Does RingCentral recommend anything as far as safely storing your OAuth Access Token? Is it okay to save it in plain text in my database and allow users to see it? Should it be hidden from users? Should it be encrypted?
Remember that the Access Token expires in 60 minutes. If you store it somewhere (whether hidden or not) it will become invalid unless a renewal request is submitted in less than 60 minutes from the moment it was issued.
Personally, I save the App Key and App Secret in my programs and use a Base64 encoding function I wrote to generate the "Authorization" field in the REST statement (Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxx) when requesting an Access Token.
This way, the Access Token is not stored anywhere.
I would convert the id/app secret to binary and execute a logic operation like AND / NAND / OR / XOR with a particular value (such as the filename truncated or elongated so that its binary value would contain the same number of bits as the id/app secret) and save that value in your program.
This would allow you to save the id/ app secret in a form that would not be useful to anyone unless they know exactly what logic operation you are executing and what values you are using to perform the logic operation.
Whenever you need to use the id/app secret, simply read the value from your program and reverse the process.