How to Generate Zoho CRM OAuth 2.0 Credentials: Refresh Token Tutorial (2025)
Source: Dev.to
If you’re integrating WordPress (or any app) with Zoho CRM – like with the Zoho CRM Lead Mapping Pro plugin – you need secure OAuth credentials: Client ID, Client Secret, and a long‑lived Refresh Token.
Zoho uses OAuth 2.0 for safe access without sharing passwords. The refresh token lets your app auto‑renew short‑lived access tokens.
Step 1: Log In to Zoho API Console
- Go to the Zoho API Console.
- Sign in with the Zoho account linked to your CRM organization.
- You’ll see a dashboard with options for different client types.
Method 1: Self Client (Easiest & Recommended for Personal/Plugin Use)
Self Client is perfect for backend integrations (e.g., WordPress plugins) where you own the Zoho account. No redirect URI is needed – you generate tokens directly.
-
In the API Console, choose Self Client → Create Now (or Add Client if you already have clients).
-
Fill in the form:
-
Client Name – e.g., “WordPress Lead Plugin”
-
Scopes –
ZohoCRM.modules.ALL,ZohoCRM.users.READ,ZohoCRM.settings.ALL,ZohoCRM.org.READ
-
-
Click Create. On the next screen, click Generate Code (or similar).
- Choose the same scopes if prompted.
- Keep the default token duration (1 hour).
- Click Create – an Authorization Code (grant token) appears. Copy it immediately.
-
Exchange the authorization code for tokens. Replace the placeholders in the URL below and open it in a browser or use Postman/curl:
https://accounts.zoho.com/oauth/v2/token ?code=YOUR_AUTHORIZATION_CODE &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET &grant_type=authorization_code &redirect_uri=For EU accounts: use
https://accounts.zoho.eu/...
For IN accounts: usehttps://accounts.zoho.in/... -
The response will contain:
{ "access_token": "1000.12345678190123456789123456789", "refresh_token": "1000.12345678901234567890123456789", "scope": "ZohoCRM.modules.ALL ZohoCRM.modules.attachments.ALL", "api_domain": "https://www.zohoapis.com", "token_type": "Bearer", "expires_in": 3600 }The refresh_token is the long‑lived credential you’ll store securely.
Method 2: Server‑Based Application (For Production/Multi‑User Apps)
Use this flow if you need a redirect step or multi‑organization support.
-
In the API Console, choose Server‑based Applications → Create Now.
-
Fill in the registration form:
- Client Name
- Homepage URL (your site)
- Authorized Redirect URI (e.g.,
https://your-site.com/oauth-callback– a localhost URL works for testing)
-
Click Create – you’ll receive a Client ID and Client Secret.
-
Generate the authorization URL (replace placeholders):
https://accounts.zoho.com/oauth/v2/auth ?scope=ZohoCRM.modules.ALL,ZohoCRM.users.READ,ZohoCRM.settings.ALL,ZohoCRM.org.READ &client_id=YOUR_CLIENT_ID &response_type=code &redirect_uri=YOUR_REDIRECT_URI &access_type=offline -
Open the URL in a browser, log in, and approve the request. Zoho redirects to the URI with
?code=XXXX. -
Exchange the code for tokens using the same POST request as in Method 1 (include the
redirect_uriparameter). The response includes the refresh_token.
Important Tips
- Data Center Matters: Use the correct domain for your account (
.com,.eu, or.in) for both authentication and API calls. - Scopes: The exact scopes listed above give full access to leads, products, attachments, and notes.
- Security: Never expose your Client Secret or Refresh Token publicly. Store them securely on the server side.
- Multi‑DC: Enable multi‑region support in console settings if you operate across data centers.
- Testing: A refresh token remains valid until it’s revoked or the user revokes access.
Final Thoughts
Generating Zoho OAuth credentials is straightforward once you know the steps – the Self Client method is quickest for most plugin users.
The Zoho CRM Lead Mapping Pro plugin was built to make this integration seamless for WordPress sites. Hope this guide helps you get connected quickly!
Happy integrating! 🚀