API Authentication

Zoho Creator APIs use OAuth 2.0 for authentication. This page gives you an overview of the authentication process. For complete details on OAuth 2.0 flows, registration, token management, and more, refer to the Zoho OAuth 2.0 documentation.


How it works

To access Zoho Creator APIs, your application needs an access token obtained through one of the OAuth 2.0 flows. At a high level, the steps are:

  1. Register your application in the Zoho API console.
  2. Get consent from the user to access their data and obtain an access token.
  3. Call Zoho Creator APIs using the access token.

Token expiry: Access tokens expire periodically. The expiry duration is given as expires_in (seconds) in the access token response. To maintain uninterrupted access, you can request an optional refresh token, store it, and use it to generate new access tokens as needed.

Different OAuth flows for different app types: Zoho supports OAuth flows for different application types (server-based, client-based, mobile & desktop-based, limited input devices, and self client). You can choose the flow that matches your application.

Multi DC support: Zoho operates data centers in multiple regions. If your application serves users across regions, you must enable Multi DC support in the API console and use region-specific endpoints for both OAuth and Creator API calls.

See detailed OAuth 2.0 workflow 


 

Scopes

Zoho Creator APIs require OAuth scopes to define the level of access your application needs. When requesting an access token, request only the scopes your application requires. These are displayed to users when asking for consent.

Scope                               Description
ZohoCreator.form.CREATE             To add records in forms
ZohoCreator.report.CREATE           To upload files in records that are displayed in reports
ZohoCreator.report.READ             • To fetch data from the records displayed in reports
                                    • To download files from records that are displayed in reports
ZohoCreator.report.UPDATE           To update records that are displayed in reports
ZohoCreator.report.DELETE           To delete records that are displayed in reports
ZohoCreator.meta.form.READ          To get the information about the fields in a form
ZohoCreator.meta.application.READ   • To get the list of forms, reports, and pages in applications
                                    • To get the information about the application sections
ZohoCreator.dashboard.READ          To get the list of applications

To request multiple scopes, separate them with commas:

scope=ZohoCreator.form.CREATE,ZohoCreator.report.READ

For more details about scope format, see OAuth Scopes.


 

Making API calls with access token

To authenticate your API calls, include the access token in the Authorization header of every API request.

Supported formats

Authorization: Zoho-oauthtoken {access-token-value}
Authorization: Bearer {access-token-value}

Example

curl -X GET "https://www.zohoapis.com" \
  -H "Authorization: Zoho-oauthtoken 1000.abc123def456..."

 

API endpoints by data center

When making API calls, you must use the base URL corresponding to your user's data center. The correct URL is returned as api_domain in the access token response.

Data center                  API base URL
United States (US)           www.zohoapis.com
European Union (EU)          www.zohoapis.eu
India (IN)                   www.zohoapis.in
Australia (AU)               www.zohoapis.com.au
Japan (JP)                   www.zohoapis.jp
Canada (CA)                  www.zohoapis.ca
Saudi Arabia (SA)            www.zohoapis.sa
China (CN)                   www.zohoapis.com.cn
United Arab Emirates (UAE)   www.zohoapis.ae

Important: Never hardcode a single region's URL. Always use the api_domain from the access token response. See Multi-DC Support.
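The sketch below is an added example, not code from Zoho. It ties together the token expiry, Authorization header and api_domain guidance above by checking api_domain against the hosts in the table before the token is attached to any request. It assumes the parsed token response carries the standard OAuth 2.0 field access_token alongside expires_in and api_domain; the function names, REFRESH_MARGIN and the sample response are hypothetical.

```python
import time
from urllib.parse import urlsplit

# API base hosts copied from the data center table on this page.
ZOHO_API_HOSTS = frozenset({
    "www.zohoapis.com", "www.zohoapis.eu", "www.zohoapis.in",
    "www.zohoapis.com.au", "www.zohoapis.jp", "www.zohoapis.ca",
    "www.zohoapis.sa", "www.zohoapis.com.cn", "www.zohoapis.ae",
})
REFRESH_MARGIN = 60  # seconds before expiry to refresh (assumed value)


def session_from_token_response(resp, now=None):
    """Derive base URL, auth header and refresh time from a token response.

    Assumes resp is the parsed JSON response with access_token (standard
    OAuth 2.0 field name), expires_in and api_domain.
    """
    now = time.time() if now is None else now
    raw = resp["api_domain"]
    # Accept a bare host as well as a full URL; a full URL must be https.
    parts = urlsplit(raw if "://" in raw else "https://" + raw)
    if (parts.scheme != "https" or parts.hostname not in ZOHO_API_HOSTS
            or parts.username is not None or parts.port not in (None, 443)
            or parts.path not in ("", "/") or parts.query or parts.fragment):
        # Never attach the token to a request for an unrecognised host.
        raise ValueError("unexpected api_domain: %r" % (raw,))
    return {
        "base_url": "https://" + parts.hostname,
        "headers": {"Authorization": "Zoho-oauthtoken " + resp["access_token"]},
        "refresh_at": now + int(resp["expires_in"]) - REFRESH_MARGIN,
    }


def needs_refresh(session, now=None):
    """True once the access token is within REFRESH_MARGIN of expiring."""
    now = time.time() if now is None else now
    return now >= session["refresh_at"]


# Constructed sample response; the token value is not a real credential.
SAMPLE_RESPONSE = {
    "access_token": "1000.constructed-sample-token",
    "api_domain": "https://www.zohoapis.eu",
    "expires_in": 3600,
}

if __name__ == "__main__":
    session = session_from_token_response(SAMPLE_RESPONSE)
    print(session["base_url"], needs_refresh(session))
```

Keep the returned headers out of logs and error messages, since they contain the live access token.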