Zoho CRM

Name: QuantaSeal
Brand: QuantaSeal
Price: 69 AUD

CRM

system_type: "zoho"

Proxy Zoho CRM API calls for contacts, leads, deals, and custom modules with PQC-sealed OAuth2 tokens.

Overview#

The Zoho CRM connector proxies Zoho REST API v7 calls through QuantaSeal's ML-KEM-768 + AES-256-GCM encryption layer. OAuth2 access and refresh tokens are sealed in QuantaVault. Supports contacts, leads, deals, accounts, and custom modules.

Base URL: https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_…

Prerequisites#

1A Zoho CRM account with API access enabled
2A Zoho Server-based OAuth2 application (Self-Client or Web App)
3Client ID, Client Secret, and a refresh token with the required scopes
4A QuantaSeal API key

Configuration#

Follow these steps to connect Zoho CRM to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.

1
In Zoho API Console (api-console.zoho.com), create a Server-based OAuth2 application.
2
Request scopes: ZohoCRM.modules.ALL, ZohoCRM.settings.ALL.
3
Generate a refresh token using the Self-Client or authorization code flow.
4
Seal credentials: POST /api/v2/vault/seal with credential_type: oauth2_client and values: {client_id, client_secret, refresh_token}.
5
Create integration: POST /api/v2/integrations with system_type: zoho.

Authentication Types#

Zoho uses OAuth2 with long-lived refresh tokens. Seal the client_id, client_secret, and refresh_token as oauth2_client in QuantaVault. QuantaSeal automatically refreshes the access token before expiry.

OAuth2 Client

All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.

Available Operations#

QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.

Operation	Description
`get_record`	Retrieve a CRM record by module and ID.
`create_record`	Create a new record in any Zoho module.
`update_record`	Update a record by ID.
`search_records`	Search records with criteria filters.
`list_records`	List records in a module with pagination.

Code Example#

Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.

bashCopy

curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "integration_id": "int_ZOHO001",
    "operation": "search_records",
    "payload": {"module": "Contacts", "criteria": "(Email:equals:alice@acme.com)"}
  }'

Decrypt the response using the QuantaSeal SDK: client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.

Troubleshooting#

invalid_code or invalid_client from Zoho

Refresh token may have expired. Zoho refresh tokens expire if unused for 60 days. Re-generate and rotate the vault credential.

INVALID_MODULE error

Ensure the module name matches Zoho's API name exactly (e.g., 'Leads' not 'Lead').

Still stuck? Check the Security Events page in the Admin Console for detailed proxy error logs, or open a support ticket at quantaseal.io/support.

All Connectors API Reference