Bug: OAuth 2.0 State Parameter fails with Pipe Delimiters (RFC 6749 Non-Compliance)

https://accounts.zoho.com/oauth/v2/auth?response_type=code
    &client_id=<client_id>
    &scope=<scope>
    &redirect_uri=<redirect_uri>
    &access_type=offline
    &state=<state_value>

// Instead of using pipes as delimiters:
state = csrf_token + "|" + user_id + "|" + redirect_path;
// ❌ This breaks Zoho's authorization flow

// Developers must use alternative approaches:
state = csrf_token + "_SEP_" + user_id + "_SEP_" + redirect_path;
// or
state = base64_encode(json_encode({"csrf": token, "user": id, "path": path}));
// or
state = csrf_token; // Store other data server-side keyed by CSRF token

• Topic Participants

• Damien Cregan

  

• Affan Mohammed

  

• Sticky Posts

• Deprecation of SMS-based multi-factor authentication (MFA) mode

  Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer

• Recent Topics

• Retainer invoice in Zoho Finance modlue

  Hello, Is there a way of creating retainer invoices in the Zoho Finance module? If not can I request this is considered for future updates please.

• Spotlight #27: Embed visual collaboration Spaces in your presentations using the Vani add-on

  Hello everyone! This month’s spotlight feature is the Vani add-on for Zoho Show. Every time you pause your presentation to open another tab or pull up supporting material, you lose a bit of momentum. At Zoho Show, we design features that keep everything

• CRM

  Is anyone else experiencing this issue? Our company is not moving out of using Gmail's web app. It just has more features and is a better email program than Zoho Mail. Gmail has an extension (Zoho CRM for Gmail) that we're using but we've found some serious

• Good news! Calendar in Zoho CRM gets a face lift

  Dear Customers, We are delighted to unveil the revamped calendar UI in Zoho CRM. With a complete visual overhaul aligned with CRM for Everyone, the calendar now offers a more intuitive and flexible scheduling experience. What’s new? Distinguish activities

• Global Search / Command Palette in Live App

  Zoho Creator applications can contain many forms, reports, pages, and dashboards. While navigation inside the app is smooth, users still need to move through multiple menus or screens to find specific records or open particular modules. Currently, in

• New 2026 Application Themes

  Love the new themes - shame you can't get a little more granular with the colours, ie 3 different colours so one for the dropdown menu background. Also, I did have our logo above the application name but it appears you can't change logo placement position

• Smarter appointment allocation with round-robin distribution

  Greetings from the Zoho Bookings team! We’re excited to introduce the Appointment Distribution feature, a new way to decide how appointments are assigned among users. By default, appointments are distributed evenly across all event types, but this enhancement

• A2P 10DLC Opt-in Rejection Issue with Zoho Creator Public Form

  Hi everyone, I’m working on an A2P 10DLC SMS campaign and running into repeated rejections due to opt-in issues. I’m using Zoho Creator for the registration flow. The form is public (no login required). Users enter their phone number and there is an unchecked

• Analytics & Reporting Improvements + Export Bug

  Hello, I would like to raise several important product suggestions and issues regarding Zoho Expense: 1. Filter in Admin View → Analytics → Expense Details → Receipt Is it possible to add a filter that allows us to prioritize or sort reports that have

• Make Quick Edits to Images Before Attaching

  Hello everyone, We have enhanced how attachments are handled in tickets to help agents preview and share files more efficiently in Zoho Desk. Agents can preview image attachments before adding them to tickets and edit them using attachment annotator.

• 3/18 オンライン勉強会のお知らせ Zoho ワークアウト （無料）

  ユーザーの皆さま、こんにちは。コミュニティチームの中野です。 3月開催のZoho ワークアウトの開催が決定しましたのでご案内します。 今回はZoomにて、オンライン開催します。 ▶︎参加登録はこちら（無料） https://us02web.zoom.us/meeting/register/BoNTN7zYR8OvOPGShqBY0A ━━━━━━━━━━━━━━━━━━━━━━━━ Zoho ワークアウトとは？ Zoho ユーザー同士で交流しながら、サービスに関する疑問や不明点の解消を目指すイベントです。

• Extend color coding to custom picklist fields

  Objectively, Projects has the best UI of any Zoho app — clean, intuitive, and never feels bloated. Big props to whoever owns the design. Feature request: color coding for custom picklist field values in field customization. You've already done it in two

• New in Office Integrator: In-sheet text translation

  Hi users, We're pleased to introduce translation capability in the spreadsheet editor in Zoho Office Integrator. This allows you to translate the text in your spreadsheet's cells into 70+ languages from within your web app. Office Integrator's spreadsheet

• Streamline email communication with Out of Office configuration

  Managing user communication effectively is the key to ensuring timely responses and consistent messaging. However, when users are unavailable, the absence of an Out of Office response can lead to delays and missed expectations. Managing these settings

• Changing settings for auto logoff

  I've noticed that when I haven't used Cliq for a while, I have to re-enter my password. That is really clumsy, especially if you have a complicated password. Because it won't be filled in automatically. Is there a way to change that behaviour? We are

• A few Issues when using "Pay Bill via Check"

  We have quite a bit of issues with how paying for Bills via Check works. Would love some feedback from the Zoho team in case we are doing something incorrectly. 1. When we go from a vendor and select "Pay Bill via Check" option, we see ALL the outstanding

• Prevent tracking users from specific countries

  Currently, I’m receiving many bot visits from the United States and Malaysia. I would like these visits not to be recorded in SalesIQ. I already enabled the option to exclude traffic from cloud service providers, but I’m still receiving bot visits. Ideally,

• My client requires me to have custom pdf file names to except payment for invoices, how can I customize this before emailing.

  Hello! I love the program so far but there are a few things that are standing in the way. I hope you guys can code them in so I can keep the program for years to come. My client requires I customize the pdf file names I send in for billing. Can you please

• Edit Project Number?

  Hi all: We just signed up for a trial of zoho one, which includes ZoHo Projects. We've noticed there was a 'dummy project' preloaded in projects to help familiarize yourself with the software. We've created a couple of our own projects now but noticed since the dummy project was preloaded, our projects start with number 2 then 3, sequentially. Since it seems we will be keeping zoho past the trial, If we delete the dummy project, how do we get our own projects renumbered, beginning with 1? We'd like

• Download pricebook products & details - not just pricebook creation date & name

  We're looking to download a copy of a pricebook and its associated products & book prices (as we have several offices in different countries selling the same products), however, when using the export feature under Data administration it only gives me

• 554 5.1.1 – Mail sending blocked for the domain(s): [gmail.com]

  Here's your corrected text: Hello, I hope you are doing well. I was unable to send a message and received the following error: "554 5.1.1 – Mail sending blocked for the domain(s): [gmail.com]" I tried to send and deliver an email but got this error. I

• Outgoing Mail Blocked – Suspicious Login Activity (Need Clarification and Solution)

  Hello, I’m currently facing an issue where my Zoho Mail account has been blocked due to “suspicious login activity,” and outgoing emails are restricted. Here are the details shown: Block type: Outgoing mail blocked Reason: Suspicious login activity A

• Assign Meeting in records

  It would be nice to be able to "call and assing" meetings from a record, for example from a Deal. Right now - calendar is synced with CRM - meetings show in calendar - you can go in each meeting and assign it to a record It would be nice to be able to

• Allow Global Admin to access/edit all forms without changing owners

  Hi there, Please consider adding a feature where the Global Admin of the account an automatically access/edit any form in the Company Account. I'm the Global Admin on our Zoho One plan, and we have multiple users that use/create forms. But for me to access

• ERROR: "Please enter a valid Phone"

  WHAT IS THE PHONE FORMAT? There is nothing ANYWHERE to define the format. At least the error should either show the correct format or provide a link to the help file I enter a valid phone number in as many formats as I can think of and none of them allow me to save the number to CRM Nothing works! No matter what format I enter I keep getting a red error "Please enter a valid Phone" The international format for MY mobile is +61414652366 (or +61 414 652 366) Local format is 0414652366 I call all over

• Introducing Zoho Sprints 3.0

  Zoho Sprints is consistently evolving in steady increments. The introduction of the latest version, with its enterprise level solutions, brings to you advanced capabilities that propel your agile efforts in the right direction. Here's a quick glimpse

• Transaction Rules & Customer Payments

  So I have a situation as follows. We have many clients who are all invoiced on the 1st of each month on a recurring invoice for 1 of 10 plans. This means that almost all payment dates are the same (some people pay late) and that a lot of the amounts are

• Customize Sign-out Button

  Are there some url parameters I can use to make a form button sign-out the user from the app? The sign-out link on the top right is small. Here's and example of the url for the top right sign-out: https://creator.zoho.com/logoutpage.jsp?sharedBy=niskypto&appID=212085000006568003&appLinkName=MYAPP&signOutUrl=niskypto/MYAPP/view-login/SOMEPAGE Note: In my account, the sign-out is set to redirect users to my website. Can I also override this with some url parameters? John M. Whitney

• Please can the open tasks be shown in each customer account at the top.

  Hi there This has happened before, where the open tasks are no longer visible at the top of the page for each customer in the CRM. They have gone missing previously and were reinstated when I asked so I think it's just after an update that this feature

• Tip #65 - Exploring Technician Console: Short Keys - 'Insider Insights'

  Hello Zoho Assist Community! Have you ever been in the middle of a remote support session, trying to pass a key combination onto the remote machine, only to find it's reflecting on the technician's computer. The Short Keys feature in Zoho Assist is here

• Reading from and writing to Zoho Projects Custom Module with Deluge

  Does anyone know if there is a way to read from and write to the Custom Modules that Zoho now supports. I would love to be able to loop through a set of data and create the entities I need to for this new custom module I'm looking to put together.

• Disappointment with Zoho Payments

  Dear Gowdhaman, I am writing to inform you that I am removing Zoho Payments from my website. I cannot continue to disappoint my customers due to the lack of UPI support, as has been the case with my experience so far. Please note that the 0.5% transaction

• Evolução do modelo de ambientes: Dev, Homologação e Produção com pacotes versionados

  Hoje o Zoho CRM já oferece Sandbox, o que é um avanço importante para organizações que trabalham com customizações mais complexas. No entanto, na prática, o modelo atual ainda apresenta limitações significativas quando múltiplas equipes ou consultorias

• Permissões granulares por usuário além do modelo baseado exclusivamente em perfis

  Atualmente, o modelo de segurança do Zoho CRM é fortemente baseado em perfis. Embora funcional, esse modelo apresenta limitações quando equipes possuem variações individuais de acesso dentro do mesmo grupo operacional. Em cenários reais, é comum que usuários

• Add or update lookup field values during Blueprint transition

  Hello everyone, During blueprint transition users can add or modify the value of a lookup field. For instance, if the Tickets module includes a lookup field that connects it to records in the Assets module, agents can link the ticket to the correct asset

• Can you limit SEO penalties by delaying the appearance of a pop-up?

  Google is not keen on pop-ups and has got even less keen on them with the new Core Web Vitals updates. But I like using pop-ups. If you delay the pop-up so it only appears 10 seconds after the page loads, do you avoid Google’s penalties? 

• Adding bank details to the contact through API

  How to add bank-related information to the contact while creating it using API? The account number needs to be encrypted before sending it through API but not sure how to encrypt and get those values. Please guide me in this.

• Restrict Payment Methods

  Allow us to restrict certain payment methods specific for each customer.

• Clone Banking Transaction

  Why is there no option to CLONE a Transaction in the Banking module?? I often clone Expenses (for similar expense transactions each month) so I would also like to clone Income transactions. But there is no option in Banking to clone an existing Income

• PDF limit

  Hello everyone, We have received an e-mail that we have reached our PDF limit. (see screenshot) However, I cannot find any reference to a PDF limit in our tariff plan (Premium). (see screenshot). What is the maximum number of PDFs that can be generated

• Next Page