How to keep XML RPC API Auth Token private in a public form?

The Problem:

You have a public form that we wish to add records into a creator application including is’t subform).

You are able to successfully submit our form data into Creator using the XML RPC API, with the data structure as per the support doc examples –

Now the question is how do you keep the Auth Token private? Anyone who inspects the source code of the form will be able to view the auth token and username.


The Answer:

You can create a server file (php or nodejs or any other server page of your choice), to act as a middleware and handle the data post to Zoho Creator. This allows you to store private information on your server so it’s not visible to client. Here’s what I would do in a php file.

file_name: add_record.php


define(“authtoken”, “yourAuthToken”);
define(“zc_ownername”, “yourZohoUserName”);
$xml_string = $_REQUEST[“XMLString”];

//Add to Zoho

function insert_record($xml_string){
$api_url = “”;
$post_params = array();
$post_params[‘authtoken’] = constant(“authtoken”);
$post_params[‘scope’] = ‘creatorapi’;
$post_params [‘XMLString’] = $xml_string;
$post_params[‘zc_ownername’] = constant(“zc_ownername”);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $api_url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_params);
$result = curl_exec($ch);

You can post your form to add_record.php instead of url