
Connect Zoho CRM API to Outloop


In short

Zoho CRM API uses OAuth 2.0. A production setup needs a Zoho OAuth client, the correct data center, approved scopes, user consent, a refresh token, and host-side access-token refresh.

Outloop stores the refresh token locally and lets agents request CRM actions without seeing raw Zoho credentials. Access tokens are minted host-side per request, the Authorization header is injected by the broker, and every call is mapped to the right workspace and audited.


Why Zoho CRM needs OAuth

Zoho CRM is not a normal "paste one API key" service. Real CRM access uses OAuth, so the setup includes:

client_id
client_secret
refresh_token
accounts domain / data center
Zoho CRM API domain
scopes

Outloop uses these parts to mint short-lived access tokens host-side. The agent never sees:

client_secret
refresh_token
access_token
Authorization header

Never paste API keys, access tokens, refresh tokens, client secrets, developer tokens, Authorization headers, or customer secrets into chat, screenshots, docs, .env files, project folders, or generated artifacts.

Step 1: Identify the Zoho data center

Before setup, confirm the Zoho account region. Common examples:

US: accounts.zoho.com / www.zohoapis.com
EU: accounts.zoho.eu / www.zohoapis.eu
IN: accounts.zoho.in / www.zohoapis.in

Outloop asks for the region/data center because the token URL and API domain change by region — the most common silent failure in Zoho setups.
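A pre-flight check for the region mismatch described above, as an added example (not Outloop's code). It assumes the `accounts.zoho.<suffix>` / `www.zohoapis.<suffix>` pattern of the three examples holds for other data centers, that the token endpoint path is `/oauth/v2/token`, and that the token response carries an `api_domain` field.

```python
import re
from urllib.parse import urlsplit

ACCOUNTS_PREFIX = "accounts.zoho."   # pattern taken from the examples above
API_PREFIX = "www.zohoapis."
# Accept only a short TLD-like suffix (com, eu, in, com.au, ...), so a host
# such as accounts.zoho.com.attacker.example is rejected outright.
SUFFIX_RE = re.compile(r"^[a-z]{2,3}(\.[a-z]{2})?$")

def region_suffix(url, prefix):
    """Return the data-center suffix of an https endpoint, or raise."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.startswith(prefix):
        raise ValueError(f"unexpected endpoint: {url!r}")
    suffix = host[len(prefix):]
    if not SUFFIX_RE.match(suffix):
        raise ValueError(f"unexpected data-center suffix: {suffix!r}")
    return suffix

def check_region(token_url, api_base_url, token_response=None):
    """Return the shared suffix; raise if the endpoints disagree."""
    accounts = region_suffix(token_url, ACCOUNTS_PREFIX)
    api = region_suffix(api_base_url, API_PREFIX)
    if accounts != api:
        raise ValueError(f"region mismatch: accounts={accounts} api={api}")
    # Assumption: a successful token response names the API domain it is
    # valid for; compare it with the configured one before the first call.
    returned = (token_response or {}).get("api_domain")
    if returned and region_suffix(returned, API_PREFIX) != api:
        raise ValueError(f"token minted for another region: {returned}")
    return accounts
```
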

Step 2: Open Zoho API Console and create a client

In the Zoho API Console, create a new OAuth client of type Server-based application — for example named Outloop CRM Access — with your homepage URL and the redirect URI that Outloop's setup flow tells you to register.

Step 3: Save client ID and client secret securely

Zoho will show a client_id and client_secret. Do not paste them into chat. Do not store them in .env. Do not put them in a skill file. Use Outloop's secure setup flow — that is the only place they should ever go.

Step 4: Choose scopes

Choose the minimum scopes required for the workflow.

# Read-only CRM proof:
ZohoCRM.modules.READ
ZohoCRM.settings.READ
ZohoCRM.org.READ

# Lead/contact management:
ZohoCRM.modules.ALL

Prefer least privilege: if the workflow only reads leads, do not request write scopes. If it creates or updates leads, request exactly the write scopes it needs.

Step 5: Complete OAuth consent

The correct product flow:

Connect Zoho
→ user signs in to Zoho
→ user approves scopes
→ Zoho returns authorization code
→ Outloop exchanges it host-side
→ Outloop stores refresh token locally

Manual refresh-token paste should be advanced mode only.

Step 6: Add Zoho CRM access in Outloop

Expected configuration:

service: zoho_crm
auth_type: oauth_refresh_token
client_id: stored locally
client_secret: stored locally
refresh_token: stored locally
token_url: depends on Zoho region
api_base_url: depends on Zoho region
scopes: selected ZohoCRM scopes
workspace_mapping:
  workspace_001:
    allowed_org: <Zoho org ID if available>
    allowed_modules:
      - Leads
      - Contacts
      - Deals

Outloop mints access tokens host-side and injects Authorization: Zoho-oauthtoken <access_token> on the wire. The agent never sees that value.
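How a broker could enforce the workspace mapping above before injecting the header, as an added example (not Outloop's implementation). The `writes_enabled` flag, the function names and the audit-record fields are hypothetical; the policy values are constructed from the configuration shown.

```python
import re

# Constructed policy mirroring the workspace_mapping above.
POLICY = {
    "workspace_001": {
        "allowed_modules": {"Leads", "Contacts", "Deals"},
        "writes_enabled": False,  # hypothetical flag, off until the read proof passes
    }
}
METADATA_PATHS = {"org", "settings/modules"}  # read-only proof endpoints
# No dots allowed, so "../" traversal never matches.
PATH_RE = re.compile(r"^/crm/v8/(?P<rest>[A-Za-z0-9_/]+)$")

def decide(workspace, method, path):
    """Return (decision, reason) for a CRM call requested by an agent."""
    policy = POLICY.get(workspace)
    if policy is None:
        return "deny", "unknown workspace"
    match = PATH_RE.match(path.split("?", 1)[0])
    if not match:
        return "deny", "path outside /crm/v8"
    rest = match.group("rest")
    if rest in METADATA_PATHS:
        if method == "GET":
            return "allow", "metadata read"
        return "deny", "metadata is read-only"
    module = rest.split("/", 1)[0]
    if module not in policy["allowed_modules"]:
        return "deny", f"module {module} not allowed"
    if method != "GET" and not policy["writes_enabled"]:
        return "deny", "writes not enabled"
    return "allow", "module allowed"

def broker_call(workspace, method, path, access_token):
    """Host-side: build the outbound header and a token-free audit record."""
    decision, reason = decide(workspace, method, path)
    headers = None
    if decision == "allow":
        headers = {"Authorization": f"Zoho-oauthtoken {access_token}"}
    audit = {"workspace": workspace, "method": method, "path": path,
             "decision": decision, "reason": reason}
    return headers, audit  # only `audit` is ever returned to the agent
```
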

Step 7: Run a safe proof

The first proof should be read-only:

GET /crm/v8/org
GET /crm/v8/settings/modules

# then, for a real workspace:
GET /crm/v8/Leads?per_page=1

Success criteria:

decision: allow
HTTP 200
secret_exposed: false
correct Zoho org
correct workspace
audit entry exists

Check the response body, not just the status code — Zoho can return HTTP 200 with an error payload.
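The success criteria applied to the `GET /crm/v8/org` proof, as an added example (not Outloop's code). The response shapes are assumptions: an org list under `org` with an `id` field, and error payloads marked by `"status": "error"` or an `error` key; the sample bodies and secret values are constructed.

```python
import json

# Constructed sample bodies, both as they might arrive with HTTP 200.
SAMPLE_OK = '{"org": [{"id": "111000", "company_name": "Example Ltd"}]}'
SAMPLE_ERR = '{"status": "error", "code": "INVALID_TOKEN", "message": "invalid oauth token"}'

def evaluate_proof(status, body_text, expected_org_id, agent_visible, secrets):
    """Check one read-only org proof against the success criteria.

    agent_visible: everything the agent received for this call, as text.
    secrets: name -> value for tokens that must never appear in that text.
    Returns a list of failures; an empty list means the proof passed.
    """
    failures = []
    if status != 200:
        failures.append(f"HTTP {status}")
    try:
        body = json.loads(body_text)
    except ValueError:
        return failures + ["body is not JSON"]
    if not isinstance(body, dict):
        return failures + ["unexpected body shape"]
    # A 200 status is not enough: look for an error payload in the body.
    if body.get("status") == "error" or "error" in body:
        failures.append(f"error payload: {body.get('code') or body.get('error')}")
    # Confirm the token is bound to the org this workspace is mapped to.
    orgs = body.get("org") or []
    org_id = str(orgs[0].get("id")) if orgs else None
    if org_id != expected_org_id:
        failures.append("org not confirmed")
    # secret_exposed must be false: no secret value in agent-visible text.
    leaked = sorted(n for n, v in secrets.items() if v and v in agent_visible)
    if leaked:
        failures.append("secret_exposed: " + ",".join(leaked))
    return failures
```
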

Step 8: Enable write actions only after read proof

Write actions — create lead, update lead, create task, update deal, add note — should be enabled only after the read proof works, as policy-controlled writes when explicitly enabled by the operator. Outloop shows a warning before enabling writes; for destructive or broad updates, use a draft/dry-run first.

Production readiness checklist

Do not mark Zoho CRM runtime-verified until:

Common mistakes

The Outloop value

Zoho gives delegated CRM API access. Outloop makes it safe for agent workflows:

The CRM user authorizes access once.
Outloop stores the refresh token locally.
Agents request approved CRM actions.
Outloop refreshes tokens host-side and audits every call.

Related: AI agent API key management · why a vault isn't enough · Meta Ads API setup · Google Ads API setup.

Outloop is in commercial beta (controlled design-partner prep). Outloop is an independent tool and is not affiliated with or endorsed by Zoho. See the security model.


Run CRM agents without handing over OAuth credentials.

Outloop is accepting qualified AI agencies, operators, and dev shops into commercial beta.

Frequently Asked Questions

Zoho CRM API + Outloop — FAQ