LeadCRM
Get your free account
Login

Get your Black Friday deal today! Avail now! 💥

LeadCRM
Get your free account
Login

How to Find and Use Your Zoho API Token (OAuth) for Zoho CRM

Integration
How to Find and Use Your Zoho API Token (OAuth) for Zoho CRM (1)

Zoho CRM doesn’t use a single static “API key.” Instead, it uses OAuth 2.0 to issue short‑lived access tokens and long‑lived refresh tokens that are scoped, revocable, and compliant with modern security best practices, which is what most people mean by “Zoho API token.”

What you’ll set up

You will register an OAuth client in Zoho Accounts, generate a one-time authorization code, exchange it for an access_token and refresh_token, then call Zoho CRM APIs using the access token. When the token expires, refresh it automatically using the refresh_token.

Who this guide is for

  • Marketers, admins, and developers integrating Zoho CRM with websites, browser extensions, or backend systems.
  • Anyone searching for “Zoho API key”, “Zoho API token”, or “Zoho CRM OAuth token” and needing a practical, copy-ready implementation guide.

What is a Zoho “API Token”?

Zoho CRM doesn’t use a single static “API key.” Instead, it uses OAuth 2.0 to issue short‑lived access tokens and long‑lived refresh tokens that are scoped, revocable, and compliant with modern security best practices, which is what most people mean by “Zoho API token.”

Prerequisites

  • A Zoho account with Zoho CRM access and permission to register clients in Zoho Accounts.
  • Your data center (DC) base URL for Zoho Accounts (US, EU, IN, AU, JP, CA, SA, CN); the same DC must be used for generating and refreshing tokens.
  • A redirect or callback URL you control, or use Zoho’s Self Client to test without a hosted app.

Step 1: Register an OAuth client

  • Open the Zoho Developer/API Console and create a new client for your app. Choose Server-based if your integration runs on a backend.
  • Provide the Client Name, Homepage URL, and Authorized Redirect URI(s); these must exactly match the redirect_uri used later when exchanging the authorization code.
  • Save to get your Client ID and Client Secret, which you’ll use for the token exchange and refresh flow.

EEAT notes: Registering a client formalizes app identity and ensures Zoho can issue scoped tokens for only the permissions you request, providing least‑privilege access and auditability.

Step 2: Build the authorization URL

Use the correct Zoho Accounts base URL for your DC:

Authorization URL template (US example with full CRM scope and offline access):
https://accounts.zoho.com/oauth/v2/auth?scope=ZohoCRM.modules.ALL&client_id=YOUR_CLIENT_ID&response_type=code&access_type=offline&redirect_uri=YOUR_REDIRECT_URI

Notes:

  • response_type=code issues a one-time code after consent; access_type=offline is required to receive a refresh_token.

After the user grants access, Zoho redirects to your redirect_uri with code=AUTH_CODE for a short validity window; exchange it immediately.

Step 3: Exchange the code for tokens

Send a POST request to your DC’s token endpoint with form-encoded parameters:

Endpoint (US shown):

https://accounts.zoho.com/oauth/v2/token

Reference:

Zoho CRM API Docs

Body:

  • grant_type=authorization_code
  • code=YOUR_CODE
  • client_id=YOUR_CLIENT_ID
  • client_secret=YOUR_CLIENT_SECRET
  • redirect_uri=YOUR_REDIRECT_URI

Successful response:

				
					 {
 "access_token": "...",
 "refresh_token": "...",
 "api_domain": "https://www.zohoapis.com",
 "token_type": "Bearer",
 "expires_in": 3600
 }

What to do next

  • Use access_token in the Authorization header for API calls.

Save api_domain and call APIs on that domain for the user’s environment.

Step 4: Call Zoho CRM APIs with your token

Header:

Authorization: Zoho-oauthtoken YOUR_ACCESS_TOKEN

Examples:

  • List Leads:
    GET {api_domain}/crm/v8/Leads with the Authorization header above.
  • Create a Lead:
    POST {api_domain}/crm/v8/Leads with a JSON payload and the Authorization header above.

Scope guidance:

Use only the scopes you need.
ZohoCRM.modules.ALL grants broad access, but applying the principle of least privilege
reduces risk and aligns with security best practices.

Step 5: Refresh the access token automatically

When access_token expires, refresh it using refresh_token without user interaction:

POST {accounts_URL}/oauth/v2/token?refresh_token=YOUR_REFRESH_TOKEN&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=refresh_token

Response:

				
					 {
 "access_token": "{new_access_token}",
 "expires_in": 3600,
 "api_domain": "https://www.zohoapis.com",
 "token_type": "Bearer"
 }

Critical details

  • Always use the same DC base URL you used originally; mismatched data centers cause invalid_client errors.

Tokens and domains are environment-specific; always use the api_domain value returned in your token response for production, sandbox, or developer environments.

Self Client: fastest way to test

If you don’t have an app yet, use Zoho’s Self Client to generate a grant code within the console, then exchange it for tokens using the steps above; perfect for quick testing from scripts or API tools.

Common errors and fixes

  • invalid_client: Wrong Client ID/Secret or DC mismatch — verify the client exists in the same DC used for token calls.
  • invalid_code: Code expired or already used — generate a new code and exchange it immediately.
  • invalid_redirect_uri: Must exactly match a registered redirect URI, character-for-character.

Security best practices

  • Keep client_secret, access_token, and refresh_token out of browser code and public repositories. Treat them as sensitive credentials and store them securely on the server side.
  • Rotate secrets during personnel or environment changes, and restrict scopes to only what your integration requires.

Copy‑paste snippets (ready to run)

Authorization URL (US example) 

				
					https://accounts.zoho.com/oauth/v2/auth?scope=ZohoCRM.modules.ALL&client_id=YOUR_CLIENT_ID&response_type=code&access_type=offline&redirect_uri=YOUR_REDIRECT_URI

Refresh token (cURL, EU example)

				
					 curl -X POST "https://accounts.zoho.com/oauth/v2/token"
 -H "Content-Type: application/x-www-form-urlencoded"
 -d "grant_type=authorization_code"
 -d "code=YOUR_CODE"
 -d "client_id=YOUR_CLIENT_ID"
 -d "client_secret=YOUR_CLIENT_SECRET"
 -d "redirect_uri=YOUR_REDIRECT_URI"

Exchange code for tokens (cURL, US) 

				
					 curl -X POST "https://accounts.zoho.eu/oauth/v2/token?grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET"

Make a CRM API call (cURL)

				
					 curl -X GET "https://www.zohoapis.com/crm/v8/Leads"
 -H "Authorization: Zoho-oauthtoken YOUR_ACCESS_TOKEN"

Data center and environment mapping

  • Always use the correct accounts_URL for your DC (US, EU, IN, AU, JP, CA, SA, CN) for both token creation and refresh.
  • Use the api_domain returned in token responses; variants such as sandbox.zohoapis.{domain} and developer.zohoapis.{domain} apply to non-production orgs.

Integration example: Chrome extension or server app

Register a server-based client, run the OAuth flow once per user, store the refresh_token securely on the server, and refresh access tokens as needed to create or update records such as Leads or Contacts when a user performs an action (for example, “Add to Zoho CRM”). This pattern minimizes exposure and ensures token handling occurs securely on the server side.

Frequently Asked Questions (FAQ)

No. Zoho CRM uses OAuth 2.0 with access and refresh tokens instead of static API keys to enable scoped, revocable access with better security and compliance.

Access tokens typically last about an hour; refresh tokens are long‑lived until revoked and are used to mint new access tokens programmatically.

Use your region’s Zoho Accounts base URL consistently for the authorize and token endpoints; mixing DCs leads to errors.

Authorization: Zoho-oauthtoken {access_token} in every request to Zoho CRM endpoints.​