Meetings - Integrations and Authorization

Meetings

Integrations and Authorization

Add features from third-party services to Webex or perform actions on behalf of another user with Integrations.

anchorWhat are Integrations?

Integrations are how you request permission to invoke the Webex REST API on behalf of another Webex user. To do this in a secure way the API supports the OAuth 2 standard which allows third-party integrations to get a temporary access token for authenticating API calls instead of asking users for their password.

If you're sure that your integrations require authenticating on behalf of another Webex user, read on, we'll get you there in a few easy steps:

Register your integration with Webex
Request permission using an OAuth Grant Flow
Exchange the resulting authorization code for an access token
Use the access token to make your API calls

anchorRegistering your Integration

anchor

Registering an integration with Webex is super easy. If you're logged in, select My Webex Apps from the menu under your avatar at the top of this page, click "Create a New App" then "Create an Integration" to start the wizard. You'll need to provide some basic information like your integration's name, description, and logo. This information should be user-facing since that's what they'll see in the permission dialog.

After successful registration you'll be taken to a different screen containing your integration's newly created Client ID and Client Secret. The Client Secret will only be shown once so please copy and keep it safe!

Each Webex user account is limited to 20 integrations.

anchorRequesting Permission

anchor

This step requires that your integration have a user interface capable of temporarily sending users to a Webex login page. For web apps this is typically done as a popup or redirect. For mobile apps consider using a "WebView" or equivalent on your mobile platform of choice.

To kick off the flow send your user to the following URL along with a standard set of OAuth query parameters:

https://webexapis.com/v1/authorize

The required query parameters are:

Query Parameter	Value
`response_type`	Must be set to "code"
`client_id`	Issued when creating your app
`redirect_uri`	Must match one of the URIs provided during integration registration
`scope`	A space-separated list of scopes being requested by your integration (see below)
`state`	A unique string that will be passed back to your integration upon completion (see below)

After logging in, users will see a grant dialog like this one: App grant dialog

anchorScopes

anchor

Scopes define the level of access that your integration requires. The following is a complete list of scopes and their user-facing descriptions as shown in the permission dialog.

Scope

Usage

meeting:schedules_read

Retrieve your Webex meeting lists and details

meeting:schedules_write

Create, manage, or cancel your scheduled Webex meetings

meeting:recordings_read

Retrieve your Webex meeting recordings for playback

meeting:recordings_write

Manage or delete your meeting recordings for playback

meeting:preferences_read

Retrieve your Webex meeting preferences

meeting:preferences_write

Edit your Webex meeting preferences

meeting:controls_read

Read meeting control information for in-progress meetings

meeting:controls_write

Update meeting controls for in-progress meetings

meeting:participants_read

Read participant information from meetings

meeting:participants_write

Manage participants within meetings

meeting:admin_participants_read

Read participant information from meetings for all Webex users of your organization

spark-admin:telephony_config_read

Read and list telephony configuration

spark-admin:telephony_config_write

Create, edit and delete telephony configuration

meeting:admin_schedule_read

Retrieve meetings of all Webex users of your organization

meeting:admin_schedule_write

Create, manage, or cancel meetings of all Webex users of your organization

meeting:admin_recordings_read

Retrieve recordings of all Webex users of your organization

meeting:admin_recordings_write

Manage or delete recordings of all Webex users of your organization

meeting:admin_transcripts_read

Retrieve Webex meetings transcripts of all Webex users of your organization

meeting:admin_preferences_write

Manage meeting preferences of all Webex users of your organization

meeting:admin_preferences_read

Retrieve Webex meeting preferences of all Webex users of your organization

spark-compliance:meetings_read

Access to read recording and transcript resources in your user’s organization.

meeting:transcripts_read

Retrieve your Webex meetings transcripts

spark-compliance:meetings_write

Access to update/delete recordings and transcripts in your user’s organization.

spark-admin:workspace_locations_read

See details for your workspace locations

spark-admin:workspace_locations_write

Create, modify and delete your workspace locations

spark-admin:workspace_metrics_read

See metrics for your workspaces

identity:contacts_rw

Manage contacts.

identity:contacts_read

Read contacts.

spark:all

Full access to your Webex account

spark:webrtc_calling

Access webrtc services for Webex calling

spark:calls_read

List all active calls you are part of / List call history from Webex Calling

spark:devices_read

See details for your devices

spark:devices_write

Modify and delete your devices

spark:memberships_read

List people in the rooms you are in

spark:memberships_write

Invite people to rooms on your behalf

spark:messages_read

Read the content of rooms that you are in

spark:messages_write

Post and delete messages on your behalf

spark:organizations_read

Access to read your user's organizations

spark:people_read

Read your users' company directory

spark:places_read

See details for places and place services you manage

spark:places_write

Create, modify and delete places and place services you manage

spark:rooms_read

List the titles of rooms that you are in

spark:rooms_write

Manage rooms on your behalf

spark:team_memberships_read

List the people in the teams your user belongs to

spark:team_memberships_write

Add people to teams on your users' behalf

spark:teams_read

List the teams your user's a member of

spark:teams_write

Create teams on your users' behalf

spark-compliance:recordings_read

Access to read converged recording resources in your user’s organization.

spark-compliance:recordings_write

Access to update/delete converged recording resources in your user’s organization

spark:xapi_statuses

Retrieve all information from RoomOS-enabled devices.

spark:xapi_commands

Execute all commands on RoomOS-enabled devices.

spark:xsi

Access to your Webex Calling resources (e.g. calls & call settings)

spark-admin:devices_read

See details for any device in your organization

spark-admin:devices_write

Create, update and delete devices and device configurations in your organization

spark-admin:licenses_read

Access to read licenses available in your user's organizations

spark-admin:organizations_read

Access to read your user's organizations

spark-admin:people_read

Access to read your user's company directory

spark-admin:people_write

Access to write to your user's company directory

spark-admin:places_read

See details for any places and place service in your organization

spark-admin:places_write

Create, update and delete any place and place service in your organization

spark-admin:resource_group_memberships_read

Access to read your organization's resource group memberships

spark-admin:resource_group_memberships_write

Access to update your organization's resource group memberships

spark-admin:resource_groups_read

Access to read your organization's resource groups

spark-admin:roles_read

Access to read roles available in your user's organization

spark-admin:call_qualities_read

Access to read organization's call qualities

spark-admin:workspaces_read

See details for your workspaces

spark-admin:wholesale_sub_partners_read

Read or list sub-partners associated with a partner, subscribed to the Webex for Wholesale solution.

spark-admin:wholesale_sub_partners_write

Create or delete sub-partners associated with a partner, subscribed to the Webex for Wholesale solution.

spark-compliance:events_read

Access to read events in your user's organization

spark-compliance:memberships_read

Access to read memberships in your user's organization

spark-compliance:memberships_write

Access to create/update/delete memberships in your user's organization

spark-compliance:messages_read

Access to read messages in your user's organization

spark-compliance:messages_write

Delete messages in all spaces in your user's organization

spark-compliance:rooms_read

Access to read rooms in your user's organization

spark-compliance:rooms_write

Access to modify rooms in your user's organization

spark-compliance:team_memberships_read

Access to read team memberships in your user's organization

spark-compliance:team_memberships_write

Access to update team memberships in your user's organization

spark-compliance:teams_read

Access to read teams in your user's organization

spark-admin:broadworks_enterprises_read

Read or List BroadWorks Enterprise, provisioned as part of Webex for BroadWorks Solution.

identity:placeonetimepassword_create

Access to a one time password to a place to create an activation code

Identity:one_time_password

Request a one time password for people, devices, and things.

spark-compliance:webhooks_write

Delete org wide webhooks

spark-compliance:webhooks_read

Inspect org wide webhooks

spark:calls_write

Allow users to invoke call commands on themselves

spark-admin:hybrid_clusters_read

Access to read hybrid clusters for your organization

spark-admin:hybrid_connectors_read

Access to read hybrid connectors for your organization

spark-admin:broadworks_subscribers_read

Read or List BroadWorks Subscribers, provisioned as part of Webex for BroadWorks Solution.

spark-admin:broadworks_subscribers_write

Provision, Update or Remove a BroadWorks Subscriber as part of Webex for BroadWorks Solution.

audit:events_read

Access to the audit log for an organization

spark-admin:wholesale_customers_write

Provision, Update or Remove a Customer as part of Webex Wholesale Solution.

spark-admin:wholesale_customers_read

Read or List Customers, provisioned as part of Webex Wholesale Solution.

spark-admin:wholesale_subscribers_write

Provision, Update or Remove a Subscriber as part of Webex Wholesale Solution.

spark-admin:wholesale_subscribers_read

Read or List Subscribers, provisioned as part of Webex Wholesale Solution.

cjp:user

cjp:user

cjp:config_read

Read configurations details like teams, queue, sites, entry-points of your Contact Center

cjp:config_write

cjp:config_write

cjp:config

cjp:config

cloud-contact-center:pod_read

cloud-contact-center:pod_read

cloud-contact-center:pod_conv

cloud-contact-center:pod_conv

identity:groups_rw

Read Write groups

identity:groups_read

Read group

guest-issuer:read

Retrieve guest and guest metadata via Service App

guest-issuer:write

Create and manage guest users via Service App

spark:telephony_config_read

Read and list your telephony configuration

spark:telephony_config_write

Create, edit and delete your telephony configuration

spark-admin:locations_write

Create and edit location configuration.

identity:tokens_read

Admin can list token Ids for a user

identity:tokens_write

Admin can delete token for a user

meeting:admin_config_read

Retrieve Webex meeting configurations as an administrator

meeting:admin_config_write

Manage Webex meeting configurations as an administrator

spark-admin:locations_read

Read and list location configuration.

spark-admin:datasource_write

Allows a Service App to create new datasources and update existing datasources.

spark-admin:datasource_read

Allows a Service App to read datasources.

spark:applications_token

Retrieve Service App token. Not for FedRAMP customers.

application:webhooks_write

application:webhooks_read

List webhooks for Service App authorization. Not for FedRAMP customers.

spark-admin:metrics_read

Retrieve Webex metrics

guest-meeting:rw

Ability to orchestrate guest-to-guest meetings via Service App

webexsquare:get_conversation

Access Directory Search Service endpoints

dedicated-instance-uc:admin_perfmon_read

spark-admin:recordings_read

Read access to converged recording resources for admins in your user's organization.

spark-admin:recordings_write

Update and delete access to converged recording resources for admins in your user's organization.

spark:recordings_read

Read access to converged recordings for recording owners.

spark:recordings_write

Updated and delete access to converged recordings for recording owners.

identity:organizations_read

Read an organizations data, like name

identity:organizations_rw

Modify organizations data like name

spark-admin:telephony_pstn_write

Scope to limit the write access for partner telephony PSTN

spark-admin:telephony_pstn_read

Scope to limit the read access for partner telephony PSTN

spark-admin:broadworks_enterprises_write

Change BroadWorks Enterprise configuration, provisioned as part of Webex for BroadWorks Solution.

Scopes that begin with spark-admin can only be used by users with administrative access to an organization. Requesting these scopes during a grant flow will not give non-admin users access to administrative functions.

The spark-compliance scopes can only be used by an organization's compliance officers. See the Compliance Guide for more information.

The spark:all scope grants access to certain Webex account features that are not granted via the other user-level scopes. Applications which use the Webex SDKs for calling features may require this scope. Most other applications will not need to use this scope. Consult the SDK documentation for information about whether your application will need to use this scope.

As a general best practice, your integration should request only the scope, or scopes, it needs. For example, if you are creating an integration that notifies users of updates in a third-party service, and never responds to any commands, we recommend using only the spark:messages_write scope.

KMS Scope

After registering an integration, it will include the scopes you selected along with an additional scope: spark:kms. This scope is required to give your integration permission to interact with encrypted content (such as messages). For convenience, the scope is included in the integrations's scope list in the example OAuth Authorization URL on the integration's application detail page. If you don't use the example URL, be sure to include the scope when creating authorization URLs for your integration.

State

The state parameter is used to verify that the response from grant flow has not been tampered with along the way. It is recommended that your integration set this to a value that is verifiable once the user gives permission and the web browser is sent to your redirect_uri. A second use for this parameter is to encode basic state information like an internal user ID or the URL of the last page they were on before entering the grant flow.

anchorGetting an Access Token

anchor

If the user granted permission to your integration, the Webex REST API will redirect the user's web browser to the redirect_uri you specified when entering the grant flow. The request to the redirect URL will contain a code parameter in the query string like so:

http://your-server.com/auth?code=YjAzYzgyNDYtZTE3YS00OWZkLTg2YTgtNDc3Zjg4YzFiZDlkNTRlN2FhMjMtYzUz

Your integration will then need to exchange this authorization code for an access token that can be used to invoke the APIs. To do this your app will need to perform an HTTP POST to the following URL with a standard set of OAuth parameters. This endpoint will only accept a message body encoded with the application/x-www-form-urlencoded content type.

https://webexapis.com/v1/access_token

The required parameters are:

Parameter	Value
`grant_type`	This should be set to "authorization_code"
`client_id`	Issued when creating your integration
`client_secret`	Remember this guy? You kept it safe somewhere when creating your integration
`code`	The authorization code from the previous step
`redirect_uri`	Must match the one used in the previous step

The Webex REST API will then respond with JSON containing an access token and a refresh token, as shown in the example below:

{
 "access_token":"ZDI3MGEyYzQtNmFlNS00NDNhLWFlNzAtZGVjNjE0MGU1OGZmZWNmZDEwN2ItYTU3",
 "expires_in":1209600, //seconds
 "refresh_token":"MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTEyMzQ1Njc4",
 "refresh_token_expires_in":7776000 //seconds
}

After the access token expires, using it to make a request from the API will result in an HTTP 401 "Invalid Token Error" response, such as:

{
    "message": "The request requires a valid access token set in the Authorization request header.",
    "errors": [
        {
            "description": "The request requires a valid access token set in the Authorization request header."
        }
    ],
    "trackingId": "API_12345678-90AB-CDEF-1234-567890ABCDEF"
}

At this point, you should use the refresh token to generate a new access token from the authorization server.

anchorUsing the Refresh Token

anchor

Using access tokens that are short-lived and requiring that they periodically be refreshed helps to keep data secure. If the access token is ever compromised, the attacker will have a limited time in which to use it. If a refresh token is compromised, it is useless to the attacker because the client ID and secret are also required to obtain a new access token.

To refresh the access token, issue a POST to https://webexapis.com/v1/access_token with the following fields:

Field	Value
`grant_type`	This should be set to "refresh_token"
`client_id`	Issued when creating your integration
`client_secret`	Remember this guy? You kept it safe somewhere when creating your integration
`refresh_token`	The refresh token you received from the previous step

The Webex REST API will then respond with JSON containing a new access token. Generating a new access token automatically renews the lifetime of your refresh token.

Refreshing an access token before its expiration date will not cause the original access token to expire.

After the refresh token expires, using it to request a new access token from the API will result in an HTTP 400 "Invalid Request" response, such as:

{
    "message": "The refresh token provided is expired, revoked, malformed, or invalid.",
    "errors": [
        {
            "description": "The refresh token provided is expired, revoked, malformed, or invalid."
        }
    ],
    "trackingId": "API_12345678-90AB-CDEF-1234-567890ABCDEF"
}

anchorAccess Token Invalidation

anchor

An access token that's been issued to your app may be invalidated as a result of changes to a user's account. This includes, but is not limited to, the following scenarios:

A user's account access changes as a result of updates to their email address or password.
A user's Webex organization administrator deactivates and reactivates their account.

anchorInvoking the Webex REST API

anchor

Authenticating with another user's access token works just like your developer token; supply the token in an Authorization header like so:

GET /rooms
Authorization: Bearer THE_ACCESS_TOKEN
Accept: application/json

or in cURL it would be

curl https://webexapis.com/v1/rooms \
-H "Authorization: Bearer THE_ACCESS_TOKEN" \
-H "Accept: application/json"

The Bearer part is important as it instructs the API that this is an OAuth token instead of HTTP Basic Auth.

With the API, you can perform actions as the user such as sending a message with an interactive card to someone. To respond to events, you'll need to configure webhooks. Webhooks will let your app know when an activity has occurred so you can take action. Check out the Webhooks Guide for more information about configuring webhooks.

With cards, you can give your users even more ways to interact with your integration or service, right in the Webex clients. See the Buttons and Cards Guide for more information.