Authorization Flows on RingCentral

Last updated: 2021-08-18 Contributors Byrne ReeseEmbbnux Ji
Edit this page

Getting Started with OAuth

RingCentral supports a number of different authentication modes to satisfy the needs of the many different types of applications built on top of our platform, from mobile to desktop, from public to private, from bots to webapps.

The authentication mode we recommend developers implement is OAuth, a 3-legged auth flow that grants applications access to a user's account without exchanging a username/password with a 3rd party. The guides below will walk you through the creation of a simple OAuth flow.

Javascript » PHP » Python » Ruby » Java » C# »

First time building an app?

Before you begin implementing a full 3-legged auth flow, we recommend you complete any one of our Quick Start guides which utilize our Password Flow. While password based auth is not recommended for most applications, we recognize that it is in many respects the easiest to implement. Start there, and when you have successfully made your first API call, come back to improve the security of your application by implementing our Authorization Code Flow.


Your application and its users must be authorized by RingCentral in order to eliminate any possibility of abuse. The RingCentral API uses the OAuth 2.0 protocol for authentication and authorization, which is widely supported by the majority of cloud API providers.

In general, the steps your app needs to take to use RingCentral APIs (including authorization) are as follows:

  1. Create an app, and obtain the app's credentials from your Developer Portal account.

  2. Obtain an access token using either the Authorization Code Flow or the Password Flow.

  3. Use the access token when calling a RingCentral API.

  4. Refresh your access token when necessary, as they can expire.

What auth flow is right for my app?

App Settings Impact What Auth Flows You Can Use

How an application is configured will determine what authorization flows can be used to obtain an access token. This restriction has been known to trip-up many a developer. Please be aware of the following restrictions:

  • 'Public' apps are not allowed to use the Password Flow
  • 'Private' apps with a platform type of 'Browser-Based' or 'Server/Web' are not allows to use the Password Flow
  • Apps with no user interface are not allowed to use Auth Code Flow

You can check which flows are available for your app on your app's Setting page.

There are several authorization flows one can use to obtain an access token to call the RingCentral API. Choosing the right one will help ensure the security of your customer's data and credentials.

  • Auth Code Flow (recommended) - a 3-legged authorization flow common for apps accessed via the web, mobile and desktop applications.

  • Auth Code with PKCE Flow (recommended) - enhancement for Auth Code Flow with Proof Key for Code Exchange, no client secret required, recommended for apps accessed via web single-page, mobile and desktop applications.

  • Implicit Flow - a 2-legged authorization flow common for mobile and desktop apps.

  • Password Flow - a 2-legged authorization flow suitable for server apps used by a single user account. This is by far the easiest authentication scheme to implement, but is considered insecure as it requires servers to store username and password credentials in plain text.

  • Refresh Token Flow — a flow used to refresh existing access token regardless of the authorization flow (Authorization Code or Password) that was used for obtaining this access token. If refresh token flow is not available for your app, you should be using Auth Code or Password flows for obtaining new access tokens.

Learn More

RingCentral supports OAuth 2.0 authentication flows as described in: