How to Get Your Zoho Books API Key

Learn how to get your Zoho Books API key using OAuth 2.0. This step-by-step guide covers app registration, client setup, scopes, authorization flow, access and refresh tokens, and common mistakes developers should avoid when integrating.

Kateryna Poryvay

9 min read

Get your Zoho Books OAuth credentials set up and make your first authenticated API call. This guide covers app registration, client types, scopes, the authorization flow, token management, and the mistakes that cost developers time.

What's Zoho Books?

Zoho Books is Zoho's cloud accounting platform, and it has found its audience in small and mid-sized businesses already inside the Zoho ecosystem: companies using Zoho CRM, Zoho Projects, or Zoho Inventory that want their accounting in the same stack. It handles invoices, bills, expenses, purchase orders, bank feeds, and tax compliance across a range of countries.

The API is REST-based, returns JSON, and follows familiar patterns. Version 3 is the current release. Every request requires two things: a valid OAuth 2.0 access token and an organization_id parameter. Zoho Books supports multiple organizations under one account, and the API enforces strict separation between them. Before you can touch any other endpoint, you'll need the organization ID from GET /organizations.

Note: Zoho Books doesn't use static API keys. Authentication is handled through OAuth 2.0, which means you'll be working with a Client ID, Client Secret, access tokens, and refresh tokens.

If you're planning to connect Zoho Books to your platform alongside other accounting tools, take a look at Apideck's guide on how to integrate with the Zoho Books API for the fuller picture on data mapping and sync patterns. For a broader view of how accounting APIs compare, the top accounting APIs guide covers Zoho Books alongside the other major platforms.

Prerequisites

  • A Zoho Books account (any paid plan, or a free trial)
  • A Zoho account login to access the Developer Console
  • A redirect URI ready for your application (or use the Self Client option if you're building a server-side script without a public URL)

Step 1: Go to the Zoho Developer Console

Open https://api-console.zoho.com and log in with your Zoho account credentials.

Step 2: Create a New Client

Click GET STARTED (or ADD CLIENT if you've been here before). You'll be asked to choose a client type. The five options are:

  • Server-based Applications: web apps running on a dedicated server with a redirect URI. This is the right choice for most SaaS integrations.
  • Client-based Applications: browser-only apps (JavaScript, no web server).
  • Mobile Applications: iOS/Android apps.
  • Non-browser Applications: devices without browser support such as smart TVs and printers.
  • Self Client: standalone server-side scripts or back-end jobs with no redirect URL. Good for testing, internal tooling, or one-off data syncs.

For a production integration, pick Server-based Applications. If you're just getting credentials to test an endpoint, Self Client is faster.

Step 3: Fill in Your Application Details

Once you click Create Now for your chosen client type, fill in the following:

  • Client Name: the name of your application. Zoho uses this on the consent screen your users see.
  • Homepage URL: the full URL of your app's homepage (required for server-based apps).
  • Authorized Redirect URIs: where Zoho sends the authorization code after the user approves access. Use https:// in production. You can add multiple URIs.

Click CREATE.

Step 4: Copy Your Client ID and Client Secret

After creation, your Client ID and Client Secret appear in the Client Secret tab. Copy both and store them securely.

  • Client ID: public identifier for your app.
  • Client Secret: keep this private. Don't put it in client-side code, public repos, or browser logs.

Step 5: Choose Your Scopes

Scopes control what your app can read and write. Zoho Books uses a consistent naming pattern:

ZohoBooks.{module}.{permission}

Where permission is CREATE, READ, UPDATE, DELETE, or ALL.

Common modules and their scopes:

Module       Example Scope
Invoices     ZohoBooks.invoices.READ
Contacts     ZohoBooks.contacts.ALL
Bills        ZohoBooks.bills.CREATE
Expenses     ZohoBooks.expenses.READ
Banking      ZohoBooks.banking.READ
Settings     ZohoBooks.settings.READ
Accountants  ZohoBooks.accountants.READ

Request the minimum scopes your integration needs. Users see these on the consent screen, and a long list raises friction. ZohoBooks.fullaccess.all exists, but it's overkill for most integrations and looks alarming to end users.

Step 6: Build the Authorization URL

For server-based apps, you'll redirect users to Zoho's authorization endpoint to get a grant token (authorization code). Construct a GET request to:

https://accounts.zoho.com/oauth/v2/auth

With these parameters:

Parameter      Value
client_id      Your Client ID
response_type  code
redirect_uri   One of your registered redirect URIs
scope          Comma-separated scopes
access_type    offline (to receive a refresh token)

A full example:

https://accounts.zoho.com/oauth/v2/auth?client_id=1000.YOUR_CLIENT_ID&response_type=code&redirect_uri=https://yourapp.com/callback&scope=ZohoBooks.invoices.CREATE,ZohoBooks.contacts.READ&access_type=offline

After the user approves, Zoho redirects to your callback URL with a code parameter. That's your authorization code.

Region note: If your Zoho Books account is on the EU data center, use accounts.zoho.eu instead of accounts.zoho.com. Same for zoho.in, zoho.com.au, zoho.jp, zoho.ca, zoho.com.cn, zoho.sa, and other regional domains. The authorization URL must match the domain of your user's account.
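The following is an added example, written for this article and not code from Apideck or Zoho, that builds the Step 6 authorization URL while enforcing the Step 5 scope pattern, the exact-match redirect URI rule, and the region note. It adds one thing the article does not mention: a random state parameter (a standard OAuth 2.0 parameter) that the callback handler checks before it exchanges the code, so a forged callback is discarded. The region keys, the ValueError messages, and the callback sample with location=eu are assumptions of this example.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Accounts domains per data center, taken from the article's region note.
# The short region keys are this example's own convention.
ACCOUNTS_DOMAINS = {
    "us": "https://accounts.zoho.com",
    "eu": "https://accounts.zoho.eu",
    "in": "https://accounts.zoho.in",
    "au": "https://accounts.zoho.com.au",
    "jp": "https://accounts.zoho.jp",
    "ca": "https://accounts.zoho.ca",
    "cn": "https://accounts.zoho.com.cn",
    "sa": "https://accounts.zoho.sa",
}

# ZohoBooks.{module}.{permission}; the permission is matched case-insensitively
# so that ZohoBooks.fullaccess.all parses (it is then rejected on purpose below).
SCOPE_RE = re.compile(r"^ZohoBooks\.[a-z]+\.(create|read|update|delete|all)$", re.IGNORECASE)


def validate_scopes(scopes):
    """Return the scopes unchanged after checking their shape and refusing full access."""
    if not scopes:
        raise ValueError("request at least one scope")
    for scope in scopes:
        if not SCOPE_RE.match(scope):
            raise ValueError(f"malformed scope: {scope!r}")
        if scope.lower() == "zohobooks.fullaccess.all":
            raise ValueError("request per-module scopes instead of fullaccess")
    return list(scopes)


def check_redirect_uri(redirect_uri, registered_uris):
    """Exact string comparison, mirroring what the Developer Console enforces."""
    if redirect_uri not in registered_uris:
        raise ValueError(f"redirect_uri {redirect_uri!r} is not registered exactly as given")
    if not redirect_uri.startswith("https://"):
        raise ValueError("use an https:// redirect URI in production")
    return redirect_uri


def build_authorization_url(client_id, scopes, redirect_uri, registered_uris,
                            region="us", state=None):
    """Return (url, state). Store state in the user's session and compare it with
    the state echoed back on the callback before exchanging the code."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": check_redirect_uri(redirect_uri, registered_uris),
        "scope": ",".join(validate_scopes(scopes)),
        "access_type": "offline",  # without this no refresh token is issued
        "state": state,
    }
    return f"{ACCOUNTS_DOMAINS[region]}/oauth/v2/auth?{urlencode(params)}", state


def query_params(url):
    """Decode a URL into (host, flat dict of query parameters) for inspection."""
    parsed = urlparse(url)
    return parsed.netloc, {k: v[0] for k, v in parse_qs(parsed.query).items()}


def verify_callback(callback_url, expected_state):
    """Reject a callback whose state does not match; return (code, location).
    location is the region hint Zoho appends to the redirect."""
    _host, params = query_params(callback_url)
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: discard this callback")
    return params["code"], params.get("location")


if __name__ == "__main__":
    url, state = build_authorization_url(
        "1000.YOUR_CLIENT_ID",
        ["ZohoBooks.invoices.CREATE", "ZohoBooks.contacts.READ"],
        "https://yourapp.com/callback", ["https://yourapp.com/callback"], region="eu")
    print(url)
```

urlencode percent-encodes the commas in the scope list and the slashes in the redirect URI; Zoho decodes them on its side, and query_params shows the values as the server will see them.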

Step 7: Exchange the Code for Tokens

Hit Zoho's token endpoint with a POST request:

https://accounts.zoho.com/oauth/v2/token

Body parameters:

code=AUTHORIZATION_CODE
client_id=YOUR_CLIENT_ID
client_secret=YOUR_CLIENT_SECRET
redirect_uri=https://yourapp.com/callback
grant_type=authorization_code

A successful response:

{
  "access_token": "1000.abc123...",
  "refresh_token": "1000.def456...",
  "api_domain": "https://www.zohoapis.com",
  "token_type": "Bearer",
  "expires_in": 3600
}

Save both tokens. The api_domain field tells you which regional endpoint to use for subsequent API calls.

Step 8: Make Your First API Call

Pass the access token in the Authorization header:

Authorization: Zoho-oauthtoken YOUR_ACCESS_TOKEN

Start by fetching your organization ID:

curl -X GET 'https://www.zohoapis.com/books/v3/organizations' \
  -H 'Authorization: Zoho-oauthtoken YOUR_ACCESS_TOKEN'

Grab the organization_id from the response. You'll need to append ?organization_id=YOUR_ORG_ID to every subsequent request.

Step 9: Handle Token Refresh

Access tokens expire after one hour. When a call returns a 401, use your refresh token to get a new one:

curl -X POST 'https://accounts.zoho.com/oauth/v2/token' \
  -d 'client_id=YOUR_CLIENT_ID' \
  -d 'client_secret=YOUR_CLIENT_SECRET' \
  -d 'refresh_token=YOUR_REFRESH_TOKEN' \
  -d 'grant_type=refresh_token'

The response gives you a new access token. The refresh token stays the same in this flow. If you lose the refresh token, you'll need to restart the OAuth flow from the authorization URL step.
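Steps 7 through 9 as one client, added here as an example written for this article rather than code from Apideck or Zoho. It exchanges the code, refuses to continue if no refresh token came back, appends organization_id to every request after GET /organizations, and refreshes once on a 401 before retrying. The transport is injectable: urllib_transport is the real one, and ScriptedTransport is a constructed stand-in that replays canned responses so the flow can be exercised offline. The token values, the organization_id and the shape of the /organizations body (an organizations list whose entries carry organization_id) are assumptions of this example.

```python
import json
from urllib import error, parse, request


def urllib_transport(method, url, data, headers):
    """Real transport: form-encode the body and return (status, parsed JSON)."""
    payload = parse.urlencode(data).encode() if data else None
    req = request.Request(url, data=payload, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode())
    except error.HTTPError as exc:
        return exc.code, json.loads(exc.read().decode() or "{}")


class ZohoBooksClient:
    """Holds the OAuth state and adds organization_id to every Books request."""

    def __init__(self, client_id, client_secret,
                 accounts_base="https://accounts.zoho.com", transport=urllib_transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.accounts_base = accounts_base
        self.transport = transport
        self.access_token = self.refresh_token = self.api_domain = None
        self.organization_id = None

    def _token_request(self, **fields):
        fields.update(client_id=self.client_id, client_secret=self.client_secret)
        _status, body = self.transport("POST", f"{self.accounts_base}/oauth/v2/token", fields, {})
        if "error" in body:  # e.g. invalid_code for a used or expired grant token
            raise RuntimeError(f"token endpoint error: {body['error']}")
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.api_domain = body.get("api_domain", self.api_domain)  # regional API host
        return body

    def exchange_code(self, code, redirect_uri):
        """Step 7: the grant token is single-use and short-lived, so call this at once."""
        body = self._token_request(grant_type="authorization_code",
                                   code=code, redirect_uri=redirect_uri)
        if not self.refresh_token:
            raise RuntimeError("no refresh_token returned; authorize with access_type=offline")
        return body

    def refresh(self):
        """Step 9: mint a new access token; the refresh token itself does not change."""
        return self._token_request(grant_type="refresh_token", refresh_token=self.refresh_token)

    def get(self, path, params=None):
        """Step 8: GET /books/v3{path}, refreshing the access token once on a 401."""
        query = dict(params or {})
        if path != "/organizations":
            if not self.organization_id:
                raise RuntimeError("call load_organization() first")
            query["organization_id"] = self.organization_id
        url = f"{self.api_domain}/books/v3{path}"
        if query:
            url += "?" + parse.urlencode(query)
        for attempt in range(2):
            headers = {"Authorization": f"Zoho-oauthtoken {self.access_token}"}
            status, body = self.transport("GET", url, None, headers)
            if status == 401 and attempt == 0:
                self.refresh()
                continue
            if status != 200:
                raise RuntimeError(f"{status} from {path}: {body}")
            return body

    def load_organization(self):
        """Fetch and cache the organization_id every other endpoint requires."""
        body = self.get("/organizations")
        self.organization_id = str(body["organizations"][0]["organization_id"])
        return self.organization_id


class ScriptedTransport:
    """Constructed stand-in for the network: replays canned responses, logs calls."""

    def __init__(self, responses):
        self.responses, self.calls = list(responses), []

    def __call__(self, method, url, data, headers):
        self.calls.append((method, url, data, headers))
        return self.responses.pop(0)


def demo():
    """Exchange, first call, an expired-token 401, refresh, retry; all values constructed."""
    transport = ScriptedTransport([
        (200, {"access_token": "1000.old", "refresh_token": "1000.ref",
               "api_domain": "https://www.zohoapis.com", "token_type": "Bearer", "expires_in": 3600}),
        (200, {"code": 0, "organizations": [{"organization_id": "123456789"}]}),
        (401, {"message": "access token expired"}),
        (200, {"access_token": "1000.new", "api_domain": "https://www.zohoapis.com",
               "token_type": "Bearer", "expires_in": 3600}),
        (200, {"code": 0, "invoices": []}),
    ])
    client = ZohoBooksClient("1000.YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", transport=transport)
    client.exchange_code("1000.GRANT_CODE", "https://yourapp.com/callback")
    client.load_organization()
    client.get("/invoices")
    return client, transport
```

To use it for real, construct ZohoBooksClient without the transport argument and pass the accounts_base for the user's region; the refresh token and client secret belong in your secrets store, not in the client-side code or logs the article warns about.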

Self Client: The Shortcut for Server-Side Scripts

If you picked Self Client in Step 2, the flow is different. You don't build an authorization URL or handle redirects. Instead:

  1. On the Client Secret tab, copy your Client ID and Client Secret.
  2. Switch to the Generate Code tab.
  3. Enter your required scopes (comma-separated), pick a time duration for the grant token, add a description, and click Create.
  4. Copy the generated grant token immediately. By default it expires after three minutes, though you can select a longer duration from the dropdown.
  5. Exchange that code for tokens using the same token endpoint from Step 7.

Self Client works well for background jobs, internal tooling, and testing. It's not suitable for multi-user apps where each customer needs to authorize your app against their own Zoho Books organization.

Common Mistakes

Wrong regional domain. Zoho Books is multi-datacenter. If a user's account is on zoho.eu, you need accounts.zoho.eu for auth and www.zohoapis.eu for API calls. You can identify the region from the location parameter returned in Zoho's redirect response after authorization.

Grant token already used or expired. Authorization codes are single-use. For server-based apps, the grant token expires after two minutes. For Self Client, the default is three minutes (though you can extend this when generating the token). If you try to exchange one that's been used or has expired, you'll get invalid_code. Generate a fresh code and exchange it right away.

Missing organization_id. Every API endpoint requires ?organization_id=YOUR_ORG_ID. Leaving it out returns a 400 error. Call GET /organizations first and cache the value.

Redirect URI mismatch. The redirect URI in your authorization request must exactly match one registered in the Developer Console. A trailing slash difference, http vs https, or a subdomain variation will return an error.

No refresh token. If you called the authorization endpoint with access_type=online (or omitted it, since online is the default), you won't receive a refresh token. Once the access token expires, users have to re-authorize. For production integrations, always use access_type=offline. If you need a new refresh token after the first authorization, add prompt=consent to force the consent screen again.

Rate Limits

Zoho Books has some of the tighter rate limits among major accounting APIs:

  • Per-minute: 100 requests per minute per organization (error code 44 on breach)
  • Per-day: varies by plan
    • Free: 1,000 requests/day
    • Standard: 2,000 requests/day
    • Professional: 5,000 requests/day
    • Premium, Elite, and Ultimate: 10,000 requests/day
  • Concurrent: 5 concurrent calls for Free plans, 10 concurrent calls (soft limit) for paid plans (error code 1070 when exceeded)

The daily limit is shared across all integrations connected to the same organization. If your customer uses other Zoho-connected tools, they're drawing from the same pool. Build exponential backoff into your 429 handling.
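An added example of the backoff the paragraph asks for, written for this article and not code from Apideck or Zoho. It treats an HTTP 429 or a body carrying Zoho's code 44 or 1070 as a rate-limit response, retries with full-jitter exponential backoff, and pairs that with a client-side sliding-window budget so one integration does not race toward the 100-requests-per-minute ceiling in the first place. The canned responses in demo_backoff are constructed; the exact JSON Zoho returns alongside those codes is not shown in the article and is not assumed here beyond the code field.

```python
import random
import time
from collections import deque

# Zoho Books error codes from the article: 44 = per-minute limit, 1070 = concurrency limit.
RATE_LIMIT_CODES = {44, 1070}


def is_rate_limited(status, body):
    """True for an HTTP 429 or a JSON body carrying one of the rate-limit codes."""
    return status == 429 or (isinstance(body, dict) and body.get("code") in RATE_LIMIT_CODES)


def backoff_delay(attempt, base=1.0, cap=60.0, rng=random.random):
    """Full-jitter exponential backoff: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_backoff(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """send() returns (status, body). Retries rate-limited responses and returns
    (status, body, delays_slept) on success; raises once max_attempts is exhausted."""
    delays = []
    for attempt in range(max_attempts):
        status, body = send()
        if not is_rate_limited(status, body):
            return status, body, delays
        if attempt == max_attempts - 1:
            break
        delay = backoff_delay(attempt, rng=rng)
        delays.append(delay)
        sleep(delay)
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


class PerMinuteBudget:
    """Sliding-window counter so a single integration stays under limit/window."""

    def __init__(self, limit=100, window=60.0):
        self.limit, self.window = limit, window
        self.stamps = deque()

    def wait_time(self, now):
        """Seconds to wait before the next request fits in the window (0.0 if it fits now)."""
        while self.stamps and now - self.stamps[0] >= self.window:
            self.stamps.popleft()
        if len(self.stamps) < self.limit:
            return 0.0
        return self.window - (now - self.stamps[0])

    def record(self, now):
        """Call after each request actually sent."""
        self.stamps.append(now)


def demo_backoff():
    """Constructed sequence: a 429 with code 44, a concurrency rejection, then success."""
    responses = [(429, {"code": 44, "message": "rate limit exceeded"}),
                 (429, {"code": 1070, "message": "too many concurrent calls"}),
                 (200, {"code": 0, "invoices": []})]
    slept = []
    status, body, delays = call_with_backoff(
        send=lambda: responses.pop(0),
        sleep=slept.append,     # record the delay instead of blocking
        rng=lambda: 1.0)        # deterministic jitter so the demo is repeatable
    return status, body, delays, slept
```

Because the daily quota is shared by every tool connected to the organization, the budget above only protects against your own per-minute burst; a per-day counter would need the plan's limit as its window and still cannot see other integrations' traffic, so the backoff path stays necessary.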

Connecting Through Apideck

If Zoho Books is one of several accounting platforms you need to support, building a separate direct integration for each one gets expensive quickly. Apideck's Zoho Books connector connects through a unified accounting API alongside QuickBooks, Xero, Sage, NetSuite, and 30+ other platforms. Authentication, token refresh, rate limit handling, and data normalization are managed at the platform level.

To configure the connector, open the Apideck dashboard, go to Configuration > Connectors, and select Zoho Books under the Accounting API. You'll see two credential options: use Apideck's shared credentials for quick testing, or enter your own Client ID and Client Secret from the steps above for production use.


Once you've entered your credentials and saved, click Authorize to kick off the OAuth flow. After your users connect their Zoho Books account, the Organization ID field populates automatically.


The scopes panel lets you control exactly which Zoho Books resources your connector can access. You can select individual scopes per module (contacts, invoices, bills, and so on) rather than granting full access. The Virtual Webhooks section beneath it shows which resources Apideck will poll for updates, with a default 24-hour sync cycle that you can adjust per resource.


Ready to connect to Zoho Books and 30+ other accounting platforms through a single API? Get started for free.
