OAuth 2.0 Client Credentials Flow (2-Legged)

For certain endpoints we offer OAuth 2.0 application access via the Client Credentials Flow.  Commonly referred to as "OAuth two-legged", this flow allows your application to authorize with LinkedIn's API directly - outside the context of any specific user.

By default, your application will not have the ability to use LinkedIn's client credentials flow.  Contact us to have your application granted permission to use this flow.

Configuring your App

To proceed with generating a token, make sure you've completed Step 1 of the Authenticating with OAuth 2.0 tutorial.

  • API Key and Secret Key example

Once you have your Client ID and Client Secret values, as in the example above, you are ready to proceed.

Generating an Access Token

Using the Client Credentials Flow is straightforward - simply issue an HTTP GET against the endpoint with both your client_id and client_secret set appropriately.

GET
https://www.linkedin.com/oauth/v2/accessToken
Parameter Description Required
grant_type The value of this field should always be:  client_credentials Yes
client_id The "Client ID" value generated when you registered your application. Yes
client_secret

The "Client Secret" value generated when you registered your application.

 

Follow the Best Practices guide for handing your client_secret value.

Yes
Sample request
https://www.linkedin.com/oauth/v2/accessToken?grant_type=client_credentials&client_id=93r29maplxr58u&client_secret=rA1z8zBOM3yrX123

A successful Access Token request will return a JSON object containing the following fields:

  • access_token — The access token for the user.  This value must be kept secure, as per your agreement to the API Terms of Use.
  • expires_in — The number of seconds remaining, from the time it was requested, before the token will expire.  Access tokens are issued with a 30 minute lifespan.  You can request a new token once your previous token expires.
Sample response
{  
   "access_token":"AQV8...",
   "expires_in":"1800"
}

Making API requests

Once you've obtained an Access Token, you can start making API requests. This is accomplished by including an "Authorization" header in your HTTP call to LinkedIn's API.  Here is a sample HTTP request including the header value that includes the token:

Sample call
GET /v2/jobs HTTP/1.1
Host: api.linkedin.com
Connection: Keep-Alive
Authorization: Bearer AQXd...

Handling Invalid Tokens

If you make an API call using an invalid token, you will receive a "401 Unauthorized" response back from the server.  A token could be invalid and in need of regeneration because:

  • It has expired.
  • It was revoked.

Since a predictable expiry time is not the only contributing factor to token invalidation, it is very important that you code your applications to properly handle an encounter with a 401 error.