Zoho CRM: "Invalid_Client" Error After Successful OAuth Authorization

In this entry, you will find the resolution to the most common cause of the "Invalid_Client" error, despite seeing a successful OAuth authorization in the browser.

Date Entered: 5/12/2020    Last Updated: 5/12/2020    Author: Garrett Bird


A common issue faced by many who attempt to connect with the Zoho CRM driver for the first time is the "Invalid_Client" error that occurs during the initial OAuth flow. What makes this error message confusing for many, is that it tends to occur right after seeing the "OAuth Authorization Successful" page upon authorizing the app in their browser.

OAuth Authorization Successful

The ultimate cause of the issue is actually something that happens directly after the browser authorization. When the redirect to the "OAuth Authorization Successful" page happens, the driver takes a verifier code from that URL and uses it to send another HTTP request to obtain the actual access token. The "Invalid_Client" error comes from the HTTP response to this request.

Why is This happening?

The behavior in Zoho CRM's API is dependent on the domain used during the OAuth process. As opposed to the authorization endpoint before it, the access token endpoint appears to be more restrictive in which client ID values are valid. Whereas the authorization endpoint accepts any valid client id without issue, regardless of the domain used, the access token endpoint only considers the specified domain for valid client IDs. So, if your account is normally accessed with a URL similar to "https://crm.zoho.eu/crm/org999999999/tab/Home/begin," the authorization will succeed when opening "https://accounts.zoho.com/oauth/v2/auth" in the browser, but the attempt to fetch the access token via "https://accounts.zoho.com/oauth/v2/token" will fail with the error.

The Solution

The solution to this is quite simple. If you normally log into the CRM with a domain other than .com, then setting the Domain connection property to the appropriate value should suffice. For example, if you normally log in with a .eu domain, then setting the Domain connection property to "eu" will cause the driver to use "https://accounts.zoho.eu/oauth/v2/auth" and "https://accounts.zoho.eu/oauth/v2/token" for the authorization and access token stages respectively. At that point, the same client ID should be considered valid for both stages of the OAuth flow, allowing you to obtain an access token and view your Zoho CRM data.

We appreciate your feedback.  If you have any questions, comments, or suggestions about this entry, please contact our support team at support@cdata.com.