{"id":4067,"date":"2026-05-29T19:53:02","date_gmt":"2026-05-29T19:53:02","guid":{"rendered":"https:\/\/aaxonix.com\/resources\/?post_type=glossary&#038;p=4067"},"modified":"2026-05-29T19:53:02","modified_gmt":"2026-05-29T19:53:02","slug":"api-token-oauth","status":"publish","type":"glossary","link":"https:\/\/aaxonix.com\/resources\/glossary\/api-token-oauth\/","title":{"rendered":"API Token \/ OAuth 2.0 (CRM)"},"content":{"rendered":"<style>\n.gt-body { font-family:'Poppins',sans-serif; color:#111; line-height:1.75; }\n.gt-def { border-left:4px solid #E8650A; padding:16px 20px; background:#fff8f4; border-radius:0 8px 8px 0; margin:0 0 32px; font-size:1.05rem; }\n.gt-section { margin:0 0 36px; }\n.gt-section h2 { font-family:'Fraunces',serif; color:#0A1628; font-size:1.5rem; margin:0 0 12px; }\n.gt-section p { margin:0 0 12px; }\n.gt-example-box { background:#f0f4ff; border-radius:10px; padding:20px 24px; margin:0 0 32px; }\n.gt-example-box strong { color:#2563EB; }\n.gt-related-pills { display:flex; flex-wrap:wrap; gap:10px; margin:0 0 32px; }\n.gt-related-pill { background:#f7f4ef; border:1px solid #ddd8cf; border-radius:20px; padding:6px 16px; font-size:0.875rem; color:#0A1628; text-decoration:none; transition:all .2s; }\n.gt-related-pill:hover { background:#0A1628; color:#fff; border-color:#0A1628; }\n.gt-faq-item { border:1px solid #ddd8cf; border-radius:10px; padding:16px 20px; margin:0 0 12px; }\n.gt-faq-item h3 { font-size:1rem; color:#0A1628; margin:0 0 8px; }\n.gt-faq-item p { margin:0; font-size:0.9rem; color:#444; }\n<\/style>\n<div class=\"gt-body\">\n<div class=\"gt-def\">OAuth 2.0 in Zoho CRM is the authentication protocol used by all API integrations to securely grant external applications access to CRM data without sharing user credentials. 
It uses short-lived access tokens (valid for 1 hour) and long-lived refresh tokens to maintain continuous API access.<\/div>\n<div class=\"gt-section\">\n<h2>The OAuth 2.0 Flow<\/h2>\n<p>The standard OAuth 2.0 flow for Zoho CRM has four steps. First, the application redirects the user to Zoho&#8217;s authorisation URL with the Client ID and requested scopes. Second, the user logs in and approves the access. Third, Zoho redirects back to the application with an authorisation code. Fourth, the application exchanges the code for an access token and refresh token by calling Zoho&#8217;s token endpoint. The access token is then included in the Authorization header of all API requests.<\/p>\n<\/div>\n<div class=\"gt-section\">\n<h2>Self Client for Server-to-Server<\/h2>\n<p>For server-to-server integrations where no user interaction is possible, Zoho supports the Self Client type in the API Console. This generates a grant token that can be exchanged directly for access and refresh tokens without a browser-based authorisation step. This is the most common approach for backend scripts and scheduled integrations.<\/p>\n<\/div>\n<div class=\"gt-section\">\n<h2>Industry Example<\/h2>\n<div class=\"gt-example-box\"><strong>Automation Script:<\/strong> A Python script runs nightly on a cloud server to sync closed-won deals from Zoho CRM to a data warehouse. It uses a stored refresh token to generate a fresh access token at the start of each run, queries the CRM API for deals closed in the previous 24 hours, and writes the records to BigQuery. 
The refresh token is stored securely in an environment variable, never in the code itself.<\/div>\n<\/div>\n<div class=\"gt-section\">\n<h2>Related Terms<\/h2>\n<div class=\"gt-related-pills\"><a href=\"https:\/\/aaxonix.com\/resources\/glossary\/connected-app\/\" class=\"sp-content-link gt-related-pill\">Connected App<\/a><br \/>\n<a href=\"https:\/\/aaxonix.com\/resources\/glossary\/crm-rest-api\/\" class=\"sp-content-link gt-related-pill\">CRM REST API<\/a><br \/>\n<a href=\"https:\/\/aaxonix.com\/resources\/glossary\/deluge-invoke-url\/\" class=\"sp-content-link gt-related-pill\">Deluge invoke URL<\/a><br \/>\n<a href=\"https:\/\/aaxonix.com\/resources\/glossary\/bulk-api-crm\/\" class=\"sp-content-link gt-related-pill\">Bulk API (CRM)<\/a>\n<\/div>\n<\/div>\n<div class=\"gt-section\">\n<h2>Frequently Asked Questions<\/h2>\n<div class=\"gt-faq-item\">\n<h3>What is OAuth 2.0 in Zoho CRM?<\/h3>\n<p>OAuth 2.0 is the authentication protocol for all Zoho CRM API access. It uses short-lived access tokens (1-hour expiry) and long-lived refresh tokens. External applications use a Connected App&#8217;s Client ID and Secret to obtain tokens, which are then included in API request headers.<\/p>\n<\/div>\n<div class=\"gt-faq-item\">\n<h3>How do I generate a Zoho CRM API access token?<\/h3>\n<p>Register a Connected App in the Zoho API Console, use the OAuth 2.0 authorization flow (or Self Client for server-to-server) to generate an authorization code, and exchange it for an access token and refresh token via Zoho&#8217;s token endpoint. 
Use the refresh token to generate new access tokens as they expire.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>OAuth 2.0 in Zoho CRM is the authentication protocol used by all API integrations to securely grant external applications access to CRM\u2026<\/p>\n","protected":false},"template":"","meta":{"seo_title":"API Token \/ OAuth 2.0 (CRM) | Zoho CRM Glossary","seo_description":"OAuth 2.0 in Zoho CRM is the authentication protocol used by all API integrations to securely grant external applications access to CRM data without sharin","seo_keyword":"api token \/ oauth 2.0 (crm) zoho crm","seo_faqs":"[{\"q\": \"What is OAuth 2.0 in Zoho CRM?\", \"a\": \"OAuth 2.0 is the authentication protocol for all Zoho CRM API access. It uses short-lived access tokens (1-hour expiry) and long-lived refresh tokens. External applications use a Connected App's Client ID and Secret to obtain tokens, which are then included in API request headers.\"}, {\"q\": \"How do I generate a Zoho CRM API access token?\", \"a\": \"Register a Connected App in the Zoho API Console, use the OAuth 2.0 authorization flow (or Self Client for server-to-server) to generate an authorization code, and exchange it for an access token and refresh token via Zoho's token endpoint. 
Use the refresh token to generate new access tokens as they expire.\"}]","term_type":"Technical","glossary_related":"","glossary_links":""},"glossary_category":[1238],"class_list":["post-4067","glossary","type-glossary","status-publish","hentry","glossary_category-zoho-crm"],"_links":{"self":[{"href":"https:\/\/aaxonix.com\/resources\/wp-json\/wp\/v2\/glossary\/4067","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aaxonix.com\/resources\/wp-json\/wp\/v2\/glossary"}],"about":[{"href":"https:\/\/aaxonix.com\/resources\/wp-json\/wp\/v2\/types\/glossary"}],"wp:attachment":[{"href":"https:\/\/aaxonix.com\/resources\/wp-json\/wp\/v2\/media?parent=4067"}],"wp:term":[{"taxonomy":"glossary_category","embeddable":true,"href":"https:\/\/aaxonix.com\/resources\/wp-json\/wp\/v2\/glossary_category?post=4067"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}