You're viewing our website for the India edition. Switch to the US edition to explore Zoho Payments in your region.
Switch to US Website
Stay Here
Zoho Payments Logo
🇮🇳 India

OAuth (Deprecated Soon)

OAuth is used to authenticate API requests on behalf of an individual user. It uses the Self Client client type, providing quick access without needing full organization-level permissions. The credentials are tied to a specific user account and become invalid if the account is removed.

Note: This flow is available only for existing users. We recommend migrating to the new OAuth flow, as this version will be deprecated soon.

Watch this video or follow the steps below to access Zoho Payments' APIs using OAuth 2.0.

1. Register a New Self Client & Generate an Authorisation Code

First, you must register your application with Zoho’s Developer Console to obtain your Client ID and Client Secret.

To register your application:

  1. Visit Zoho's Developer Console.
  2. Choose Self Client under Applications.

Note: Only the Self Client option is supported for registering your application with Zoho’s Developer Console.

  1. Go to the Generate Code tab and enter the scopes you need to access. Use commas to separate multiple scopes.

Scopes in Zoho Payments:

Scope Description Available Types
Payments Access to Payments-related APIs. ZohoPay.payments.CREATE,ZohoPay.payments.READ,ZohoPay.payments.UPDATE
Refunds Access to Refunds-related APIs. ZohoPay.refunds.CREATE,ZohoPay.refunds.READ

  1. Select the Time Duration for the authorisation code’s expiry. By default, it is 3 minutes.

  2. Enter the Description and click CREATE. Enter the scope, time duration, and description.

    Code generated

An authorisation code will be generated. You can copy or download the code in the popup that is being displayed.

Note: Keep these credentials secure, and do not share them with anyone.

2. Generate Access and Refresh Tokens

Once you have the authorisation code from the previous step, make a POST request with the required parameters to generate an access_token. Use the following URL: https://accounts.zoho.in/oauth/v2/token?

Parameter Description
code* The code obtained from the previous step.
client_id* A unique ID displayed under Self Client > Client Secret.
client_secret* A unique confidential string displayed under Self Client > Client Secret.
grant_type* This will be authorization_code.

* Indicates mandatory fields.

The response to your request will include both an access_token and a refresh_token :

  1. access_token: Expires after a certain period, as indicated by the expires_in parameter in the response.
  2. refresh_token: Permanent and can be used to generate a new access_token once the current one expires.

Note: A user can have up to 20 refresh tokens. If this limit is exceeded, the oldest refresh token will be automatically deleted, even if it is in use.

Request Example
https://accounts.zoho.in/oauth/v2/token?code=1000.dd7exxxxxxxxxxxxxxxxxxxxxxxx9bb8.b6c0xxxxxxxxxxxxxxxxxxxxxxxxdca4&client_id=1000.0SRSxxxxxxxxxxxxxxxxxxxx239V&client_secret=fb01xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8abf&grant_type=authorization_code

3. Call an API

When calling an API, the access token must be included in the request header and cannot be passed as a request parameter.

  • Header Name: Authorization
  • Header Value: Zoho-oauthtoken {access_token}

4. Generate Access Tokens from Refresh Tokens

Access tokens have limited validity, typically expiring in one hour, but can be used without restriction during this time. Once an access token expires, your application must use the refresh token to obtain a new access token.

To generate a new access token, make a POST request with the given parameters to the following URL: https://accounts.zoho.in/oauth/v2/token?

Parameter Description
refresh_token The refresh token obtained from the previous step.
client_id The Client ID received during client registration.
client_secret The Client Secret received during client registration.
grant_type This will be refresh_token.
Request Example
https://accounts.zoho.in/oauth/v2/token?refresh_token=1000.8ecdxxxxxxxxxxxxxxxxxxxxx5cb7.4638xxxxxxxxxxxxxxxxxxxxxxebdc&client_id=1000.0SRSxxxxxxxxxxxxxxxxxxxx239V&client_secret=fb01xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8abf&grant_type=refresh_token

5. Revoke Refresh Token

To revoke a refresh token, make a POST request with the given parameters to the following URL: https://accounts.zoho.in/oauth/v2/token/revoke?

Parameter Description
token The refresh token that you want to revoke.
Request Example
https://accounts.zoho.in/oauth/v2/token/revoke?token=1000.8ecdxxxxxxxxxxxxxxxxxxxxxxxx5cb7.4638xxxxxxxxxxxxxxxxxxxxxxxxebdc

Your refresh tokens have now been revoked, and you can’t use them to generate new access tokens to initiate API calls

If you wish to generate tokens again, you will need to repeat the entire process.

Let us simplify payments

Our product experts will tailor the session to your business needs to ensure you get the maximum value from the conversation.

What to expect in the demo

  • Tick icon Walkthrough of Zoho Payments personalized to your business needs
  • Tick icon How it integrates within your existing business ecosystem
  • Tick icon Answers to any specific questions you may have

Request a demo

Please enter your name

Please enter your organization name

Please enter your email address.

Please enter a valid mobile number

Please enter a convenient date and time.

Example: May 30, 9.00-11.00AM IST

Please select your industry type.

Please enter a brief description of your payments processing needs.

Type the characters you see in the picture

Captcha Refresh Captcha

By submitting this form, you agree to our Privacy Policy.