API Authentication
Zoho Shifts APIs use OAuth 2.0 for authentication. This page gives you an overview of the authentication process. For complete details on OAuth 2.0 flows, registration, token management, and more, refer to the Zoho OAuth 2.0 documentation.
How it works
To access Zoho Shifts APIs, your application needs an access token obtained through one of the OAuth 2.0 flows. At a high level, the steps are:
1. Register your application in the Zoho API console.
2. Get consent from the user to access their data and obtain an access token.
3. Call Zoho Shifts APIs using the access token.

Token expiry: Access tokens expire periodically. The expiry duration is given as expires_in (seconds) in the access token response. To maintain uninterrupted access, you can request an optional refresh token, store it, and use it to generate new access tokens as needed.
Different OAuth flows for different app types: Zoho supports OAuth flows for different application types (server-based, client-based, mobile & desktop-based, limited input devices, and self client). You can choose the flow that matches your application.
Multi DC support: Zoho operates data centers in multiple regions. If your application serves users across regions, you must enable Multi DC support in the API console and use region-specific endpoints for both OAuth and Product API calls.
Scopes
Zoho Shifts APIs require OAuth scopes to define the level of access your application needs. When requesting an access token, request only the scopes your application requires. These will be displayed to the users when asking for consent.
| Modules | Scopes |
|---|---|
| Employees | ZohoShifts.employees.CREATE<br>ZohoShifts.employees.READ<br>ZohoShifts.employees.UPDATE<br>ZohoShifts.employees.DELETE |
| Shifts, Availability | ZohoShifts.schedules.CREATE<br>ZohoShifts.schedules.READ<br>ZohoShifts.schedules.UPDATE<br>ZohoShifts.schedules.DELETE |
| Timesheets | ZohoShifts.timesheets.CREATE<br>ZohoShifts.timesheets.READ<br>ZohoShifts.timesheets.UPDATE<br>ZohoShifts.timesheets.DELETE |
| Settings (Schedules, Positions, Job Sites) | ZohoShifts.settings.CREATE<br>ZohoShifts.settings.READ<br>ZohoShifts.settings.UPDATE<br>ZohoShifts.settings.DELETE |
| Time Off | ZohoShifts.timeoff.CREATE<br>ZohoShifts.timeoff.READ<br>ZohoShifts.timeoff.UPDATE<br>ZohoShifts.timeoff.DELETE |
To request multiple scopes, separate them with commas:
scope=ZohoShifts.employees.READ,ZohoShifts.settings.READ
For more details about scope format, see OAuth Scopes.
Making API calls with access token
To authenticate your API calls, include the access token in the Authorization header of every API request with the prefix Bearer.
Syntax
Authorization: Bearer <space> {access-token-value}
Example
curl -X GET "https://shifts.zoho.com/api/v1/{org_id}/employees" \
  -H "Authorization: Zoho-oauthtoken 1000.abc123def456..."
API endpoints by data center
When making API calls, you must use the base URL corresponding to your user's data center. The correct URL is returned as api_domain in the access token response.
| Data Center | API Base URL |
|---|---|
| United States (US) | https://shifts.zoho.com |
| European Union (EU) | https://shifts.zoho.eu |
| India (IN) | https://shifts.zoho.in |
| Australia (AU) | https://shifts.zoho.com.au |
| Canada (CA) | https://shifts.zohocloud.ca |
| Saudi Arabia (SA) | https://shifts.zoho.sa |
Important: Never hardcode a single region's URL. Always use the api_domain from the access token response. See Multi-DC Support.
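The following Python sketch is an added example, not Zoho's own code. It ties together three points from this page: building a least-privilege scope parameter, tracking expires_in, and taking the base URL from api_domain while refusing any value that is not in the data center table. It assumes api_domain matches one of the listed base URLs exactly; the function names, the 60-second refresh margin, and the sample response values are constructed for illustration.

```python
import time

# Base URLs copied from the data center table on this page.
ALLOWED_API_BASES = {
    "https://shifts.zoho.com", "https://shifts.zoho.eu", "https://shifts.zoho.in",
    "https://shifts.zoho.com.au", "https://shifts.zohocloud.ca", "https://shifts.zoho.sa",
}
MODULES = {"employees", "schedules", "timesheets", "settings", "timeoff"}
OPERATIONS = {"CREATE", "READ", "UPDATE", "DELETE"}


def build_scope_param(scopes):
    """Return the comma-separated scope value, rejecting scopes not listed on this page."""
    for scope in scopes:
        parts = scope.split(".")
        if (len(parts) != 3 or parts[0] != "ZohoShifts"
                or parts[1] not in MODULES or parts[2] not in OPERATIONS):
            raise ValueError(f"unknown scope: {scope!r}")
    return ",".join(dict.fromkeys(scopes))  # drop duplicates, keep order


def session_from_token_response(resp, now=None, skew=60):
    """Turn a token response into (base_url, access_token, refresh_at)."""
    now = time.time() if now is None else now
    base = resp["api_domain"].rstrip("/")
    # Assumption: api_domain equals a base URL from the table. Anything else is
    # refused so the access token is never sent to an unexpected host.
    if base not in ALLOWED_API_BASES:
        raise ValueError(f"unexpected api_domain: {base!r}")
    expires_in = int(resp["expires_in"])
    if expires_in <= 0:
        raise ValueError("expires_in must be positive")
    # Refresh slightly early so no request goes out with an expired token.
    return base, resp["access_token"], now + expires_in - skew


if __name__ == "__main__":
    # Constructed sample response; the token value is a placeholder.
    resp = {"access_token": "1000.placeholder", "expires_in": 3600,
            "api_domain": "https://shifts.zoho.eu"}
    base, token, refresh_at = session_from_token_response(resp)
    print("scope=" + build_scope_param(["ZohoShifts.employees.READ"]))
    print(f"{base}/api/v1/12345/employees", "refresh at", int(refresh_at))
```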