To integrate Zoho Books with Lovable, create an OAuth2 Server-Based Application in the Zoho API Console, store client credentials in Cloud → Secrets, then build Edge Functions that call the Zoho Books API for invoices, contacts, expenses, and bank transactions. Zoho Books is ideal for founders building accounting dashboards or client billing portals inside Lovable, especially those already using other Zoho apps.
Build accounting-powered features in Lovable with Zoho Books and Edge Functions
Zoho Books is the accounting backbone of the Zoho ecosystem — deeply connected to Zoho CRM, Zoho Inventory, and Zoho Projects. For founders already in the Zoho suite, integrating Zoho Books with Lovable unlocks billing portals, expense dashboards, and client invoicing features without duplicating data across systems. The Zoho Books API is REST-based with comprehensive coverage of invoices, contacts, expenses, payments, bank transactions, and reports.
The authentication model is OAuth2 with organization-level scoping. Unlike simpler API key-based services, Zoho Books requires you to register an application in the Zoho API Console, go through an OAuth2 authorization flow, and manage access token refresh. Each API call is scoped to a specific organization ID — your Zoho Books organization number — which is required as a query parameter on every request. For multi-organization setups, each organization has its own ID.
A critical detail: Zoho operates data-center-specific domains. If your account is in the EU, the API base URL is books.zoho.eu; for India it is books.zoho.in; for the US it is books.zoho.com. Using the wrong domain returns authentication errors. Store the base URL as a secret alongside the credentials so it can be changed without code modifications.
The most common Lovable + Zoho Books use cases are client-facing invoicing portals (where clients view and pay invoices directly in your app) and internal accounting dashboards (where your team sees outstanding receivables, expense summaries, and cash flow without logging into Zoho Books directly).
Integration method
Zoho Books has no native Lovable connector. All accounting operations are proxied through Lovable Edge Functions using the Zoho Books REST API with OAuth2 authentication. OAuth2 access tokens and refresh tokens are stored in Cloud → Secrets and the Edge Function handles token refresh automatically, keeping all credentials server-side and preventing CORS issues from direct browser calls.
Prerequisites
- A Lovable project with Lovable Cloud enabled (Edge Functions require a deployed app)
- A Zoho Books account with at least one organization set up (zoho.com/books — free trial available)
- Admin access to the Zoho Books organization to configure API access
- Your Zoho Books Organization ID (found in Zoho Books → Settings → Organization Profile)
- Familiarity with OAuth2 concepts — you will be obtaining authorization codes and exchanging them for tokens
Step-by-step guide
Register a Server-Based Application in Zoho API Console
Register a Server-Based Application in Zoho API Console
Zoho Books uses OAuth2 for authentication. You need to register your integration as a 'Server-Based Application' in the Zoho API Console before making any API calls. Go to api-console.zoho.com and sign in with your Zoho account. Click 'Add Client'. Choose 'Server-based Applications' as the client type — this is the correct type for Edge Function server-to-server integrations. Fill in the registration form: - Client Name: something descriptive like 'Lovable Books Integration' - Homepage URL: your Lovable app URL (e.g., https://yourapp.lovable.app) - Authorized Redirect URIs: use https://yourapp.lovable.app/oauth/callback for now (you will need this for the initial token exchange) After creating the client, Zoho provides a Client ID and Client Secret. Copy both values. Next, you need to generate the first access token and refresh token. Zoho Books tokens follow the standard OAuth2 authorization code flow. Construct the authorization URL: https://accounts.zoho.com/oauth/v2/auth?scope=ZohoBooks.fullaccess.all&client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=YOUR_REDIRECT_URI&access_type=offline The 'access_type=offline' parameter is required to get a refresh token. Paste this URL in your browser, authorize access, and Zoho will redirect to your redirect URI with a 'code' parameter in the URL. Copy that code — it expires in 10 minutes. Exchange the code for tokens via a one-time curl-equivalent: POST to https://accounts.zoho.com/oauth/v2/token with grant_type=authorization_code, client_id, client_secret, redirect_uri, and code. Use a tool like Postman, Insomnia, or the Hoppscotch browser app to make this POST request and capture the access_token and refresh_token from the response. For EU accounts, use accounts.zoho.eu; for India, use accounts.zoho.in.
Pro tip: The authorization code from Zoho expires in 10 minutes. Complete the token exchange immediately after copying the code from the redirect URL. If it expires, repeat the browser authorization step to get a new code.
Expected result: You have a Zoho Client ID, Client Secret, Access Token, and Refresh Token. The refresh token is long-lived and is used to obtain new access tokens automatically. Store all four values before proceeding.
Store Zoho credentials and Organization ID in Cloud Secrets
Store Zoho credentials and Organization ID in Cloud Secrets
Zoho Books requires multiple credentials that must all live in Lovable Cloud → Secrets, never in your frontend code or Git repository. The access token provides immediate API access, the refresh token allows obtaining new access tokens when the current one expires (Zoho access tokens expire after one hour), and the organization ID scopes every API request to your specific Zoho Books organization. In Lovable, click the '+' icon at the top of the editor to open the Cloud panel. Navigate to the Secrets tab. Add the following secrets one by one: - ZOHO_CLIENT_ID — your application's Client ID from the Zoho API Console - ZOHO_CLIENT_SECRET — your application's Client Secret from the Zoho API Console - ZOHO_ACCESS_TOKEN — the access token from the token exchange (expires hourly, will be auto-refreshed) - ZOHO_REFRESH_TOKEN — the refresh token (long-lived, used to get new access tokens) - ZOHO_ORGANIZATION_ID — your Zoho Books organization ID (found in Zoho Books → Settings → Organization Profile → Organization ID) - ZOHO_BASE_URL — the API base URL for your data center: https://www.zohoapis.com for US, https://www.zohoapis.eu for EU, https://www.zohoapis.in for India The organization ID is visible in Zoho Books under the Settings gear → Organization Profile. It is a numeric string like '20080000123456'. Every Zoho Books API request must include ?organization_id=YOUR_ID as a query parameter — forgetting this returns a 'MANDATORY_NOT_FOUND' error. Because access tokens expire hourly, your Edge Function needs to implement token refresh logic using the client credentials and refresh token.
Pro tip: Zoho Books organization IDs are different from Zoho account IDs. Go to Zoho Books → Settings (gear icon) → Organization Profile — the organization ID is explicitly labeled there. Do not confuse it with your Zoho account login ID.
Expected result: All six secrets appear in Cloud → Secrets: ZOHO_CLIENT_ID, ZOHO_CLIENT_SECRET, ZOHO_ACCESS_TOKEN, ZOHO_REFRESH_TOKEN, ZOHO_ORGANIZATION_ID, and ZOHO_BASE_URL.
Create the Zoho Books API proxy Edge Function with token refresh
Create the Zoho Books API proxy Edge Function with token refresh
The core Edge Function needs to handle both the API call to Zoho Books and OAuth2 token refresh when the access token expires. Zoho access tokens are valid for one hour — a production integration must automatically refresh them using the refresh token and client credentials. The token refresh flow: when a Zoho API call returns 401 (token expired), POST to the Zoho accounts token URL with grant_type=refresh_token, client_id, client_secret, and refresh_token. Zoho responds with a new access_token. Use the new token for the original API request. A gotcha with Zoho Books: you cannot update the Deno environment secrets at runtime — once the new access token is obtained via refresh, you must either store it in your Supabase database table or accept that the next cold start will use the original (possibly expired) token from secrets and refresh again. The simplest production pattern is to store the current access token in a Supabase table with an expiry timestamp, and check that table before using the secret value. The Edge Function below shows the proxy pattern for the most common operations: listing invoices, fetching a single invoice, and creating an invoice. All three go through the same token-refresh-aware fetch wrapper. For development, you can skip the auto-refresh by simply regenerating the access token in Zoho API Console and updating the ZOHO_ACCESS_TOKEN secret whenever it expires — less elegant but fine while building.
Create an Edge Function called zoho-books at supabase/functions/zoho-books/index.ts. Accept POST requests with { action, params } where action can be 'list_invoices', 'get_invoice', or 'create_invoice'. Use ZOHO_ACCESS_TOKEN, ZOHO_ORGANIZATION_ID, and ZOHO_BASE_URL from secrets. Include CORS headers. If Zoho returns 401, use ZOHO_REFRESH_TOKEN, ZOHO_CLIENT_ID, and ZOHO_CLIENT_SECRET to refresh the token and retry. Return the Zoho API response data.
Paste this in Lovable chat
1import { serve } from 'https://deno.land/std@0.168.0/http/server.ts'23const corsHeaders = {4 'Access-Control-Allow-Origin': '*',5 'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',6}78async function refreshAccessToken(): Promise<string> {9 const clientId = Deno.env.get('ZOHO_CLIENT_ID')!10 const clientSecret = Deno.env.get('ZOHO_CLIENT_SECRET')!11 const refreshToken = Deno.env.get('ZOHO_REFRESH_TOKEN')!12 const baseAccounts = Deno.env.get('ZOHO_BASE_URL')!.replace('www.zohoapis', 'accounts.zoho')1314 const resp = await fetch(`${baseAccounts}/oauth/v2/token`, {15 method: 'POST',16 headers: { 'Content-Type': 'application/x-www-form-urlencoded' },17 body: new URLSearchParams({18 grant_type: 'refresh_token',19 client_id: clientId,20 client_secret: clientSecret,21 refresh_token: refreshToken,22 }),23 })24 const data = await resp.json()25 if (!data.access_token) throw new Error('Token refresh failed: ' + JSON.stringify(data))26 return data.access_token27}2829async function zohoFetch(path: string, options: RequestInit = {}, retry = true): Promise<Response> {30 const baseUrl = Deno.env.get('ZOHO_BASE_URL')!31 const orgId = Deno.env.get('ZOHO_ORGANIZATION_ID')!32 let token = Deno.env.get('ZOHO_ACCESS_TOKEN')!3334 const url = `${baseUrl}/books/v3${path}${path.includes('?') ? '&' : '?'}organization_id=${orgId}`35 let resp = await fetch(url, {36 ...options,37 headers: {38 Authorization: `Zoho-oauthtoken ${token}`,39 'Content-Type': 'application/json;charset=UTF-8',40 ...(options.headers || {}),41 },42 })4344 if (resp.status === 401 && retry) {45 token = await refreshAccessToken()46 resp = await fetch(url, {47 ...options,48 headers: {49 Authorization: `Zoho-oauthtoken ${token}`,50 'Content-Type': 'application/json;charset=UTF-8',51 ...(options.headers || {}),52 },53 })54 }55 return resp56}5758serve(async (req) => {59 if (req.method === 'OPTIONS') return new Response('ok', { headers: corsHeaders })6061 try {62 const { action, params = {} } = await req.json()6364 let resp: Response65 if (action === 'list_invoices') {66 const query = params.contactId ? `?contact_id=${params.contactId}&status=${params.status || 'all'}` : `?status=${params.status || 'all'}`67 resp = await zohoFetch(`/invoices${query}`)68 } else if (action === 'get_invoice') {69 resp = await zohoFetch(`/invoices/${params.invoiceId}`)70 } else if (action === 'create_invoice') {71 resp = await zohoFetch('/invoices', {72 method: 'POST',73 body: JSON.stringify(params),74 })75 } else {76 return new Response(JSON.stringify({ error: 'Unknown action' }), {77 status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' },78 })79 }8081 const data = await resp.json()82 return new Response(JSON.stringify(data), {83 status: resp.ok ? 200 : resp.status,84 headers: { ...corsHeaders, 'Content-Type': 'application/json' },85 })86 } catch (error) {87 return new Response(JSON.stringify({ error: error.message }), {88 status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' },89 })90 }91})Pro tip: Zoho Books API uses 'Zoho-oauthtoken YOUR_TOKEN' as the Authorization header format — not 'Bearer'. Using 'Bearer' causes 401 errors even with a valid token. This is a common mistake when adapting code from other OAuth2 APIs.
Expected result: The zoho-books Edge Function deploys successfully in Cloud → Edge Functions. Test it from the panel with action 'list_invoices' — you should see invoices from your Zoho Books organization in the response.
Build the invoicing or expense dashboard in Lovable
Build the invoicing or expense dashboard in Lovable
With the Edge Function in place, use Lovable's chat to build the UI that consumes Zoho Books data. The most impactful first build is typically an invoice dashboard — a table showing invoice number, client name, amount, due date, and status with color-coded badges for Paid, Sent, Overdue, and Draft states. Use supabase.functions.invoke() from your React components to call the zoho-books Edge Function with the appropriate action and params. For an invoice list, invoke with action 'list_invoices'. For a specific invoice detail view, invoke with action 'get_invoice' and the invoice ID. Zoho Books API responses wrap data in a root key matching the resource: invoice list is at response.invoices[], a single invoice is at response.invoice, contacts are at response.contacts[]. Always destructure at the correct key to avoid undefined errors. For expense dashboards, the Zoho Books expenses endpoint is /expenses (action would be 'list_expenses' — add this case to your Edge Function). Expenses have category, account, amount, date, and status fields. A useful dashboard shows total spend by category using a bar chart built with Recharts (already available in Lovable's React environment). For complex integrations linking Zoho Books with your Supabase customer records, RapidDev's team can help design the data mapping between your app's user IDs and Zoho Books contact IDs.
Create an invoice dashboard page that calls the zoho-books Edge Function with action 'list_invoices' on mount. Show a loading spinner while fetching. Display results in a table with columns: Invoice #, Customer, Amount, Due Date, Status. Add status badge colors: green for Paid, yellow for Sent, red for Overdue. Add a filter dropdown for status (All, Sent, Paid, Overdue). Handle empty states and errors gracefully.
Paste this in Lovable chat
1import { useEffect, useState } from 'react'2import { supabase } from '@/lib/supabase'34interface Invoice {5 invoice_id: string6 invoice_number: string7 customer_name: string8 total: number9 currency_code: string10 due_date: string11 status: string12}1314export function InvoiceDashboard() {15 const [invoices, setInvoices] = useState<Invoice[]>([])16 const [loading, setLoading] = useState(true)17 const [statusFilter, setStatusFilter] = useState('all')1819 useEffect(() => {20 async function fetchInvoices() {21 setLoading(true)22 const { data, error } = await supabase.functions.invoke('zoho-books', {23 body: { action: 'list_invoices', params: { status: statusFilter } },24 })25 if (!error && data?.invoices) setInvoices(data.invoices)26 setLoading(false)27 }28 fetchInvoices()29 }, [statusFilter])3031 const statusColor = (status: string) => ({32 paid: 'bg-green-100 text-green-800',33 sent: 'bg-yellow-100 text-yellow-800',34 overdue: 'bg-red-100 text-red-800',35 draft: 'bg-gray-100 text-gray-800',36 }[status.toLowerCase()] || 'bg-gray-100 text-gray-800')3738 return (39 <div className="p-6">40 <h1 className="text-2xl font-bold mb-4">Invoices</h1>41 {loading ? <p>Loading...</p> : (42 <table className="w-full border-collapse">43 <thead>44 <tr className="bg-gray-50">45 <th className="p-3 text-left">Invoice #</th>46 <th className="p-3 text-left">Customer</th>47 <th className="p-3 text-right">Amount</th>48 <th className="p-3 text-left">Due Date</th>49 <th className="p-3 text-left">Status</th>50 </tr>51 </thead>52 <tbody>53 {invoices.map(inv => (54 <tr key={inv.invoice_id} className="border-t">55 <td className="p-3">{inv.invoice_number}</td>56 <td className="p-3">{inv.customer_name}</td>57 <td className="p-3 text-right">{inv.currency_code} {inv.total.toFixed(2)}</td>58 <td className="p-3">{inv.due_date}</td>59 <td className="p-3"><span className={`px-2 py-1 rounded text-xs font-medium ${statusColor(inv.status)}`}>{inv.status}</span></td>60 </tr>61 ))}62 </tbody>63 </table>64 )}65 </div>66 )67}Pro tip: Zoho Books returns amounts as numbers, not strings. Use .toFixed(2) when displaying monetary values. Also, Zoho returns dates in YYYY-MM-DD format — you may want to format them with JavaScript's Intl.DateTimeFormat for a more user-friendly display.
Expected result: The invoice dashboard page renders with a table of invoices from Zoho Books. Status badges show in appropriate colors. The status filter dropdown updates the list when changed.
Common use cases
Client invoice portal showing outstanding and paid invoices
Build a client-facing portal in your Lovable app where customers can view their invoice history, download PDFs, and see payment status. The Edge Function fetches invoices filtered by contact email from the Zoho Books API, returning outstanding, paid, and overdue invoices. Clients interact with your branded portal rather than receiving raw Zoho invoice emails.
Create an Edge Function called zoho-invoices that accepts a GET with a contactId query parameter and fetches all invoices for that contact from the Zoho Books API using ZOHO_ACCESS_TOKEN, ZOHO_ORGANIZATION_ID, and ZOHO_BASE_URL from secrets. Return invoice number, date, due date, total, and status. Then create a React page that shows the user's invoices in a table with status badges (Paid, Outstanding, Overdue) and a download link for each invoice.
Copy this prompt to try it in Lovable
Expense submission and approval dashboard
Allow team members to submit expense claims in a Lovable app that creates expense records in Zoho Books via the API. A manager dashboard shows pending expenses, total spend by category, and one-click approval that updates the expense status in Zoho Books. This replaces email-based expense approval workflows with a proper UI.
Create an Edge Function called zoho-expense that accepts a POST with { employeeName, amount, currency, category, description, date, receiptUrl } and creates an expense record in Zoho Books using ZOHO_ACCESS_TOKEN and ZOHO_ORGANIZATION_ID from secrets. Then build a form in Lovable for expense submission and an admin dashboard showing all pending expenses with approve/reject buttons that update the expense status via a second Edge Function.
Copy this prompt to try it in Lovable
Automated invoice creation from app events
When a client completes an order or project milestone in your Lovable app, automatically create a Zoho Books invoice for the work completed. The Edge Function maps app order data to Zoho Books line items, sets payment terms, and creates the invoice in draft or sent state. This eliminates manual invoice creation in Zoho Books for every transaction.
Create an Edge Function called zoho-create-invoice that accepts a POST with { contactId, lineItems: [{ name, quantity, rate }], dueDate, notes } and creates an invoice in Zoho Books using ZOHO_ACCESS_TOKEN and ZOHO_ORGANIZATION_ID from secrets. Set the invoice status to 'sent' and return the invoice ID and portal URL. Call this Edge Function from my order completion flow after saving the order to Supabase.
Copy this prompt to try it in Lovable
Troubleshooting
Zoho API returns 'MANDATORY_NOT_FOUND' error for every request
Cause: The organization_id query parameter is missing from the API request URL. Zoho Books requires ?organization_id=YOUR_ORG_ID on every API endpoint.
Solution: Verify that ZOHO_ORGANIZATION_ID is set in Cloud → Secrets and that the Edge Function appends it as a query parameter to every request URL. The organization ID is found in Zoho Books → Settings → Organization Profile. Ensure the value is the numeric organization ID (e.g., '20080000123456'), not the organization name or Zoho account ID.
1// Ensure organization_id is always appended:2const url = `${baseUrl}/books/v3/invoices?organization_id=${orgId}`Edge Function returns 401 Unauthorized after the first hour of use
Cause: Zoho Books OAuth2 access tokens expire after one hour. Once the token stored in Cloud → Secrets expires, all API calls return 401 until the token is refreshed.
Solution: Implement the token refresh logic in your Edge Function as shown in the code example above. The refreshAccessToken() function calls the Zoho token endpoint with the refresh token and client credentials to obtain a new access token. For a simpler workaround during development, go to Zoho API Console → your app → Generate Token to get a new access token and update the ZOHO_ACCESS_TOKEN secret manually.
Zoho API calls return 'INVALID_CLIENT_ID' or 'INVALID_OAUTHSCOPE' errors
Cause: The OAuth2 scopes granted when you generated the token do not include the permissions needed for the API endpoint you are calling.
Solution: In Zoho API Console → your application, check the authorized scopes. For full Zoho Books access, use the scope 'ZohoBooks.fullaccess.all'. For specific access, use 'ZohoBooks.invoices.READ,ZohoBooks.invoices.CREATE,ZohoBooks.expenses.READ'. Regenerate authorization and exchange a new code for fresh tokens that include the required scopes.
Zoho API returns correct data for US accounts but fails for EU or India accounts
Cause: Zoho operates region-specific API endpoints. Using books.zoho.com (US) for an EU-hosted account (which requires books.zoho.eu) causes authentication failures.
Solution: Update the ZOHO_BASE_URL secret to match your account's data center: https://www.zohoapis.com (US/global), https://www.zohoapis.eu (Europe), https://www.zohoapis.in (India), https://www.zohoapis.com.au (Australia). Your Zoho account login URL indicates your data center — accounts.zoho.eu means EU, accounts.zoho.in means India.
Best practices
- Store all six Zoho credentials (Client ID, Client Secret, Access Token, Refresh Token, Organization ID, Base URL) in Cloud → Secrets — never hardcode any of them in Edge Function code.
- Implement automatic token refresh in your Edge Function: when a 401 response is received, use the refresh token to get a new access token and retry the original request once.
- Always include the organization_id query parameter on every Zoho Books API request — it is required for every endpoint and its absence returns a MANDATORY_NOT_FOUND error.
- Use the data-center-specific base URL that matches your Zoho account's region — mixing US and EU endpoints causes authentication failures even with valid tokens.
- Request only the OAuth2 scopes you actually need — 'ZohoBooks.fullaccess.all' is convenient but grants write access to all accounting data; use granular scopes like 'ZohoBooks.invoices.READ' for read-only dashboards.
- Test your Edge Function with Zoho's API documentation sandbox (developer.zoho.com/apiexplorer) before building the UI — it lets you verify request/response shapes without consuming your token quota.
- When creating invoices programmatically, always validate contact IDs by looking up the contact in Zoho Books first — creating an invoice with a non-existent contact_id returns a misleading 'INVALID_DATA' error.
Alternatives
Choose Zoho CRM if your primary need is sales pipeline and contact management rather than accounting — both share OAuth2 authentication patterns, making it easy to use both together.
Choose QuickBooks if your audience is US-based small businesses already using QuickBooks, as it dominates the US market and has a larger ecosystem of accountant integrations.
Choose Xero if your users are in the UK, Australia, or New Zealand, where Xero has stronger market presence and accountant adoption than Zoho Books.
Frequently asked questions
Does Zoho Books have a free plan that supports API access?
Zoho Books offers a free plan for businesses with annual revenue under a threshold (varies by country). API access is available on the free plan, but it is limited to a certain number of API calls per day. For development and low-traffic Lovable integrations, the free plan is sufficient. Paid plans (Standard from $15/month) remove API rate limits and add features like automated payment reminders and advanced reporting.
Can I use a single Zoho Books integration for multiple organizations?
Yes, but each organization requires its own organization ID and separate OAuth2 tokens. If you are building a multi-tenant app where each customer has their own Zoho Books organization, store each organization's credentials separately in Supabase and pass the appropriate organization ID to the Edge Function based on the authenticated user's account. The OAuth2 application registration (Client ID and Secret) can be shared across organizations.
What is the difference between Zoho Books and Zoho Invoice?
Zoho Invoice is a standalone invoicing tool focused purely on creating and sending invoices, while Zoho Books is a full accounting platform that includes invoicing plus expense tracking, bank reconciliation, chart of accounts, and financial reports. For Lovable integrations, Zoho Books is recommended because it has a more comprehensive API. Zoho Invoice uses the same API structure and OAuth2 authentication, so code written for Zoho Books is largely compatible.
How do I handle Zoho Books webhooks in Lovable for real-time updates?
Zoho Books supports webhooks for events like invoice payments, new contacts, and expense approvals. Create an Edge Function in Lovable to receive POST requests from Zoho, then register the Edge Function's URL in Zoho Books → Settings → Automation → Webhooks. Zoho includes a custom header with a secret token in webhook requests — validate this header value in your Edge Function using a ZOHO_WEBHOOK_SECRET stored in Cloud → Secrets before processing the event.
Why does the Zoho API return data for the wrong organization?
If your Zoho account has access to multiple organizations, the API returns data for the default organization if the organization_id parameter is omitted or incorrect. Always explicitly pass the ZOHO_ORGANIZATION_ID from secrets as a query parameter on every API request. Verify the organization ID in Zoho Books → Settings → Organization Profile, not from the URL or account settings, as those may show different numeric IDs.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation