Authenticating API Requests

v2 API Concepts

Alert: Starting 10 October 2017 developers must use TLS 1.1 or 1.2 when calling LinkedIn APIs. LinkedIn no longer supports TLS 1.0 for security reasons.

Additionally, there are some upgrades to the OAuth 2.0 framework that affect access token length and lifetime. Please go through our updated documentation.

OAuth 2.0

At LinkedIn, we value the integrity and security of our members' data above all else.  In order for your applications to access LinkedIn member data and/or act on their behalf, they must be authenticated.  LinkedIn relies on the industry standard OAuth 2.0 protocol for granting access, due to its simplicity and ease of implementation.

Please read our Authenticating with OAuth 2.0 guide for a detailed walk-through of how to get your application authenticated and successfully interacting with LinkedIn's v2 REST APIs. 

As a convenience, if you are developing an Android or iOS application, we provide SDKs to handle the authentication process for you. 

Additionally, there are several third-party libraries available in the open source community, covering every major programming language, that abstract the OAuth 2.0 authentication process for you.

Permissions

Permissions are authorization consents to access LinkedIn resources. The LinkedIn platform utilizes permissions to protect our members’ information from violence or abuse.

Each permission grants access to a different subset of APIs. To get access to permissions, you will need to go through the OAuth flow to generate an access token. There are two main types of access tokens:

3-legged vs 2-legged

At LinkedIn, authorizing a 3-legged access token grants the application permission to access a member’s resources on LinkedIn, and authorizing a 2-legged access token grants the application permission to access LinkedIn resources.

Permission Type

Permissions are classified into two different types as follows:   

  • Member Permission - Requires user’s approval during the authorization flow. Until a user approves, the application has no access to the API.
  • Application Permission - Granted to the application directly. It is used to return LinkedIn resources that are not tied to any specific user’s context.

Since these permissions stand for different types of data, you should make sure your application requests the proper access token. The following table shows major differences:

Type                 | Member Permission                                                              | Application Permission
Shown on My Apps     | Yes                                                                            | No
Default to Authorize | Checked on app center or specified while requesting the user’s authorization   | Yes
Access Token         | 3-legged                                                                       | 2-legged

HTTPS

All API requests made to api.linkedin.com must use the HTTPS protocol.  HTTP is not supported.
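
The following is an added example, not LinkedIn's own code, of one way a Python client can enforce the transport rules on this page: HTTPS only, to api.linkedin.com only, with a TLS floor of 1.2, including when the server answers with a redirect. The function and class names, the /v2/example path and the token value are constructed for illustration, and sending the token as an OAuth 2.0 bearer header (RFC 6750) is an assumption.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

API_HOST = "api.linkedin.com"  # the API host named on this page


def make_tls_context() -> ssl.SSLContext:
    """Verify certificates and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_api_url(url: str) -> str:
    """Return url unchanged, or raise if it is not HTTPS to API_HOST."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("API calls must use https://, got %r" % parts.scheme)
    if parts.hostname != API_HOST or parts.port not in (None, 443):
        raise ValueError("refusing to send a token to %r" % parts.netloc)
    return url


def build_api_request(url: str, access_token: str) -> urllib.request.Request:
    """Build a GET carrying the token, only for a URL that passes the check."""
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access token is empty or contains whitespace")
    req = urllib.request.Request(check_api_url(url), method="GET")
    # Assumption: token is sent as an OAuth 2.0 bearer token (RFC 6750).
    req.add_header("Authorization", "Bearer " + access_token)
    return req


class StrictRedirects(urllib.request.HTTPRedirectHandler):
    """urllib re-sends Authorization on redirects; re-check the target first."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_api_url(newurl)  # blocks HTTP downgrade and foreign hosts
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def call_api(url: str, access_token: str, timeout: float = 10.0) -> bytes:
    """Perform the request over the hardened context (needs network access)."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=make_tls_context()),
        StrictRedirects(),
    )
    with opener.open(build_api_request(url, access_token), timeout=timeout) as r:
        return r.read()
```

The URL check runs before the token is attached, so a plain-HTTP or look-alike host never receives the Authorization header.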