Client Credential Flow (2-legged OAuth)

If your application needs to access APIs that are not member specific, use the Client Credential Flow. Your application cannot access these APIs by default. Learn more about LinkedIn Developer Enterprise products to request permission to the Client Credential Flow.

Important

2-legged OAuth authentication is not available for marketing APIs.

Step 1: Get Client ID and Client Secret

If you are just getting started, create a new application and enter details.

If you have an existing application, select it to modify its settings.

Each application is assigned a unique Client ID (also known as Consumer key or API key) and Client Secret. Make note of these values as they have to be integrated into the configuration files or the actual code of your application.

Important

Your Client Secret protects your application's security so be sure to keep it secure! Do not share your Client Secret value with anyone, including posting it in support forums for help with your application.

Step 2: Generate an Access Token

To generate an access token, issue an HTTP POST against the accessToken endpoint with both your Client ID and Client Secret values.

https://www.linkedin.com/oauth/v2/accessToken

| Parameter | Description | Required |
|---|---|---|
| grant_type | The value of this field should always be client_credentials. | Yes |
| client_id | The Client ID value generated when you registered your application. | Yes |
| client_secret | The Client Secret value generated when you registered your application. See the Best Practices Guide for ways to keep your client_secret value secure. | Yes |

Sample Request (Secure Approach)

POST /oauth/v2/accessToken HTTP/1.1
Host: www.linkedin.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id={your_client_id}&client_secret={your_client_secret}

A successful access token request returns a JSON object containing the following fields:

  • access_token — The access token for the application. This token must be kept secure.
  • expires_in — The number of seconds remaining until the token expires. Access tokens are issued with a 30-minute lifespan. You can request a new token once your current token expires.

Sample Response

{
    "access_token": "AQV8...",
    "expires_in": "1800"
}

Step 3: Make API Requests

Once you've received an access token, you can make API requests by including an Authorization header with your token in the HTTP call to LinkedIn's API.

Sample Request

GET /v2/jobs HTTP/1.1
Host: api.linkedin.com
Connection: Keep-Alive
Authorization: Bearer {access_token}

Handling Invalid Tokens

If you make an API call using an invalid token, you'll receive a 401 Unauthorized response from the server. In this case, the token may need to be regenerated because it expired or was revoked.

These are not the only reasons for an invalid token. Make sure your applications are coded to properly handle a 401 Unauthorized error.
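
The sketch below ties Steps 2 and 3 and the 401 handling together. It is an added example, not LinkedIn's code: it sends the secret only in the POST body, caches the token until shortly before expires_in runs out, and on a 401 regenerates the token once and retries once. The class name, the skew parameter and the environment variable names are assumptions.

```python
import json
import os
import time
from urllib import error, parse, request

TOKEN_URL = "https://www.linkedin.com/oauth/v2/accessToken"  # endpoint from this page

def http_send(method, url, headers, form=None):
    """Default transport. Returns (status, body) and does not raise on 4xx/5xx."""
    data = parse.urlencode(form).encode() if form else None
    req = request.Request(url, data=data, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as err:
        return err.code, err.read().decode()

class ClientCredentials:
    """Hypothetical helper: caches the token, regenerates it on expiry or on a 401."""
    def __init__(self, client_id, client_secret, send=http_send, clock=time.monotonic, skew=60):
        self._id, self._secret = client_id, client_secret
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self, force=False):
        if force or self._token is None or self._clock() >= self._expires_at:
            form = {"grant_type": "client_credentials",
                    "client_id": self._id, "client_secret": self._secret}
            headers = {"Content-Type": "application/x-www-form-urlencoded"}
            status, body = self._send("POST", TOKEN_URL, headers, form)
            if status != 200:
                raise RuntimeError(f"token request failed: HTTP {status}")  # status only
            data = json.loads(body)
            self._token = data["access_token"]
            # expires_in may arrive as a string; refresh `skew` seconds early.
            self._expires_at = self._clock() + int(data["expires_in"]) - self._skew
        return self._token

    def get(self, url):
        for attempt in range(2):  # second pass runs only after a 401
            headers = {"Authorization": f"Bearer {self.token(force=attempt == 1)}"}
            status, body = self._send("GET", url, headers)
            if status != 401:
                break
        return status, body

if __name__ == "__main__":  # assumed env var names; the secret stays out of source
    api = ClientCredentials(os.environ["LINKEDIN_CLIENT_ID"], os.environ["LINKEDIN_CLIENT_SECRET"])
    print(api.get("https://api.linkedin.com/v2/jobs")[0])
```

A 401 that survives the single retry is returned to the caller, so a revoked application or missing permission surfaces as an error instead of a retry loop.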