Authorization Flows on RingCentral Using OAuth 2.0

Your application and its users must be authorized by RingCentral in order to eliminate any possibility of abuse. The RingCentral API uses the OAuth 2.0 protocol for authentication and authorization, which most cloud API providers support.

In general, the steps your app needs to take to use RingCentral APIs (including authorization) are as follows:

  1. Create an app, and obtain the app's credentials from your Developer Portal account.

  2. Obtain an access token using either the Authorization Code Flow or the Password Flow.

  3. Use the access token when calling a RingCentral API.

  4. Refresh your access token when necessary, as access tokens can expire.

Supported Authorization Flows

There are several authorization flows one can use to obtain an access token to call the RingCentral API. They are:

  • Authorization Code Flow (recommended) - a 3-legged authorization flow common for apps accessed via the web, mobile and desktop applications.

  • Password Flow (a.k.a. Resource Owner Password Credentials (ROPC) Flow) - a 2-legged authorization flow that is more suitable for server apps used by a single user account. This is by far the easiest authentication scheme to implement, but it is considered insecure because it requires servers to store username and password credentials in plain text.

  • Refresh Token Flow - a flow used to refresh an existing access token, regardless of the authorization flow (Authorization Code or Password) that was used to obtain it. If the refresh token flow is not available for your app, use the Authorization Code or Password flow to obtain new access tokens.
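The sketch below is an added example, not RingCentral code. It shows step 4 together with the Refresh Token Flow fallback: refresh shortly before expiry, and return to the original flow when no usable refresh token exists. `TokenManager`, `TOKEN_URL` and the injected `post` and `reauthorize` callables are hypothetical names, the endpoint is a placeholder, and the form fields are the standard OAuth 2.0 refresh parameters from RFC 6749.

```python
import time
# Assumed placeholder: take the real token endpoint from the RingCentral API reference.
TOKEN_URL = "https://platform.example.invalid/oauth/token"

class TokenManager:
    """Hypothetical helper: hands out a valid access token, refreshing or re-authorizing."""
    def __init__(self, post, reauthorize, now=time.time, skew=60):
        self._post = post                # post(url, form) -> (status, json); adds client auth
        self._reauthorize = reauthorize  # runs Authorization Code or Password flow -> token dict
        self._now, self._skew = now, skew  # skew: refresh this many seconds before expiry
        self._access, self._refresh, self._expires_at = None, None, 0.0

    def _store(self, tok, old_refresh=None):
        self._access = tok["access_token"]
        # RFC 6749 section 6: a refresh response may omit refresh_token; keep the old one then.
        self._refresh = tok.get("refresh_token", old_refresh)
        self._expires_at = self._now() + float(tok["expires_in"])

    def access_token(self):
        if self._access and self._now() < self._expires_at - self._skew:
            return self._access                   # still valid, no network call
        if self._refresh:
            form = {"grant_type": "refresh_token", "refresh_token": self._refresh}
            status, body = self._post(TOKEN_URL, form)
            if status == 200:
                self._store(body, old_refresh=self._refresh)
                return self._access
            self._refresh = None                  # rejected: never retry a dead refresh token
        self._store(self._reauthorize())          # refresh unavailable: use the original flow
        return self._access

def demo():  # constructed scenario: fake clock and fake token endpoint, no network
    clock, log = [1000.0], []
    grants = iter([{"access_token": "a1", "refresh_token": "r1", "expires_in": 3600},
                   {"access_token": "a3", "expires_in": 3600}])  # no refresh token issued
    def fake_post(url, form):                     # only r1 is accepted
        log.append("refresh:" + form["refresh_token"])
        if form["refresh_token"] == "r1":
            return 200, {"access_token": "a2", "refresh_token": "r2", "expires_in": 3600}
        return 400, {"error": "invalid_grant"}
    def fake_reauth():
        log.append("reauthorize")
        return next(grants)
    tm = TokenManager(fake_post, fake_reauth, now=lambda: clock[0])
    seen = [tm.access_token(), tm.access_token()]  # initial grant, then cached
    for dt in (3570, 3600):                        # skew window, then r2 gets rejected
        clock[0] += dt
        seen.append(tm.access_token())
    return seen, log
```

Clearing a rejected refresh token before re-authorizing keeps the client from resubmitting a revoked credential on every call.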

App Settings Impact What Auth Flows You Can Use

How an application is configured determines which authorization flows can be used to obtain an access token. This restriction has been known to trip up many a developer. Please be aware of the following restrictions:

  • 'Public' apps are not allowed to use the Password Flow
  • 'Private' apps with a platform type of 'Browser-Based' or 'Server/Web' are not allowed to use the Password Flow
  • Apps with no user interface are not allowed to use Auth Code Flow

You can check which flows are available for your app on your app's Settings page.

Learn More

RingCentral supports OAuth 2.0 authentication flows as described in: