API Authentication

Zoho Bookings APIs use OAuth 2.0 for authentication. This page gives you an overview of the authentication process. For complete details on OAuth 2.0 flows, registration, token management, and more, refer to the Zoho OAuth 2.0 documentation.


How it works  

To access Zoho Bookings APIs, your application needs an access token obtained through one of the OAuth 2.0 flows. At a high level, the steps are:

  1. Register your application in the Zoho API console.

  2. Get consent from the user to access their data and obtain an access token.

  3. Call Zoho Bookings APIs using the access token.

Token expiry: Access tokens expire periodically. The expiry duration is given as expires_in (in seconds) in the access token response. To maintain uninterrupted access, you can request an optional refresh token, store it, and use it to generate new access tokens as needed.

Different OAuth flows for different app types: Zoho supports OAuth flows for different application types (server-based, client-based, mobile & desktop-based, limited input devices, and self client). You can choose the flow that matches your application.

Multi DC support: Zoho operates data centers in multiple regions. If your application serves users across regions, you must enable Multi DC support in the API console and use region-specific endpoints for both OAuth and Bookings API calls.

See detailed OAuth 2.0 workflow 


Scopes  

Zoho Bookings APIs require OAuth scopes to define the level of access your application needs. When requesting an access token, request only the scopes your application requires. These scopes are displayed to users when they are asked for consent.

| Scope | Description |
| --- | --- |
| zohobookings.data.CREATE | Grants permission to perform supported actions in Zoho Bookings. |

For more details about scope format, see OAuth Scopes.


Making API calls with access token  

To authenticate your API calls, include the access token in the Authorization header of every API request.

Supported formats

    Authorization: Zoho-oauthtoken {access-token-value}
    Authorization: Bearer {access-token-value}

Example  

    curl -X GET "https://www.zohoapis.com" \
      -H "Authorization: Zoho-oauthtoken 1000.abc123def456..."

API endpoints by data center  

When making API calls, you must use the base URL corresponding to your user's data center. The correct URL is returned as api_domain in the access token response.

| Data center | Bookings domain | API base URL |
| --- | --- | --- |
| United States of America | bookings.zoho.com | https://www.zohoapis.com/bookings/ |
| European Union | bookings.zoho.eu | https://www.zohoapis.eu/bookings/ |
| India | bookings.zoho.in | https://www.zohoapis.in/bookings/ |
| Australia | bookings.zoho.com.au | https://www.zohoapis.com.au/bookings/ |
| China | bookings.zoho.com.cn | https://www.zohoapis.com.cn/bookings/ |
| Japan | bookings.zoho.jp | https://www.zohoapis.jp/bookings/ |
| Saudi Arabia | bookings.zoho.sa | https://www.zohoapis.sa/bookings/ |
| Canada | bookings.zohocloud.ca | https://www.zohoapis.ca/bookings/ |

Important: Never hardcode a single region's URL. Always use the api_domain from the access token response. See Multi-DC Support.
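
The following is an added example, not code from Zoho: one way to consume the access token response so that the base URL comes from api_domain, the token is only ever sent to a host listed in the table above, and expires_in drives the refresh time. It assumes the response is a JSON object with access_token, api_domain (an https origin such as https://www.zohoapis.eu) and expires_in; build_session, needs_refresh and the 60-second skew are hypothetical names and values chosen for illustration.

```python
import time
from urllib.parse import urlsplit

# API hosts taken from the data-center table on this page.
ALLOWED_API_HOSTS = {
    "www.zohoapis.com", "www.zohoapis.eu", "www.zohoapis.in",
    "www.zohoapis.com.au", "www.zohoapis.com.cn", "www.zohoapis.jp",
    "www.zohoapis.sa", "www.zohoapis.ca",
}
EXPIRY_SKEW_SECONDS = 60  # assumption: refresh this long before real expiry


class TokenResponseError(ValueError):
    """The token response is incomplete or points at an unexpected host."""


def build_session(token_response, now=None):
    """Derive base URL, auth header and refresh time from a token response."""
    now = time.time() if now is None else now
    for field in ("access_token", "api_domain", "expires_in"):
        if not token_response.get(field):
            raise TokenResponseError(f"missing field: {field}")
    parts = urlsplit(token_response["api_domain"])
    # Never send the token over plain HTTP or to a host outside the table.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_API_HOSTS:
        raise TokenResponseError("unexpected api_domain")
    if (parts.port not in (None, 443) or parts.username
            or parts.path not in ("", "/") or parts.query or parts.fragment):
        raise TokenResponseError("unexpected api_domain")
    token = token_response["access_token"]
    return {
        "base_url": f"https://{parts.hostname}/bookings/",
        "headers": {"Authorization": f"Zoho-oauthtoken {token}"},
        "refresh_at": now + int(token_response["expires_in"]) - EXPIRY_SKEW_SECONDS,
    }


def needs_refresh(session, now=None):
    """True once the access token is within the skew window of expiry."""
    return (time.time() if now is None else now) >= session["refresh_at"]


# Constructed sample response (not real credentials).
SAMPLE = {
    "access_token": "1000.example-token",
    "api_domain": "https://www.zohoapis.eu",
    "expires_in": 3600,
}
```

Keep the returned headers out of logs and error messages, since they carry the access token.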

