Authenticating with OAuth 2.0 Overview

The LinkedIn API uses OAuth 2.0 for member (user) authorization and API authentication. Applications must be authorized and authenticated before they can fetch data from LinkedIn or get access to LinkedIn member data.

Depending on the type of permissions your integration requires, follow one of the two authorization flows described under Permission Types below to get started.

There are several third-party libraries in the open source community that abstract the OAuth 2.0 authentication process in every major programming language.

Note

LinkedIn does not support TLS 1.0. Support for TLS 1.1 has been marked for deprecation starting 02/01/2020. Please use TLS 1.2 when calling LinkedIn APIs. All API requests to api.linkedin.com must be made over HTTPS. Calls made over HTTP will fail.

Permission Types

Permissions are authorization consents to access LinkedIn resources. The LinkedIn platform uses permissions to protect and prevent abuse of member data. Your application must have the appropriate permissions before it can access data.

Permissions are classified into two types.

  • Member Authorization or Authorization Code Flow (3-legged authorization): A LinkedIn member grants permissions to your application to access the member’s resources on LinkedIn. Your application has no access to these resources without member approval. Use this flow if you are requesting access to a member's account to use their data and make requests on their behalf. This is the most commonly used permission type across LinkedIn APIs. Open permissions available to all applications are of this type. These include r_liteprofile, r_emailaddress, and w_member_social.

  • Application Authorization or Client Credential Flow (2-legged authorization): LinkedIn grants permissions to your application to access protected LinkedIn resources. If you are accessing APIs that are not member specific, use this flow. Not all APIs support Application Authorization. For example, Marketing APIs must use Member Authorization.

Note

Always request the minimal permission scopes necessary for your use case.
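The sketch below is an added example, not LinkedIn's code. It shows one way a client can enforce the two notes above: a TLS context that refuses anything below TLS 1.2, an HTTPS-only URL check, and a member authorization (3-legged) request that carries only allow-listed scopes. The authorization endpoint URL is not given on this page and is assumed here; the function names, the allow-list policy and the query parameters (standard OAuth 2.0 authorization code parameters) are also choices of this example.

```python
import secrets
import ssl
from urllib.parse import urlencode, urlsplit

# Assumption: this endpoint URL is not stated on this page.
AUTHORIZATION_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization"
# Allow-list for this example: the open permissions named on this page.
REVIEWED_SCOPES = {"r_liteprofile", "r_emailaddress", "w_member_social"}


def tls12_context():
    """Client TLS context that verifies certificates and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def require_https(url):
    """Reject plain-HTTP URLs before any request is attempted."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS URL: {url!r}")
    return url


def build_authorization_url(client_id, redirect_uri, needed_scopes, state=None):
    """Return (url, state) for the member authorization request."""
    scopes = sorted(set(needed_scopes))  # de-duplicate, stable order
    if not scopes:
        raise ValueError("at least one scope is required")
    unknown = set(scopes) - REVIEWED_SCOPES
    if unknown:
        # Fail closed: a scope nobody reviewed is never requested.
        raise ValueError(f"scopes outside the allow-list: {sorted(unknown)}")
    # Random state ties the callback to this request (CSRF protection).
    state = state or secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),
    })
    return require_https(f"{AUTHORIZATION_ENDPOINT}?{query}"), state
```

Pass `tls12_context()` to the HTTP client used for API calls, and compare the `state` returned here with the one received on the redirect before exchanging the authorization code.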