Once your application is registered, the next step is to obtain a Grant Token (also known as an Authorization Code). This is a short-lived token (valid for only 1 minute) that you will later exchange for permanent access.
At Kalki LLP, we emphasize that this step requires a browser interface, as the user must manually log in and click "Accept" to authorize the integration.
You must redirect the user to the Zoho Authorization endpoint. The URL structure varies by data center:
Your request URL must include these specific parameters:
| Parameter | Value / Description | Importance |
|---|---|---|
| scope | e.g., ZohoBooks.fullaccess.all | Defines the permissions requested. |
| client_id | Your Generated Client ID | Identifies your app to Zoho. |
| response_type | code | Tells Zoho to return a Grant Token. |
| redirect_uri | Your Registered Redirect URL | Must match your Step 1 registration exactly. |
| access_type | offline or online | Use offline to receive a Refresh Token. |
| prompt | consent | Forces the consent screen to appear (useful for debugging). |
Example URL for Kalki LLP Developers:
When the user visits this URL:
They are prompted to log into their Zoho Account.
A screen appears listing the requested scopes (e.g., "This app wants to view and manage your Zoho Books data").
The user clicks Accept or Deny.
After the user clicks Accept, Zoho redirects them back to your redirect_uri with the code attached to the URL:
Success Response:
code: This is your Grant Token. Save it immediately!
location: Confirms the data center (e.g., "in" for India).
Error Response:
If the user clicks Deny, they are redirected with an error:
https://kalkillp.com/callback?error=access_denied
| Error Code / Log | Reason | Solution |
|---|---|---|
| invalid_client | Incorrect Client ID. | Double-check the ID in your API Console. |
| redirect_uri_mismatch | The URL in the request doesn't match Step 1. | Ensure protocols (http vs https) and trailing slashes match. |
| invalid_scope | Typo in the scope name. | Ensure you use ZohoBooks.fullaccess.all (case sensitive). |
| Code Expires (60s) | You waited too long to use the code. | The Grant Token must be exchanged for an Access Token within 1 minute. |
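The following Python example is added here and is not Kalki LLP's or Zoho's own code. It builds the authorization URL from the parameters in the table above, then validates the callback: it rejects a redirect that does not match the registered redirect_uri, surfaces a denial, and tracks the one-minute window. The function names are hypothetical, and the authorization endpoint for your data center is passed in by the caller.

```python
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

GRANT_TTL_SECONDS = 60  # the page states the Grant Token is valid for 1 minute


@dataclass
class Grant:
    code: str                 # the Grant Token; keep it out of logs
    location: Optional[str]   # data center hint, e.g. "in"
    deadline: float           # clock value after which the code must not be used


def build_auth_url(auth_endpoint, client_id, redirect_uri, scope,
                   access_type="offline", prompt="consent"):
    """Assemble the authorization URL from the parameters in the table."""
    if access_type not in ("offline", "online"):
        raise ValueError("access_type must be 'offline' or 'online'")
    query = urlencode({
        "scope": scope,
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "access_type": access_type,
        "prompt": prompt,
    })
    return f"{auth_endpoint}?{query}"


def parse_callback(callback_url, registered_redirect_uri, now=None):
    """Return a Grant from the redirect; raise on denial or a malformed callback."""
    got, want = urlsplit(callback_url), urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")
    params = parse_qs(got.query)
    if "error" in params:
        raise PermissionError(params["error"][0])  # e.g. access_denied
    codes = params.get("code", [])
    if len(codes) != 1:  # missing, blank, or duplicated code parameter
        raise ValueError("expected exactly one non-empty code parameter")
    start = time.monotonic() if now is None else now
    return Grant(codes[0], params.get("location", [None])[0], start + GRANT_TTL_SECONDS)


def is_usable(grant, now=None):
    """True while the Grant Token is still inside its one-minute window."""
    return (time.monotonic() if now is None else now) < grant.deadline
```

Call is_usable immediately before the token exchange and restart the authorization flow if it returns False, rather than sending an expired code.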
If you are building a small script for internal use at Kalki LLP and don't want to build a redirect page, use the Self-Client option in the Zoho API Console:
Go to the Generate Code tab in your Self-Client.
Enter your scopes and set an expiry time.
Zoho will provide the code directly in the browser—no redirect URL needed.
Building a seamless "Connect to Zoho Books" button for your website can be tricky. Kalki LLP provides pre-built OAuth handlers in PHP, Python, and Node.js to help you skip the frustration.