Bolt.new AI and Zoho CRM integration: Step-by-Step Guide 2025

To integrate Bolt.new with Zoho CRM, you treat Zoho like any other external REST API: you obtain OAuth access to Zoho, store the tokens as environment variables inside your Bolt.new workspace, and then write standard fetch‑based API calls to Zoho’s REST endpoints from your backend routes or serverless functions. Bolt.new does not have any built‑in Zoho connector — the integration is simply your backend code talking to Zoho’s API using OAuth tokens you manage. Once authenticated, you can create leads, update contacts, query records, etc., using Zoho’s documented REST URLs. That is the whole shape of the integration.

 

Core Concepts You Need

 

Zoho CRM exposes a public REST API. Bolt.new gives you a workspace where you can write backend code that can call any REST API, including Zoho, as long as you provide the correct tokens.

Zoho uses OAuth 2.0. That means you must create a Zoho “self‑client” (or a proper client if doing full OAuth login), generate a short‑lived authorization code, exchange it for a refresh token, then keep using the refresh token to request fresh access tokens. Access tokens expire quickly; refresh tokens do not.

Bolt.new supports environment variables. You must store your Zoho refresh token, client ID, and client secret there — never hard‑code them.

 

Step‑By‑Step Integration (Real Process)

 

• Create a Zoho CRM OAuth client using api-console.zoho.com. Choose “Self Client” if you just need server-to-server integration for prototyping.
• Generate an authorization code in the Zoho API Console (self‑client flow). Zoho will ask for scopes such as "ZohoCRM.modules.ALL".
• Exchange that authorization code for a refresh token using Zoho’s documented token endpoint.
• Store the refresh token, client ID, client secret, and Zoho base domain in Bolt.new environment variables.
• In Bolt.new, write a small backend function to automatically exchange your refresh token for a fresh access token before calling the Zoho API.
• Call Zoho's REST endpoints using standard fetch requests with the Authorization: Bearer header.

 

Example: Backend Token Refresh in Bolt.new

 

// This example uses Node.js fetch inside a Bolt.new backend file.
// It exchanges your Zoho refresh token for a temporary access token.

export async function getZohoAccessToken() {
  const clientId = process.env.ZOHO_CLIENT_ID;
  const clientSecret = process.env.ZOHO_CLIENT_SECRET;
  const refreshToken = process.env.ZOHO_REFRESH_TOKEN;
  const baseDomain = process.env.ZOHO_BASE_DOMAIN; // example: zoho.com or zoho.eu

  const url = `https://accounts.${baseDomain}/oauth/v2/token`
    + `?refresh_token=${refreshToken}`
    + `&client_id=${clientId}`
    + `&client_secret=${clientSecret}`
    + `&grant_type=refresh_token`;

  const response = await fetch(url, {
    method: "POST"
  });

  if (!response.ok) {
    throw new Error("Failed to refresh Zoho token");
  }

  const data = await response.json();
  return data.access_token;  // use this token for API calls
}

 

Example: Calling Zoho CRM (Create a Lead)

 

import { getZohoAccessToken } from "./zohoAuth.js";

export async function createZohoLead(leadData) {
  const token = await getZohoAccessToken();
  const baseDomain = process.env.ZOHO_BASE_DOMAIN; // example: zoho.com

  const response = await fetch(`https://www.zohoapis.${baseDomain}/crm/v2/Leads`, {
    method: "POST",
    headers: {
      "Authorization": `Bearer ${token}`,
      "Content-Type": "application/json"
    },
    body: JSON.stringify({
      data: [leadData]   // Zoho CRM API requires array in "data"
    })
  });

  if (!response.ok) {
    const errBody = await response.text();
    throw new Error("Zoho create lead failed: " + errBody);
  }

  return response.json();
}

 

How You Wire This Inside Bolt.new

 

• You create a server route (for example, /api/create-lead) that calls createZohoLead.
• Your frontend calls that route using fetch. Bolt manages local preview.
• Your tokens remain in environment variables, never shipped to the frontend.
• When moving to production, you copy the same env vars into your deployment provider.

 

Important Operational Notes

 

• Never expose refresh tokens to the browser. Only backend code may use them.
• Zoho refresh tokens are usually long‑lived, but Zoho can revoke them if scopes change.
• Zoho REST API returns detailed error messages. Log them during development.
• Rate limits exist. For heavy loads, add retry logic.

 

What This Gives You

 

You end up with a Bolt.new project that can read/write Zoho CRM data on demand. The integration is reliable because you use Zoho’s official OAuth flow, store secrets correctly, refresh tokens automatically, and call their REST endpoints with standard fetch code. Nothing magical — just correct API plumbing.