Identity and SSO

Login with Ringnity

Login with Ringnity lets WordPress, CMS, CRM, partner portals, and mobile apps sign in users with a Ringnity account. It is planned as OAuth2 plus OpenID Connect, separate from SDK runtime tokens used for chat, audio call, video call, AI, and reports.

Current status: API contract, OAuth app registry, dashboard OAuth client UI, backend routes, authorization code storage, PKCE, token exchange, userinfo, JWKS, revoke, refresh token rotation, audit table foundation, live database migration, and persistent OIDC signing key configuration are implemented. Remaining rollout gates are WordPress/CMS plugin smoke testing, consent screen polish, broader API-backed scopes, and final security review.

What this is for

  • Let external apps authenticate a Ringnity user.
  • Map Ringnity tenant and role claims into the external app.
  • Support WordPress and CMS login plugins that understand OAuth2/OIDC.
  • Support CRM and mobile apps with Authorization Code Flow.

What this is not

  • It is not the token used by Android, iOS, Flutter, React Native, or Web SDK runtime.
  • It is not a replacement for the Server API key stored on the customer backend.
  • It is not required for a public website widget install.
  • It should not expose any Ringnity secret key to frontend code.

Token names that developers must not mix

| Name | Used for | Stored in | Meaning |
| --- | --- | --- | --- |
| OAuth access token | Login with Ringnity | External app backend or trusted plugin | Proves who the logged-in Ringnity user is. |
| OIDC ID token | Login with Ringnity | External app backend or trusted plugin | Contains identity claims such as subject, tenant, email, and nonce. |
| Ringnity runtime token | SDK chat, audio, video, AI, reports | Website or mobile app | Short-lived token used by SDK runtime only. |
| Server API key | Customer backend integration | Customer backend only | Secret key used to create runtime tokens and call server APIs. |

WordPress / CMS setup fields

Create an OAuth client in Dashboard / Developer / SDK / Login, copy the client id and one-time client secret, then paste these values into the CMS OIDC plugin.

Issuer

https://api.ringnity.com

Discovery

https://api.ringnity.com/.well-known/openid-configuration

Authorize URL

https://api.ringnity.com/oauth/authorize

Token URL

https://api.ringnity.com/oauth/token

UserInfo URL

https://api.ringnity.com/oauth/userinfo

JWKS URL

https://api.ringnity.com/oauth/jwks.json

Scopes

openid profile email tenant.read roles.read

Authorization Code Flow

1. External app redirects user to Ringnity authorize URL.
2. Ringnity validates login, tenant, role, redirect URI, state, nonce, and scope.
3. Ringnity redirects back with an authorization code.
4. External app backend exchanges the code at /oauth/token.
5. External app verifies ID token and calls /oauth/userinfo when needed.
6. External app creates its own local session.

Native mobile apps should use Authorization Code Flow with PKCE. CMS and server-rendered apps can use confidential clients with a client secret.

Available scopes

These are the only scopes selectable for OAuth clients today. OIDC discovery also advertises only these available scopes.

openid

Required for OpenID Connect login.

profile

Basic user profile for display name and account identity.

email

Email address for local account matching.

tenant.read

Tenant id, slug, and company identity.

roles.read

User role names for app-side access decisions.

Planned scope groups

The dashboard can show these as disabled roadmap scopes. Ringnity will enable each group only after its API endpoint, permission policy, audit behavior, and docs are ready.

User profile

user.profile.*, user.avatar.* for profile and photo access.

Tenant / business

tenant.profile.*, tenant.branding.*, tenant.settings.*, tenant.domains.* for business profile, logo, colors, settings, and domains.

Staff and agents

staff.*, agents.*, agents.presence.* for staff management and agent availability.

SDK runtime

runtime.tokens.write and runtime.sessions.* for backend-issued SDK runtime sessions.

Contacts and conversations

contacts.* and conversations.* for customer records, message history, assignment, and close actions.

Calls and recordings

calls.* for call logs, outbound actions, and recording access policy.

AI and reports

ai.*, ai.knowledge.*, ai.usage.read, reports.read, and reports.export.

Webhooks and developer

webhooks.*, developer.*, sdk.keys.*, oauth.clients.* for integration administration.

Media and billing

media.* and billing.* for file assets, logos, attachments, and billing metadata.

CMS and app platforms that can use this

WordPress, Drupal, Joomla, Strapi, Directus, Ghost, Wagtail, Typo3, Craft CMS, Statamic, October CMS, Umbraco, Payload CMS, KeystoneJS, Sanity, Contentful

Security guide

See the separation between public install keys, runtime tokens, Server API keys, and OAuth/OIDC tokens.


Server API

Use this for backend runtime token exchange, contacts, reports, and webhooks.


Start wizard

Choose platform, integration mode, and services to get the right SDK path.

