Authorization code flow for Multiple extension(users)

  • 17 February 2024
  • 7 replies

Hello, I am upgrading Ring-central api password flow to Authorization code flow, I have multiple extension where I were used password flow to get the call records , sending sms etc. but now I have to upgrade with Outh flow. So My question is how do I use Rincentral api use for multiple extension in on loop code? I know there is access tokent that needs to be refresh every hour to keep live but how do I manager for multiple extension in looping?


7 replies

I think you should choose the JWT flow instead of the code flow because that is kind of an equivalent method to the password flow. You will need to give the users your app client id and ask them to login the RingCentral developer portal to generate their own JWT token against the app. Then give you the JWT token instead of the username/password.

But if you really want to use the code flow, you have to implement the UI for your users to login and you will get the code from the redirectUrl you provided in the app settings, then use the code to exchange for the tokens. The tokens you receive will contain the access token (valid for 1 hr) and the refresh token (valid for 7 days each time it's issued). Then you can maintain the refresh token and use it to get a new access token if it's expired. Every time you get a new access token using the refresh token, you will receive a new refresh token and it will again be valid for another 7 days.

Hi Phong Vu,

Thank you for you reply

If I correct JWT flow is generated for only one app not for different extension. It's not per extension.

If we can then Can you please some info about how I can genrate JWT per user

Second thins ,Can I use password flow after 31 march?, because We have not front-end usera, we just have managers to see the call records and send the sms through Ring central.


A JWT token can be bound to a single app (provided the app client id) or can be bound to any app under the same account. The JWT token generator shows you the options to choose.

A JWT token generated by a user will represent that user (extension). If it is bound to an app defined by the app client id, it can be used to authenticate the user only for that app. If it is bound the all apps under the account, it can be used to authenticate the user for all apps under the account.

I don't know well about your app. But if it was intended to use the password flow, then now it is best to migrate to JWT flow. Simple as each user to generate their JWT token and pass the JWT token to the app (or to you) instead of the username/password.

Hi Phong Vu,

Thank you so much for your help. Is it possible to have both authentication method for an app until I updated password flow to JWT Auth? Because I need to check the working on production mode and there is an radio option to change the method. If both methods enable for an app, I can check working without any issue.


Yes, that is possible. Give me the app client id.

Hi Phong Vu,

When I was using user name and password for auth process, I was seen the call log record properly but now using JWT token call log record not see properly, is something changed with JWT token for call log records?

I am using the below script to get the call records

$queryParams = array(
'view' => 'Detailed',
'dateFrom' => $final_date,
'page' => 1,
'perPage' => 1000,


$platform = $rcsdk->platform();
$platform->login( [ "jwt" => $jwt ] );
$r = $platform->get("/restapi/v1.0/account/~/extension/~/call-log", $queryParams);
$ring_array = json_decode($r->text(), true);

Second thing: VM/Abandoned call results not getting in web hook subscription, is it any special event filter for that?

I can see the log of VM/Missed but not the VM/Abandoned call. What is the difference between of both of?


There must be no difference API result between using either password flow or JWT flow auth. You must make sure that it is the same user extension who logged in the app before and who generated the JWT token now.

Telephony session event notification gives you the raw data. "Abandoned" is an interpretation and it's not a raw call result from the notification event.

For the call log result, I don't think that it gives the "Abandoned" call result either (even the API documentation lists the "Abandoned" term as one of the possible results). Instead, the result can be either Missed or Voicemail, where missed calls can be interpreted directly as abandoned calls, but voicemails are not.

In live report and analytics report, abandoned calls may also be interpreted differently. When a call is routed to a voicemail, the caller may hangup w/o leaving a voice message, that can be interpreted as an abandoned call.