ZohoAPI: machine to machine authentication

Mehdi Benmoha
2 min read · Dec 16, 2023

Using Zoho OAuth authentication for a silent service is something that took us some time to figure out, so here’s what worked for us:


Create a self-client in the developer console

Zoho's OAuth implementation doesn't provide a Client Credentials flow, so the only other option is to use the Authorization Code flow to get a refresh_token, which is valid forever (unless revoked).

In the Zoho developer console you can register your self client. You will need to set a fixed, comma-separated scope list, set the token duration to 10 minutes, and provide a scope description (it accepts anything).

After creating the client, you will be provided with an authorization_code, and in the client secret tab you will find the client_id and client_secret. You will need all three to get the refresh_token by sending this request:

curl --location --request POST 'https://accounts.zoho.com/oauth/v2/token?code=<authorization_code>&client_id=<client_id>&client_secret=<client_secret>&grant_type=authorization_code&redirect_uri=localhost:3000'

Use the refresh token in your backend…
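
One way a backend can use the refresh token, as an added example that is not code from the original post. It assumes the token endpoint accepts the standard OAuth 2.0 refresh_token grant as form fields and returns expires_in in seconds; `ZohoAuth`, `ZohoTokenError` and `post_form` are hypothetical names.

```python
import json
import time
import urllib.parse
import urllib.request

# Token endpoint taken from the article's curl command.
TOKEN_URL = "https://accounts.zoho.com/oauth/v2/token"


class ZohoTokenError(Exception):
    """Raised when the token endpoint answers with an error body."""


def post_form(url, fields):
    # Credentials travel in the POST body, not the URL, so they stay out of
    # proxy and access logs (assumption: the endpoint accepts form fields).
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


class ZohoAuth:
    """Hypothetical helper: trades the long-lived refresh token for
    short-lived access tokens and caches them until shortly before expiry."""

    def __init__(self, client_id, client_secret, refresh_token,
                 transport=post_form, clock=time.time):
        self._fields = {"grant_type": "refresh_token", "client_id": client_id,
                        "client_secret": client_secret,
                        "refresh_token": refresh_token}
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        if self._token and self._clock() < self._expires_at - 60:
            return self._token  # still valid, no network call
        data = json.loads(self._transport(TOKEN_URL, self._fields))
        # Fail closed on an error body (e.g. a revoked refresh token).
        if "error" in data or "access_token" not in data:
            raise ZohoTokenError(data.get("error", "no access_token in response"))
        self._token = data["access_token"]
        # Assumption: expires_in is a lifetime in seconds.
        self._expires_at = self._clock() + int(data.get("expires_in", 3600))
        return self._token
```

Load the client secret and refresh token from a secret store or environment variables rather than source code, since the refresh token stays valid until it is revoked.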
