Solved

Setting Up API to Send SMS From Particular User's Phone Number

  • December 18, 2025
  • 2 replies
  • 201 views

As a developer with a “Super Admin” role, and logged in to the developer portal as myself, I created an RC app with JWT authentication.  Our database uses the API to send automated SMS/MMS messages, for which I use the app’s ClientID, ClientSecret, and JWT auth.

If I send an SMS “from” a phone number connected to my extension, it gets sent with no problem.  But I’m not the user, just a developer.  If I send with extensionID of “~”, I get the error "Phone number doesn't belong to extension".  And if I set extensionID to the specific user’s actual extensionID, I get the error message explained by @PhongVu’s answer in this older post:

But what I don’t understand is HOW to authenticate with the correct extension’s username and password.  Do I have to explain to the agent how to log into the developer portal and create their own app in order to provide me with their own ClientID and ClientSecret?  Or are they expected to provide me with their personal username and password and I use the Base64 capture of that for the ‘Basic’ authorization header (which would break every time they change their password)?  Or… ?

I thought the whole idea of creating an app as Super Admin was that the combination of clientID, secret, and JWT cert was enough to authenticate across all of the company’s SMS phone numbers… no?

Best answer by PhongVu

First of all, sending SMS messages on behalf of other extensions is forbidden. This means that using the access token of one extension to send an SMS message from another extension’s phone number is not allowed. Please refer to this dev guide for details.

In the RingCentral platform, a JWT token represents the extension who owns (normally who creates) the token. For SMS messaging, a super admin user can only access other user extensions’ message store to read the messages and message metadata. A super admin cannot send SMS messages on behalf of other user extensions.

For your app, you should implement the code flow authentication, which is flexible and scalable for multiple users. Each user will need to log in (authenticate) to the app at least once; then your app will keep and maintain the user access tokens to keep them valid as long as the user wants to use your app to send SMS messages from their phone number.

With the code flow authentication, after the user has successfully logged in to your app, your app will receive the token object, which contains the access token, which is valid for 1 hour, and the refresh token, which is valid for 7 days. When the access token expires, you can use the refresh token to get a new token object, which contains the new valid access token and a new refresh token with the new expiration time. Example of a token object:

{
  "access_token": "U1BCMDFUMDRKV1MwMXxzLFSvXdw5PHMsVLEn_MrtcyxUsw",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "U1BCMDFUMDRKV1MwMXxzLFL4ec6A0XMsUv9wLriecyxS_w",
  "refresh_token_expires_in": 604799,
  "scope": "AccountInfo CallLog ExtensionInfo Messages SMS",
  "owner_id": "256440016"
}

The owner_id is the extension ID of the user extension. You can use that ID to read the extension’s phone number and send messages from that phone number using the access token of that extension.

You will need to securely save the user tokens in your app database. Every time the app sends a message, you can retrieve the token, validate the access token and, if it has expired, use the refresh token to get a new token object, replace the new token object with the old one in the database, and use the new access token to call the API to send a message.

If your users send SMS messages once a week or more often, your app does not need to deliberately refresh the tokens. Otherwise, create a cronjob or a timer which will automatically refresh the user token periodically (e.g. every 6-day period) to prevent the refresh token from expiring.
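
The token lifecycle described in the answer above, as an added example that is not part of the original answer or RingCentral's own code. Assumptions: `refresh_fn` is a hypothetical callable that exchanges a refresh token for a new token object of the same shape, the in-memory dict stands in for an encrypted database table, and the 60-second safety margin is an arbitrary choice.

```python
import time

ACCESS_SKEW = 60             # assumed margin: refresh 60 s before the access token expires
KEEPALIVE_AFTER = 6 * 86400  # the answer's "every 6-day period" for idle users

class ReauthRequired(Exception):
    """Refresh token has expired: the user must log in through the code flow again."""

class TokenStore:
    def __init__(self, refresh_fn, now=time.time):
        self._rows = {}                # owner_id -> (token object, issued_at); stand-in for an encrypted table
        self._refresh_fn = refresh_fn  # hypothetical: refresh_token -> new token object
        self._now = now

    def save(self, token):
        # Key by owner_id (the extension ID) so a token is only ever used for its own extension.
        self._rows[token["owner_id"]] = (token, self._now())

    def _refresh(self, owner_id):
        token, issued = self._rows[owner_id]
        if self._now() - issued >= token["refresh_token_expires_in"]:
            del self._rows[owner_id]   # nothing usable left; drop the dead secret
            raise ReauthRequired(owner_id)
        new = self._refresh_fn(token["refresh_token"])
        if new["owner_id"] != owner_id:
            raise ValueError("token endpoint returned a token for a different extension")
        self.save(new)                 # the new refresh token supersedes the stored one
        return new

    def access_token(self, owner_id):
        """Call before every send: returns a valid access token, refreshing if needed."""
        token, issued = self._rows[owner_id]
        if self._now() - issued < token["expires_in"] - ACCESS_SKEW:
            return token["access_token"]
        return self._refresh(owner_id)["access_token"]

    def keepalive(self):
        """Cron/timer entry point: refresh tokens idle for 6+ days; return owners who must log in again."""
        lapsed = []
        for owner_id, (_, issued) in list(self._rows.items()):
            if self._now() - issued >= KEEPALIVE_AFTER:
                try:
                    self._refresh(owner_id)
                except ReauthRequired:
                    lapsed.append(owner_id)
        return lapsed
```

Owners returned by `keepalive()` have no usable refresh token left and need to go through the login step again before the app can send from their number.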

2 replies

PhongVu
Community Manager
  • Answer
  • December 18, 2025


  • Author
  • New Participant
  • December 18, 2025

Thanks ​@PhongVu for your detailed explanation.  That makes total sense.  However, I had to use JWT because there is no user interface.  I ended up just asking the end user for her log-in (and she just gave it to me, which is terrible security practice) and I was able to log in to her account and add an app and JWT credentials for her.  I’ve got it working now, but I probably spent about 8 hours just to get it to send an SMS.

Anyhow, thanks again for your help. Perhaps your answer will help someone else!