
Zoho OAuth Setup Guide

Status: In Progress (Feb 17, 2026)
Priority: CRITICAL - Blocks Tier 2 graduation
Current State: Expired CRM token, need client credentials + scope expansion


Current Situation

✅ We Have:

❌ Missing:

🔴 Problem:


Step 1: Get Client Credentials (URGENT)

Retrieve the client credentials from the Zoho API Console:

  1. Go to https://api-console.zoho.com/
  2. Log in with your Zoho account (quan@ztag.com or main account)
  3. Find your existing "Self Client" app (or create a new one if needed)
  4. Copy the following:
    • Client ID (long string starting with 1000.)
    • Client Secret (long alphanumeric string)

Where to store them:
Create file: /home/node/.openclaw/credentials/zoho-client-secret.json

{
  "client_id": "1000.XXXXXXXXXXXXXXXXXXXXXXXXXX",
  "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "notes": "Zoho Self Client - created [DATE]"
}

⚠️ Security: This file is gitignored. Never commit it to the repo.
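
One way to create and load the credentials file described above with owner-only permissions (an added example, not part of the original guide or its tools; the function names, the CredentialError class and the sample values are assumptions for illustration):

```python
import json
import os
import stat
import tempfile

DEFAULT_PATH = "/home/node/.openclaw/credentials/zoho-client-secret.json"  # from the guide


class CredentialError(Exception):
    """The credentials file is unsafe to use or malformed."""


def write_credentials(path, client_id, client_secret):
    """Create the file owner-only (0600) from the first byte written."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"client_id": client_id, "client_secret": client_secret}, fh, indent=2)
    os.chmod(path, 0o600)  # tighten a pre-existing file that had looser bits


def load_credentials(path=DEFAULT_PATH):
    """Return (client_id, client_secret) or raise CredentialError."""
    with open(path) as fh:
        # fstat the open handle so the mode check and the read see the same file.
        mode = os.fstat(fh.fileno()).st_mode
        if not stat.S_ISREG(mode) or mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise CredentialError(f"{path}: must be a regular file with no group/other access")
        try:
            data = json.load(fh)
        except json.JSONDecodeError as exc:
            raise CredentialError(f"{path}: not valid JSON") from exc
    if not isinstance(data, dict):
        raise CredentialError(f"{path}: expected a JSON object")
    cid = str(data.get("client_id", ""))
    secret = str(data.get("client_secret", ""))
    if not cid.startswith("1000."):
        raise CredentialError("client_id does not start with '1000.'")
    # The guide's template uses runs of X/x; refuse to run with it unedited.
    if set(cid[5:]) <= {"X"} or set(secret) <= {"x"}:
        raise CredentialError("template placeholder values are still present")
    return cid, secret


if __name__ == "__main__":
    # Constructed sample values, not real Zoho credentials.
    with tempfile.TemporaryDirectory() as tmp:
        p = os.path.join(tmp, "credentials", "zoho-client-secret.json")
        write_credentials(p, "1000.EXAMPLEONLY", "constructed-secret-0001")
        print(load_credentials(p)[0])
```

A refresh script can call load_credentials() at startup so that a group- or world-readable file, or an unedited template, stops the run before any request is sent.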


Step 2: Refresh Current Token (Test)

Once you provide client_id and client_secret:

cd /home/node/.openclaw/workspace
python3 tools/zoho-refresh-token.py

This will:


Step 3: Expand Scopes (CRITICAL for Tier 2)

Current scopes (READ ONLY):

Required scopes for full automation:

Zoho CRM (Carmee pathway automation)

Zoho Books (Financial automation)

Zoho Desk (Support automation)

Zoho Cliq (Team notifications)


Step 4: Generate New Authorization Code (Manual Process)

This requires browser access to Zoho API Console:

  1. Go to https://api-console.zoho.com/
  2. Navigate to your Self Client
  3. Click "Generate Code" tab
  4. Enter scopes (comma-separated):
    ZohoCRM.modules.ALL,ZohoCRM.settings.ALL,ZohoCRM.users.READ,ZohoCRM.org.READ,ZohoBooks.fullaccess.all,Desk.tickets.READ,Desk.tickets.UPDATE,Desk.contacts.READ,Cliq.Messages.CREATE,Cliq.Channels.READ
  5. Set expiry: 3 minutes (default)
  6. Description: "Full automation scopes - Minnie COO Feb 2026"
  7. Click CREATE
  8. Copy the generated authorization code (long string)

⚠️ Time-sensitive: The authorization code expires in 3 minutes. Have a terminal ready.


Step 5: Exchange Code for Tokens

Immediately after generating the code:

cd /home/node/.openclaw/workspace
python3 tools/zoho-crm-oauth.py \
  <CLIENT_ID> \
  <CLIENT_SECRET> \
  <AUTHORIZATION_CODE>

This will:


Step 6: Implement Auto-Refresh (Like Gmail)

Once we have valid tokens with full scopes:

  1. Update tools/zoho-refresh-token.py to load client credentials
  2. Add cron job to refresh every 45 minutes
  3. Test all services:
    • CRM: Read deals, create contact
    • Books: Read invoices
    • Desk: Read tickets
    • Cliq: Send test message

Testing Checklist

After token refresh:

Expected results:


Security Notes

Credential files (gitignored):

Backup location:

Rotation policy:


Timeline

Immediate (Today):

  1. Get client_id/secret from Zoho console → 5 min
  2. Refresh current token → 2 min
  3. Test CRM access → 1 min

Phase 2 (This week):

  1. Generate new auth code with full scopes → 5 min
  2. Exchange for new tokens → 2 min
  3. Implement auto-refresh cron → 15 min
  4. Test all services → 30 min

Total time: ~1 hour (mostly waiting for browser/API calls)


Troubleshooting

Error: "INVALID_TOKEN"

Error: "INVALID_CLIENT"

Error: "insufficient scope"

Error: "code expired"


Next Action: Retrieve client_id and client_secret from Zoho API Console.

Once you provide those, I can implement the full refresh + auto-refresh system in ~15 minutes.