Applying OAuth on the RingCentral API (Part 2)

DZone 's Guide to

Applying OAuth on the RingCentral API (Part 2)

This tutorial explains how to apply OAuth on the RingCentral API.

· Integration Zone ·
Free Resource

In the last post, here, we saw the use of RingCentral OAuth 2.0 APIs and the implementation of OAuth 2.0 token in RingCentral APIs. We will continue from there and extend the discussion with implementing OAuth 2.0 access_token as well as refresh_token in APIs.

refresh_token is a long-lived token that clients get from the server and can be used to generate access_token when access_token expires.

In our last post, we saw that when we call the RingCentral OAuth 2.0 API, we get the response as in the below image:

This image has an empty alt attribute; its file name is 5-2.jpg

We can see in the above image that both the access_token and the refresh_token has been generated from the API call.

access_token and refresh_token are valid for 1 hour and 1 week respectively. You can cache the tokens and use them without calling the OAuth API frequently.

  • access_token lifetime is 3600s = 1 hour

  • refresh_token lifetime is 7 days(1 week)

We can use this refresh_token to generate a new access_token by passing parameters in the API request body, as follows:

username=<account phone number>&password=<account password>&extension=<your extension>&grant_type=refresh_token&refresh_token=<Your refresh token>

As you can see in the above request, grant_type=refresh_token&refresh_token=<Your refresh token> is used to generate a new access_token from the existing valid refresh_token.

Now, in some cases, we may not require a refresh_token. There are times when your application with RingCentral may not require the refresh_token as part of the OAuth 2.0 token request while obtaining an access_token.

So, in that case, we can easily tweak a minor change in our API request to disable it.

In the body, we need to pass the parameters in the following way:

username=<account phone number>&password=<account password>&extension=<your extension>&grant_type=password&refresh_token_ttl=0

The use of refresh_token_ttl=0 will help to disable refresh_token as the below image:

As we can see in the above image,the refresh_token is not created. We disabled it by setting the TTL (time to live) for the refresh_token_ttl to 0.

Revoking a valid access_token can also be done in case the admin decides not to use a particular access_token when an access_token may have been compromised or an admin needs to revoke access of an API with a particular access_token for some reason by calling the following API:


In the API body, we need to pass the access_token as follows:

token=< access_token >

If we now use this token in our RingCentral APIs, we will get an invalid token error message as below:

I hope I was clear in demonstrating the implementation of OAuth 2.0 access_token as well as refresh_token in APIs in various ways. I also demonstrated the process of revoking/withdrawing and existing valid access_token that was issued. Let me know if you have questions! 

integration, integration tutorial, oauth 2, ringcentral, ringcentral apis, tutorial

Published at DZone with permission of Anirban Sen Chowdhary , DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}