Are OAuth access and refresh tokens issued per user or account?

  • Question
  • Updated 2 years ago
  • Answered
I'm integrating a CRM system with RingCentral and I cannot find a clear answer whether the access and refresh tokens are issued per user or they are valid for the whole account (main number and all extensions). I would like to know whether I should authenticate all agents separately and maintain independent tokens for all of them or I just need one set on account level.

All agents have to be able to ring out and we should be able to access extension-related information and call logs in order to update call dispositions in our database. We use webhooks in the background where we pick up the correct (user) access token to execute some follow-up API calls. I only have one extension in my sandbox so I cannot perform an appropriate test for this case.

v77


Posted 2 years ago


Benjamin Dean

access_tokens are issued as a combination of (user + application).

If you are integrating with a web application (a CRM is typically a SaaS web application), then you should implement 3-Legged OAuth (which will prevent your application from adding the security risk of storing RingCentral Usernames/Passwords).

You can find multiple demos for implementing 3-Legged OAuth here: https://github.com/grokify/ringcentral-demos-oauth
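
The per-user bookkeeping that follows from tokens being issued per (user + application), as an added example that is not part of the original answer or of RingCentral's code: each agent authorizes once through 3-Legged OAuth, and a webhook handler looks up the token set of the user the event refers to. The class names, the user-ID key and the `refresh_fn` hook are assumptions made for illustration; the response fields `access_token`, `refresh_token` and `expires_in` are the standard OAuth 2.0 ones.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds at which the access token expires


class PerUserTokenStore:
    """Keeps one token set per authorized user of this application."""

    def __init__(self, refresh_fn: Callable[[str], dict],
                 clock: Callable[[], float] = time.time, skew: float = 60):
        # refresh_fn is a hypothetical hook: it takes a refresh token and
        # returns the token endpoint's JSON response as a dict.
        self._refresh_fn = refresh_fn
        self._clock = clock
        self._skew = skew  # refresh this many seconds before expiry
        self._tokens: Dict[str, TokenSet] = {}  # in-memory only; encrypt at rest in production

    def save(self, user_id: str, resp: dict, previous: Optional[str] = None) -> None:
        # A refresh response may omit refresh_token (RFC 6749, section 6);
        # in that case keep the one already held.
        refresh = resp.get("refresh_token", previous)
        if refresh is None:
            raise ValueError("token response carries no refresh token")
        self._tokens[user_id] = TokenSet(
            resp["access_token"], refresh, self._clock() + resp["expires_in"])

    def access_token_for(self, user_id: str) -> str:
        """Return a valid access token for the user a webhook event refers to."""
        ts = self._tokens.get(user_id)
        if ts is None:
            # Never fall back to another user's token.
            raise LookupError(f"user {user_id} has not authorized this application")
        if self._clock() >= ts.expires_at - self._skew:
            self.save(user_id, self._refresh_fn(ts.refresh_token), ts.refresh_token)
            ts = self._tokens[user_id]
        return ts.access_token
```

Call `save()` from the OAuth redirect handler after the code exchange, and `access_token_for()` from the webhook handler before each follow-up API call.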