As mentioned, the access_token field contains the JS API bearer token which you will use for the actual exchange API call later. Before performing the exchange, however, you should be sure that this is a valid cookie written to your domain by LinkedIn (more information on why you should care about this validation is included below in the FAQ). To validate, we provide you with other details that allow you to calculate a cookie signature using your API key secret. Compare your generated signature with the one in the cookie's signature field; if they match, you know the cookie is legit and from LinkedIn.
The signature base is calculated by concatenating the values of the fields listed in the signature_order field in the order they appear. In this case, it's access_token followed by member_id, or "AD2dpVe1tOclAsNYsCri4nOatfstw7ZnMzWPvvUNSej47H".
After you construct the signature base, use the signing algorithm specified in the signature_method field to calculate the signature using your API secret. For now, the only value we're using is Base64 encoded HMAC-SHA1, the same algorithm used by OAuth. (We separated this out for compatibility just in case.) The value for the HMAC-SHA1 key is the value of the "API secret" from your Application Details page. (This is called the consumer_secret in OAuth.)
Note: For future compatibility, we provide a version field in the cookie. Today, there is only one version, 1. That may change in the future, but it's best to check now.
When you're done, you have a signature to compare to the one from the cookie:
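The validation steps above, written out as a server-side check in Python. This is an added example, not LinkedIn's code. It assumes the cookie has already been parsed from JSON into a dict, that the version field's key is "signature_version", and that the signature_method string is "HMAC-SHA1"; the sample secret and field values are constructed.

```python
import base64
import hashlib
import hmac

# Assumed literals: the page names these fields but not their exact strings.
SUPPORTED_VERSION = 1
SUPPORTED_METHOD = "HMAC-SHA1"
VERSION_FIELD = "signature_version"  # assumed key name for the version field


def compute_signature(cookie: dict, api_secret: str) -> str:
    """Base64(HMAC-SHA1(api_secret, fields concatenated in signature_order))."""
    base = "".join(str(cookie[name]) for name in cookie["signature_order"])
    digest = hmac.new(api_secret.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def is_valid_cookie(cookie: dict, api_secret: str) -> bool:
    """True only if version and method are supported and the signature matches."""
    try:
        if cookie[VERSION_FIELD] != SUPPORTED_VERSION:
            return False
        if cookie["signature_method"] != SUPPORTED_METHOD:
            return False
        order = cookie["signature_order"]
        # signature_order arrives in the cookie itself, so insist that the
        # signature covers the two fields the exchange call depends on.
        if not isinstance(order, list) or not {"access_token", "member_id"} <= set(order):
            return False
        expected = compute_signature(cookie, api_secret)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode(), str(cookie["signature"]).encode())
    except (KeyError, TypeError):
        return False  # missing or malformed field: treat as invalid


if __name__ == "__main__":
    secret = "constructed-api-secret"  # constructed sample, not a real secret
    cookie = {
        "access_token": "constructed-token",
        "member_id": "constructed-member",
        "signature_order": ["access_token", "member_id"],
        "signature_method": SUPPORTED_METHOD,
        VERSION_FIELD: SUPPORTED_VERSION,
    }
    cookie["signature"] = compute_signature(cookie, secret)
    print(is_valid_cookie(cookie, secret))                                 # True
    print(is_valid_cookie({**cookie, "access_token": "swapped"}, secret))  # False
```

Only proceed to the exchange API call when is_valid_cookie returns True; any parsing error or unsupported version is treated as a failed validation rather than a reason to skip the check.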