CRM Authentication Explained
OAuth 2.0 is an authentication protocol that allows applications to access your accounts on other services without sharing your password. Instead of giving SuiteCRM your Gmail password to send emails, OAuth lets SuiteCRM request a temporary access token from Google — and Google grants it only after you explicitly approve.
Think of OAuth like a hotel key card. Instead of giving a guest a copy of the master key (your password), the hotel issues a temporary card (token) that opens only specific doors (permissions) and expires after checkout (token expiry).
Google and Microsoft are actively deprecating basic authentication (username + password) for third-party applications. This means connecting SuiteCRM to Gmail, Google Calendar, Outlook, or Microsoft 365 increasingly requires OAuth 2.0 instead of passwords.
OAuth is more secure for several reasons: your password is never stored in SuiteCRM’s database, only tokens are; tokens have limited scope (for example, reading email rather than full account access); tokens expire and must be refreshed, which limits the damage if one is compromised; and access can be revoked at any time from Google/Microsoft without changing your password.
Step 1: Register your application. Create OAuth credentials in Google Cloud Console or Azure Portal — you get a Client ID and Client Secret.
Step 2: Configure SuiteCRM. Enter the Client ID and Secret in SuiteCRM’s Admin → External OAuth Connections panel.
Step 3: User authorization. Each user clicks “Authorize” in SuiteCRM, which redirects to Google/Microsoft. The user logs in and approves the connection. Google/Microsoft sends back an access token to SuiteCRM.
Step 4: Ongoing access. SuiteCRM uses the token for email sending, calendar sync, and contact sync. Tokens expire periodically and SuiteCRM refreshes them automatically using a refresh token.
SuiteCRM uses OAuth 2.0 for Gmail and Google Workspace email (SMTP/IMAP), Google Calendar synchronization, Microsoft 365 / Outlook email, and its own REST API authentication (external applications connecting to SuiteCRM also use OAuth 2.0).
“Invalid grant” error. The token has expired or been revoked. Re-authorize the connection from the user’s SuiteCRM profile.
“Redirect URI mismatch.” The redirect URI in your Google/Azure app registration doesn’t match what SuiteCRM sends. These must be identical.
“Access denied.” Your Google Workspace admin hasn’t approved the OAuth application. Workspace admins must allow the app in the admin console.
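To make Steps 1 to 4 and the “Invalid grant” and “Redirect URI mismatch” errors concrete, here is an added example (written for this page, not SuiteCRM’s own code or Google/Microsoft’s): a toy in-process authorization server stands in for Google/Microsoft, and a minimal client stands in for SuiteCRM, so the whole exchange runs offline. The client id, secret, redirect URI, scope and clock values are constructed placeholders, and the `state` parameter is standard OAuth callback protection that the page itself does not describe.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

class ToyAuthServer:  # stand-in for Google/Microsoft with one registered app (Step 1)
    def __init__(self, client_id, client_secret, redirect_uri, ttl=3600):
        self.client, self.ttl = (client_id, client_secret, redirect_uri), ttl
        self.codes, self.refresh_tokens = {}, {}
    def authorize(self, client_id, redirect_uri, scope, state):
        # Step 3: the user approved; the server redirects only to the registered URI
        if (client_id, redirect_uri) != (self.client[0], self.client[2]):
            raise ValueError("redirect_uri_mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = scope
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
    def token(self, grant_type, client_id, client_secret, code=None, refresh_token=None):
        if (client_id, client_secret) != self.client[:2]:
            raise ValueError("invalid_client")  # wrong Client ID/Secret from Step 2
        scope = (self.codes.pop(code, None) if grant_type == "authorization_code"
                 else self.refresh_tokens.get(refresh_token))  # codes are single-use
        if scope is None:
            raise ValueError("invalid_grant")  # code already used, or refresh token revoked
        rt = refresh_token or secrets.token_urlsafe(16)
        self.refresh_tokens[rt] = scope
        return {"access_token": secrets.token_urlsafe(16), "expires_in": self.ttl,
                "refresh_token": rt, "scope": scope}
    def revoke(self, refresh_token):  # what the user does from their Google/Microsoft account
        self.refresh_tokens.pop(refresh_token, None)

class CrmClient:  # stand-in for SuiteCRM (Step 2): holds tokens, never the password
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.creds, self.redirect_uri = server, (client_id, client_secret), redirect_uri
        self.state, self.tokens, self.expires_at = None, None, 0
    def start_authorization(self, scope):
        self.state = secrets.token_urlsafe(16)  # binds the callback to this request
        return self.server.authorize(self.creds[0], self.redirect_uri, scope, self.state)
    def handle_callback(self, url, now):
        q = parse_qs(urlparse(url).query)
        if q.get("state", [None])[0] != self.state:
            raise ValueError("state_mismatch")
        self._store(self.server.token("authorization_code", *self.creds, code=q["code"][0]), now)
    def _store(self, t, now):
        self.tokens, self.expires_at = t, now + t["expires_in"]
    def access_token(self, now):  # Step 4: refresh transparently once the token has expired
        if now >= self.expires_at:
            self._store(self.server.token("refresh_token", *self.creds,
                                          refresh_token=self.tokens["refresh_token"]), now)
        return self.tokens["access_token"]
```

Replaying a consumed code, calling back with a different redirect URI, or refreshing after the user revoked access each fails with the same error names the troubleshooting list above uses.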
OAuth setup involves multiple systems (SuiteCRM, Google/Azure console, DNS). TechEsperto handles OAuth configuration as part of every SuiteCRM integration project. Contact us for setup help.