MCP URL (Server URL)
- Each Zoho MCP server receives a unique, secure Server URL upon creation.
- Format:
https://[mcp-server-name]-[org-id].zohomcp.com/mcp/[api-key]/message - This URL is the sole endpoint MCP clients invoke to execute tools.
- Security warning (from Zoho Billing docs): Treat the Server URL like a password. Anyone with this URL can interact with your MCP server. Do not share it in public repositories or shared documents (Zoho Billing MCP Help).
API Key Regeneration
- Click API Key Re-Generate (or Regenerate API Key) in the Connect tab.
- A new Server URL is generated immediately.
- Important: Regenerating disconnects ALL existing MCP client integrations; each client must be reconfigured with the new URL.
OAuth Flow (OAuth 2.1)
Zoho MCP uses a two-layer OAuth consent architecture:
Layer 1 – MCP Account Authorization
- Client presents credentials; first consent screen requests access to the Zoho MCP account and all enabled tools.
- User clicks Allow.
Layer 2 – Service-Level Authorization
- Second screen (Zoho OAuth) lists the specific permissions for the target service (e.g., Zoho Billing permissions).
- User clicks Accept.
Authorization Modes:
| Mode | Type | Scope | When to Use |
|---|---|---|---|
| Authorization on Demand | Per-user | Individual user authenticates when first using a tool | Default for Zoho products; user-specific access |
| Authorization via Connection | Org-wide | Super Admin shares OAuth tokens to all org members | Third-party services; centralized admin-managed auth |
- Revoke: Ellipsis → Revoke (Zoho services) or Delete (third-party)
- Re-authorize: Ellipsis → Authorize
- OAuth Token Limits: Max 10 active access tokens per refresh token; max 10 token requests per 10 minutes (Zoho OAuth Token Limits)