Anirban Sen Chowdhary
Is authorization always needed for sms messages in ringcentral-api
We are all familiar with RingCentral, which provides a powerful platform for developers to build applications for different cloud-based communications such as calls, fax, SMS, etc.
When using a RingCentral API such as send SMS message, we always call the API with some kind of “Authorization” attached to it: either OAuth 2.0 with the “Password flow” (grant_type=password), formally known as the “Resource Owner Password Credentials” grant, or the “Authorization flow” (grant_type=authorization_code).
Now the question is: why do we need Authorization in our SMS API?
So, if an API is sending an SMS message to a phone number, does it really need “Authorization”?
The SMS API seems to make sending a simple SMS message complicated when “Authorization”, “Access Token”, “token expired … needs to be refreshed”, etc. are involved in every call to a simple API. Is this really required?
The short answer is “YES”. Sending SMS via the API requires authorization to prevent all kinds of abuse. Otherwise, anyone could send SMS over HTTP and misuse this facility. It acts as a protection for the API that sends messages to phone numbers. RingCentral takes care of its APIs because it deals with real phone numbers, and OAuth 2.0 protection with access and refresh tokens is good security practice. Also, sensitive data and messages require a real-time security feature, which OAuth 2.0 provides.
Now, the question is which solution we should use: the “Password flow” or the “Authorization flow”?
To make authorization easier for a back-end service, a private app uses the password grant. Since the application is private and restricted to the RingCentral organization, the password grant can be used.
But passwords are vulnerable. A password can easily be stolen, misused or used without the user’s consent. Phishing attacks and brute-force attacks are especially effective at stealing passwords from online services.
So for a public app, the grant should always be 3-legged auth, known as Authorization code. Since the application is publicly available to all other users, users from other organizations can log in through the application with their own credentials.
An Authorization code solution is much stronger than a password grant because the customer must log in to the system with their own credentials, which are exchanged for an access token that can be used to track and control the usage of the APIs.
The Authorization code grant is the most widely used grant for publicly available client applications. It provides consistency, more trust and additional capabilities, making it ideal for web applications. RingCentral provides SDKs for different programming languages such as Java, PHP, JavaScript, etc., which have methods to handle the Authorization code grant flow.
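An added example (not from the original slides and not RingCentral SDK code) of what the client handles in each grant and how it decides when a token must be refreshed. The sandbox host, OAuth paths and request field names are assumptions, and all sample values are constructed.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed RingCentral sandbox host and OAuth paths (not given on this page).
SERVER = "https://platform.devtest.ringcentral.com"
AUTHORIZE_PATH = "/restapi/oauth/authorize"
TOKEN_PATH = "/restapi/oauth/token"

def password_grant_body(username, extension, password):
    """Private back-end app: the app itself stores and sends the password."""
    return {"grant_type": "password", "username": username,
            "extension": extension, "password": password}

def authorization_url(client_id, redirect_uri):
    """Public app, step 1: send the user to the provider's own login page."""
    state = secrets.token_urlsafe(16)  # binds the callback to this login attempt
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{SERVER}{AUTHORIZE_PATH}?{query}", state

def code_grant_body(callback_url, expected_state, redirect_uri):
    """Public app, step 2: build the token request from the callback.
    The app only ever sees a short-lived code, never the user's password."""
    params = parse_qs(urlparse(callback_url).query)
    got_state = params.get("state", [""])[0]
    if not secrets.compare_digest(got_state, expected_state):
        raise ValueError("state mismatch: callback does not match this login")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return {"grant_type": "authorization_code", "code": params["code"][0],
            "redirect_uri": redirect_uri}

def next_action(token, now=None, skew=30):
    """Before each SMS call: use the token, refresh it, or log in again."""
    now = time.time() if now is None else now
    if now < token["access_expires_at"] - skew:
        return "use_access_token"
    if now < token["refresh_expires_at"] - skew:
        return "refresh"  # POST grant_type=refresh_token to TOKEN_PATH
    return "reauthorize"
```

Either body is sent as a form POST to SERVER + TOKEN_PATH with the application's client credentials; only the password grant puts a user password in the application's hands.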
In the end, we can conclude that yes, for a RingCentral API it is absolutely necessary to use Authentication for sending SMS messages, as it prevents misuse and provides security to the API. A RingCentral private application can use the password grant, while a RingCentral public application accessible to the public world is implemented with Authorization code. Also, as a RingCentral developer, we can see that a Sandbox environment application can use the password grant, but Production environment applications always use Authorization code.