Investigated the staff RingCentral iframe sign-in failure shown as invalid_client, OAU-113, and No redirect URI is registered for this client application.
Confirmed Salesforce is not the source of this specific sign-in error. Earlier live checks showed Janelle has the RingCentral_Panel_User permission set and the LWC/Apex access needed for the panel. This new error occurs after the iframe opens RingCentral OAuth.
Confirmed the live Salesforce custom label RingCentral_Embeddable_Client_Id points to client ID ending BnSK.
Opened RingCentral Developer Console and found that the matching app is SMS Quick Start App. Its settings are configured for JWT auth flow, not 3-legged OAuth. Because of that, RingCentral has no redirect URI registered for the Embeddable browser login flow.
Checked other visible RingCentral apps in the account. The saved candidate apps also return the same no-redirect error for the Embeddable callback URI.
Applied a reversible Salesforce-side unblock in litifyRingCentralPanel: removed the custom clientId parameter from the iframe URL while keeping enableSMSTemplate=1 and enableSmsSettingEvent=1. This prevents staff from being sent into the broken JWT-only app during iframe sign-in.
Official RingCentral Embeddable docs say the 3-legged app should use the latest redirect URI https://apps.ringcentral.com/integration/ringcentral-embeddable/latest/redirect.html.
Direct OAuth test for client ID ending BnSK returned HTTP 403 with OAU-113, matching the user screenshot.
Live-before snapshot saved at tmp/ringcentral-oauth-unblock-2026-05-19/live-before/lwc/litifyRingCentralPanel/.
Check-only deploy succeeded: 0AfUV000001X7gT0AS, zero component errors.
Production deploy succeeded: 0AfUV000001X7i50AC, zero component errors.
Fresh Salesforce Tooling API readback confirmed the live iframe URL is now https://apps.ringcentral.com/integration/ringcentral-embeddable/latest/app.html?enableSMSTemplate=1&enableSmsSettingEvent=1 and no longer includes the broken clientId parameter.
The hosted RingCentral Embeddable URL returned HTTP 200 after the change.
The immediate staff-facing blocker was remediated with a reversible Salesforce deploy. The permanent production-quality fix requires a RingCentral Developer Console OAuth app change or a new dedicated Embeddable app. That is a persistent OAuth access configuration change and should be handled deliberately because the current SMS Quick Start App appears to be JWT-oriented and may be used by scripts.
Preferred durable follow-up: create a dedicated RingCentral Embeddable browser app or repurpose an unused zero-traffic app, set it to 3-legged OAuth authorization code flow, set the redirect URI to https://apps.ringcentral.com/integration/ringcentral-embeddable/latest/redirect.html, add the needed Embeddable scopes, then update the Salesforce custom label to the new production client ID.
Avoid converting the existing SMS Quick Start App from JWT to 3-legged OAuth unless the JWT consumers are checked first.