Are oAuth access and refresh tokens issued per user or account?
I'm integrating a CRM system with Ring Central and I cannot find a clear answer whether the access and refresh tokens are issued per user or they are valid for the whole account (main number and all extensions). I would like to know whether I should authenticate all agents separately and maintain independent tokens for all of them or I just need one set on account level. All agents have to be able to ring out and we should be able to access extensions related information and call logs in order to update call dispositions in our database. We use web-hooks in the background where we pick up the correct (user) access token to execute some follow-up API calls. I only have one extension in my sandbox so I cannot perform an appropriate test for this case.
access_tokens are issued as a combination of (user + application).
If you are integrating with a web application (which CRM is typically a SaaS web application), then you should implement 3-Legged OAuth (which will prevent your application from adding the security risk of storing RingCentral Usernames/Passwords).