Best Practices for Application Development

To increase the trust and comfort of LinkedIn members when they grant your application access to their data, it is important to be transparent about how their data will be used. Follow these suggestions to help your application succeed at delivering value to LinkedIn members:

Posting on a member's behalf

Members assume that they will have control over what content is posted and shared on their behalf. You should assure users that you will not post or send mail on their behalf without their consent, and give them the option to edit content before it is posted, or to not share content if they choose.

Permission Request

You should educate users on which permissions you are requesting and how this data will be used. LinkedIn does not support incremental permission requests, so all permissions must be granted during the authorization step. Providing users with the rationale behind each requested permission in advance will give them more confidence in why you need their member data in your application. Requesting too many permissions may cause users not to authorize your application, so you should only ask for the permissions that you need.


Whenever possible, remind the user that they are logged into your application by displaying their name, portrait, and/or account settings. You should also avoid multiple login prompts. Cache the user's access token after they grant your application access, and do not bring the user through the authentication flow again unless they log out or the access token expires or is otherwise invalid. You should allow the user to log out, and when they do log out, you should destroy the access token you had been granted.
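The token-handling rule above, as an added example that is not part of LinkedIn's documentation or SDK: a cache that sends the user back through authorization only when there is no token, the token has expired, or it was rejected, and that destroys the token on logout. `TokenCache`, its method names, the user ids, and the caller-supplied `expires_in` lifetime are all hypothetical, and the store is in memory for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class CachedToken:
    value: str
    expires_at: float      # epoch seconds after which the token is unusable
    invalid: bool = False  # set when an API call rejects the token


class TokenCache:
    """In-memory access-token cache keyed by the app's own user id."""

    def __init__(self, clock=time.time):
        self._tokens = {}
        self._clock = clock  # injectable so expiry can be tested

    def store(self, user_id, token, expires_in):
        """Cache the token right after the user authorizes the app."""
        self._tokens[user_id] = CachedToken(token, self._clock() + expires_in)

    def get(self, user_id):
        """Return a usable token, or None if authorization is required."""
        entry = self._tokens.get(user_id)
        if entry is None:
            return None
        if entry.invalid or self._clock() >= entry.expires_at:
            del self._tokens[user_id]  # never keep a dead token around
            return None
        return entry.value

    def mark_invalid(self, user_id):
        """Call when a request made with the cached token is rejected."""
        entry = self._tokens.get(user_id)
        if entry is not None:
            entry.invalid = True

    def logout(self, user_id):
        """Destroy the token when the user logs out."""
        self._tokens.pop(user_id, None)

    def needs_authorization(self, user_id):
        """True only when no token exists, or it expired or was invalidated."""
        return self.get(user_id) is None
```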

If you authorize the user via the JS SDK, do not send the user through the REST authorization flow. If you do, they will have to authorize your application again. You can exchange the JS SDK token for an OAuth 1.0 REST access token if you want to make REST calls. Otherwise, use the JS SDK token to make calls with the JS SDK.

If a user authorizes your application via the REST workflow, they are not automatically logged into You should not assume that the user has access to resources that are on the website when in your application.