How To Retrieve Zoho CRM API Access Tokens and Refresh Tokens

I need help with my Zoho CRM Integration.

I’m working with a client on an app that aspired to bridge the communications gap between freelance insurance agents and their respective clients.

One of the biggest project requirements was to integrate Zoho CRM so that agents can connect their accounts. I managed to get this working. Agents click a button, are redirected to a Zoho page, approve the connect, are redirected back to the app. The connection is made and the user can now call their client’s data from Zoho from within the Bubble app.

But here is where my problem begins.

Zoho API relies on access-tokens and refresh-tokens to maintain the connection. When the access token expires the refresh token can be used to grab a new access token, and so on, creating a seamless experience for the user.

The problem is that I cannot seem to figure out how to extract the access tokens, so the user connections are temporary.

I will go through my setup and hopefully someone can identify the pain point.

Setting Up Zoho API

First thing’s first, in Zoho’s Developer Console, API console, I created a client for the app using the “Server-based applications” option. You must do this to retrieve your Client Secret that you will use later.

Next, you name your client and add some URLs. The Homepage URL for now is the page where the app lives. The Authorized Redirect URI is a generic redirect URL provided by Bubble during the API setup.

Screenshot 2023-07-26 142834

Setting up Zoho CRM

To test this integration, I had to sign up for a Zoho CRM account and create clients (contacts) for testing.

Setting up API Connector

Next, I setup the API Connector with these configurations.

This setup is what allows the user to be redirected to the Zoho CRM signin page where they’ll either allow or reject the account connection. After they’ve allowed the connection, they’ll be redirected to the app.

The problem seems to start here. According to multiple sources, including ChatGPT, when the user starts the action that redirects them to the Zoho page sign in, there should be some sort of authorization code in the URL, but I don’t see it. Then, after they’ve allowed the connection and are redirected to the app, Bubble should be capturing an access token and a refresh token. But I’ve checked the logs, URLs, browser developer network settings, and I cannot find any such codes or tokens.

ChatGPT suggests that the solution to the token expiration problem is to use the access token and refresh token to create workflows that capture them and other create other workflows that update the tokens when they’re about to expire. But because I do not receive the tokens, I can’t move forward with this fix.

What am I missing? Any help would be greatly appreciated.

I may have made some progress.

It turns out that I may have been receiving the authorization code in the redirect URL after the user connects their Zoho account. So now, I have a different issue.

The Zoho documentation states that I now need to use this authorization code to retrieve a Zoho access token and refresh token. To do this, I’ve created a new API call that is meant to point to a token endpoint,, which is supposed to spit back the tokens.

The problem is that although the call initializes, I receive an invalid_code error. Zoho’s documentation and ChatGPT suggests that the authorization code I’m receiving are either already expired by the time I grab it to initialize the call, or can only be used once, so a real head scratcher for me.

Any tips would be greatly appreciated.

Thank you for your help with this, Nigel.

I’m still working on this. Hopefully I can find a breakthrough.

I’ve found some other forum posts I’ll try to explore, some of which you’ve actually commented on again haha. It seems you keep finding yourself on these OAuth threads. I’m hoping to get to the bottom of this so that I can write a clear thing about it.

Just to recap, while I understand that Bubble handles the tokens for me, for whatever reason my Zoho connection does not stick after a period of time, which prompted me to look into these solutions in the first place.

I keep reading that it’ll be up to me to build workarounds to attain the access and refresh tokens so that I can use them to acquire new tokens, maintaining the connection indefinitely. That’s really the hiccup.

I’ll keep trying and will let you know if I reach a breakthrough. Thank’s again.

Any solutions to this?

I’ve set up Oauth2 With Google and Zoho. Bubble seems to handle the tokens for google no problem. However, Zoho tokens expire after an hour or some small amount of time and users can’t stay logged in for even a day. I don’t have any back-end workflows set up to handle either one. I’ve been looking for a solution for a long time. I circle back to the forums every year or so.