Skip to main content

Hello,

I'm new to RingCentral and a little confused about the best practices around managing the Client ID and Client Secret.

I'm building an integration for an e-commerce platform to allow transactional order messages to be sent to customers via SMS. In the past, with other API integrations, I've created an interface in the platform's Admin panel where the merchant (owner of the store/website) can configure their access credentials that are used for retrieving the API token.

If I understand RC correctly, however, I must first create an App and then somehow provide the merchant with its Client ID and Client Secret. Those values, in turn, would be used to collect the merchant's access credentials (in the Admin panel) via OAuth or a JWT.

Is it safe to store the Client ID and Client Secret in my integration, or is there a better way to provide them to the merchant?

My intention is to make this integration available publicly to merchants and have it be as simple as possible to set up.

I am not clear about the integration and the service to give you best advice.

Do you expect one setup per RingCentral account, and all users under that account can use your integration as your integration will send SMS from a chosen phone number? Or, do you expect that each user (in a RingCentral account) will do the setup for himself/herself and your app will send SMS from his/her own phone number?


You can create a public app to allow users to login the app using 3-legged authorization or JWT. There are pros and cons with each auth methods. And each method requires different implementation on your side. For both methods, you should keep the app client id and client secret on your server side!

- 3-Legged authorization: you will provide a login page and after a user (the one who own the phone number for sending SMS messages) logs in, you will keep the tokens and handle auto refresh to keep the access token always valid (1 hour) until if the user logs out.

- JWT: you will provide a login page with some instruction and the app client id. A user (the one who own the phone number for sending SMS messages) will copy the app client id and follow the instructions to login their own RingCentral developer portal to generate a JWT for your app. Then on your login page, let them submit the JWT token to your server. Then you will store the JWT token on your database (together with any other user data) and use the JWT token to get the access token when you need to send SMS messages for that customer. You don't need to implement the auto refresh feature, but you should not use the JWT token to get an access token every time you send a text message (otherwise, you will hit the auth rate limit 5 calls/minute). Instead, keep the tokens object and check the access token expiration time, if the access token is still valid (for 1 hour), use it, if it expires, check if the refresh token is still valid (for 7 days). If the refresh token is still valid, use it to refresh and get a new access token (also new refresh token). If the refresh token also expires, use the JWT token to get a new token.


Thanks. Both scenarios align with my thought process.

My real question was about how to safely store the Client ID and Client Secret. I've reviewed a few other integrations written to connect this particular platform with third-party services via OAuth and I see that they are hard-coding those values in their codebase, so I will follow the same pattern.


Reply