Linkedin API 1

The document provides an overview of LinkedIn's API documentation, detailing various business solutions such as Consumer, Learning, Marketing, Sales, and Talent Solutions. It explains the authentication process using OAuth 2.0, the types of permissions available for developers, and the steps required to gain access to LinkedIn APIs. Additionally, it outlines the authorization flows for member and application access, along with best practices for using the API.

Uploaded by

Haik Voskanyan
LinkedIn API Overview


LinkedIn's home for API documentation for all LinkedIn business lines. Our API
documentation is organized by business lines covering Consumer, Compliance,
Learning, Marketing, Sales, and Talent Solutions. Follow the links below to learn more
about business lines and their possible integration types.

Where to Start

Get Started
LinkedIn Business Solutions
Get API Access
Authentication
API Concepts
Breaking Change Policy
Best Practices
Error Handling

Consumer Solutions

Overview
Consumer Overview
Sign in with LinkedIn using OpenID Connect
Share on LinkedIn
Plugins

Learning Solutions

Overview
Learning Home
Learning Overview
Request Access
API Terminology
API Foundations

Marketing Solutions

Overview
Marketing Overview
Getting Started
Use Cases
Integrations Overview
Apply for Access
Recent Changes

Talent Solutions

Overview
Talent Overview
Recruiter System Connect
Apply Connect
Talent Hub
Apply with LinkedIn
Job Posting
Easy Apply

Sales Solutions

Overview
Sales Overview
Analytics Services
Display Services
Sync Services

Compliance

Overview
Compliance Overview
Release Notes

Getting Access to LinkedIn APIs
Article • 02/05/2025

The LinkedIn API uses OAuth 2.0 for user authorization and API authentication.
Applications must be authorized and authenticated before they can fetch data from
LinkedIn or get access to member data. This page summarizes the permissions
and partner programs available for accessing LinkedIn APIs. Most permissions and
partner programs require explicit approval from LinkedIn. Open Permissions are the only
permissions that are available to all developers without special approval.

All permissions listed below are used in either Member Authentication Flow (3-legged)
or Application Authentication Flow (2-legged). More about these permission types can
be found in Authenticating with OAuth 2.0 Overview.

Open Permissions (Consumer)


The following permissions are available to all developers, and may be added via
self-service through the LinkedIn Developer Portal, under the Products tab on your
application page. LinkedIn products can be enabled after creating a new application.

| Product/Program | Permission | Description |
|---|---|---|
| Sign in with LinkedIn using OpenID Connect | profile | Member Auth: Retrieve authenticated member's name, headline, and photo. |
| Sign in with LinkedIn using OpenID Connect | email | Member Auth: Retrieve authenticated member's primary email address. |
| Share on LinkedIn | w_member_social | Member Auth: Post, comment and like posts on behalf of an authenticated member. |

Learning
Developers seeking to build a learning related integration should refer to the Request
API Access page within the LinkedIn Learning API space.

Marketing
Developers seeking to build a marketing related integration using Advertising APIs
permissions must be approved. You can apply for access through the Developer
Portal. This can be done by selecting your app from My Apps, navigating to the
Products tab, and adding the Marketing Developer Platform product. Qualifications to be
an Advertising APIs partner are available at Become a Partner.

Audiences permissions may be applied for after being an approved Marketing
Developer Platform partner. Contact support or your partner rep for application
information.

| Product/Program | Permission | Description |
|---|---|---|
| Advertising APIs | rw_organization_admin | Member Auth: Manage an authenticated member’s company pages and retrieve reporting data. |
| Advertising APIs | r_organization_admin | Member Auth: Retrieve an authenticated member’s company pages and their reporting data. |
| Advertising APIs | w_organization_social | Member Auth: Post, comment and like posts on behalf of an organization. Restricted to organizations in which the authenticated member has one of the following company page roles: ADMINISTRATOR, DIRECT_SPONSORED_CONTENT_POSTER, LEAD_GEN_FORMS_MANAGER |
| Advertising APIs | r_organization_social | Member Auth: Retrieve organizations' posts, comments, and likes. |
| Marketing Developer Platform (MDP) | w_member_social | Member Auth: Post, comment, and like posts on behalf of an authenticated member. |
| Advertising APIs | rw_ads | Member Auth: Manage and read an authenticated member's ad accounts. Restricted to ad accounts in which the authenticated member has one of the following ad account roles: ACCOUNT_BILLING_ADMIN, ACCOUNT_MANAGER, CAMPAIGN_MANAGER, CREATIVE_MANAGER |
| Advertising APIs | r_ads | Member Auth: Read an authenticated member's ad accounts. Restricted to ad accounts in which the authenticated member has one of the following ad account roles: ACCOUNT_BILLING_ADMIN, ACCOUNT_MANAGER, CAMPAIGN_MANAGER, CREATIVE_MANAGER, VIEWER |
| Advertising APIs | r_ads_reporting | Member Auth: Retrieve reporting for advertising accounts. |
| Advertising APIs | r_1st_connections_size | Member Auth: Retrieve the count of an authenticated member's 1st-degree connections. |
| Advertising APIs | r_basicprofile | Member Auth: Read an authenticated member's basic profile including name, photo, headline, and public profile URL. |
| Lead Sync | r_marketing_leadgen_automation | Member Auth: Access your lead generation forms and retrieve leads (including event leads, ad leads, and organization page leads). |
| Audiences | rw_dmp_segments | Member Auth: Create and manage matched audiences. |

Sales
Developers seeking to build sales related integration using one of the permissions
below must be approved as a Sales Navigator Application Platform (SNAP) partner.
Apply here to be a SNAP partner.

| Product/Program | Permission | Description |
|---|---|---|
| Sales Navigator Application Platform (SNAP) | r_sales_nav_analytics | Member Auth: Enables access to Sales Navigator Analytics retrieval. |
| Sales Navigator Application Platform (SNAP) | r_sales_nav_display | Member Auth: Display Services permission for Sales Navigator. |
| Sales Navigator Application Platform (SNAP) | r_sales_nav_validation | Application Auth: Access Sales Navigator endpoints for CRM data validation. |
| Sales Navigator Application Platform (SNAP) | r_sales_nav_profiles | Application Auth: Access Sales Navigator endpoints that present matched, publicly available member profile information. |

Talent
Developers seeking to build talent related integrations through one of the programs
listed below can apply here. We recommend familiarizing yourself with the types of
partner integrations available before applying by visiting here and here.

Recruiter System Connect (RSC)
Apply Connect
Talent Hub
Apply with LinkedIn
Premium Job Posting
Easy Apply

Compliance (Closed)
The following permissions used for Compliance integrations are listed for reference
purposes only. Access is closed and may not be requested.

| Product/Program | Permission | Description |
|---|---|---|
| Compliance | r_compliance | Member Auth: Retrieve activities for compliance monitoring and archiving |
| Compliance | w_compliance | Member Auth: Manage and delete data for compliance. |


Overview
Article • 05/08/2023

The LinkedIn API uses OAuth 2.0 for member (user) authorization and API
authentication. Applications must be authorized and authenticated before they can
fetch data from LinkedIn or get access to LinkedIn member data.

There are two types of Authorization Flows available:

Member Authorization (3-legged OAuth)
Application Authorization (2-legged OAuth)

Depending on the type of permissions your integration will require, follow one of the
authorization flows to get started.

Note

There are several third-party libraries in the open source community which
abstract the OAuth 2.0 authentication process in every major programming
language.
LinkedIn does not support TLS 1.0.

Member Authorization (3-legged OAuth Flow)


Member Authorization is a grant of permissions from a LinkedIn member to your
application to access the member’s resources on LinkedIn. Your application has no access
to these resources without member approval. Member Auth uses the 3-legged
OAuth code flow. For step-by-step instructions on how to implement 3-legged OAuth,
see the Authorization Code Flow (3-legged OAuth) page.

Tip

When to use 3-legged OAuth

Use this flow if you are requesting access to a member's account to use their data
and make requests on their behalf. This is the most commonly used permission
type across LinkedIn APIs. Open permissions available to all applications are of this
type, such as r_liteprofile, r_emailaddress, and w_member_social.
Member Auth Permissions
Member Authorization Permissions are granted by a LinkedIn member to access
the member's resources on LinkedIn. Permissions are authorization consents to access
LinkedIn resources. The LinkedIn platform uses permissions to protect and prevent
abuse of member data. Your application must have the appropriate permissions before
it can access data. To see the list of permissions, descriptions and access details, refer to
the Getting Access to LinkedIn APIs page.

Application Authorization (2-legged OAuth Client Credential Flow)
Application Authorization, or 2-legged OAuth, grants permissions to your
application to access protected LinkedIn resources. If you are accessing APIs that are not
member specific, use this flow. Not all APIs support Application Authorization. For
example, for Marketing APIs you must use the Member Authorization explained above. For
step-by-step instructions on how to implement 2-legged OAuth, see the Client Credential
Flow (2-legged OAuth) page.

Note

Always request the minimal permission scopes necessary for your use case.

Application Auth Permissions


Application Authorization Permissions are granted to applications to access LinkedIn
protected resources. To see the list of permissions, descriptions and access details, refer
to Getting Access to LinkedIn APIs page.

Sample Application
You can explore the OAuth Sample Applications that enable you to try out RESTful
OAuth calls to the LinkedIn Authentication server. The sample app is available in Java.

Additionally, you can also explore the Marketing Sample Application.



Authorization Code Flow (3-legged OAuth)
Article • 11/30/2023

The Authorization Code Flow is used for applications to request permission from a
LinkedIn member to access their account data. The level of access or profile detail is
explicitly requested using the scope parameter during the authorization process
outlined below. This workflow will send a consent prompt to a selected member, and
once approved your application may begin making API calls on behalf of that member.

This approval process ensures that LinkedIn members are aware of what level of detail
an application may access or action it may perform on their behalf.

If multiple scopes are requested, the user must consent to all of them and may not
select individual scopes. For the benefit of your LinkedIn users, please ensure that your
application requests the least number of scope permissions.

Note

Generate a Token Manually Using the Developer Portal

The LinkedIn Developer Portal has a token generator for manually creating tokens.
Visit the LinkedIn Developer Portal Token Generator or follow the steps outlined
in Developer Portal Tools.

Authorization Code Flow


1. Configure your application in the Developer Portal to obtain Client ID and Client
Secret.
2. Your application directs the browser to LinkedIn's OAuth 2.0 authorization page
where the member authenticates.
3. After authentication, LinkedIn's authorization server passes an authorization code
to your application.
4. Your application sends this code to LinkedIn and LinkedIn returns an access token.
5. Your application uses this token to make API calls on behalf of the member.
How to Implement 3-legged OAuth
Follow the steps given below to implement the 3-legged OAuth for LinkedIn APIs:

Prerequisites
A LinkedIn Developer application to create a new application or select your
existing application
Prior authorization access granted for at least one 3-legged OAuth permission.

The permission request workflow is outlined in the Getting Access section.

Step 1: Configure Your Application

1. Select your application in the LinkedIn Developer Portal.
2. Click the Auth tab to view your application credentials.
3. Add the redirect (callback) URL via HTTPS to your server.

Note

LinkedIn servers will only communicate with URLs that you have identified as
trusted.

URLs must be absolute: https://dev.example.com/auth/linkedin/callback, not /auth/linkedin/callback
Parameters are ignored: https://dev.example.com/auth/linkedin/callback?id=1 will be https://dev.example.com/auth/linkedin/callback
URLs cannot include a #: https://dev.example.com/auth/linkedin/callback#linkedin is invalid.

If you are using Postman to test this flow, use https://oauth.pstmn.io/v1/callback as
your redirect URL and enable Authorize using browser.

Each application is assigned a unique Client ID (Consumer key/API key) and Client
Secret. Please make a note of these values as they will be integrated into your
application. Your Client Secret protects your application's security so be sure to keep it
secure!

Warning

Do not share your Client Secret value with anyone. Do not pass it in the URL or in
URI query-string parameters when making API calls, and do not post it in support
forums, chat, etc.

Step 2: Request an Authorization Code


To request an authorization code, you must direct the member's browser to LinkedIn's
OAuth 2.0 authorization page, where the member either accepts or denies your
application's permission request.

Once the request is made, one of the following occurs:

1. If it is a first-time request, the permission request timed out, or was manually
revoked by the member: the browser is redirected to LinkedIn's authorization
consent window.
2. If there is an existing permission grant from the member: the authorization screen
is bypassed and the member is immediately redirected to the URL provided in the
redirect_uri query parameter.

When the member completes the authorization process, the browser is redirected to the
URL provided in the redirect_uri query parameter.

Note

If the scope permissions are changed in your app, your users must re-authenticate
to ensure that they have explicitly granted your application all of the permissions
that it is requesting on their behalf.

https

GET https://www.linkedin.com/oauth/v2/authorization

| Parameter | Type | Description | Required |
|---|---|---|---|
| response_type | string | The value of this field should always be: code | Yes |
| client_id | string | The API Key value generated when you registered your application. | Yes |
| redirect_uri | url | The URI your users are sent back to after authorization. This value must match one of the Redirect URLs defined in your application configuration. For example, https://dev.example.com/auth/linkedin/callback. | Yes |
| state | string | A unique string value of your choice that is hard to guess. Used to prevent CSRF. For example, state=DCEeFWf45A53sdfKef424. | No |
| scope | string | URL-encoded, space-delimited list of member permissions your application is requesting on behalf of the user. These must be explicitly requested. For example, scope=liteprofile%20emailaddress%20w_member_social. See Permissions and Best Practices for Application Development for additional information. | Yes |

The scopes available to your app depend on which Products or Partner Programs your
app has access to. This information is available in the Developer Portal. Your app's
Auth tab will show current scopes available. You can apply for new Products under the
Products tab. If approved, your app will have access to new scopes.

Sample Request

https

GET https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id={your_client_id}&redirect_uri={your_callback_url}&state=foobar&scope=liteprofile%20emailaddress%20w_member_social

Once redirected, the member is presented with LinkedIn's authentication screen. This
identifies your application and outlines the particular member permissions/scopes that
your application is requesting. You can change the logo and application name in the
Developer Portal under My apps > Settings.
Member Approves Request
By providing valid LinkedIn credentials and clicking Allow, the member approves your
application's request to access their member data and interact with LinkedIn on their
behalf. This approval instructs LinkedIn to redirect the member to the redirect URL that
you defined in your redirect_uri parameter.

https

https://dev.example.com/auth/linkedin/callback?
state=foobar&code=AQTQmah11lalyH65DAIivsjsAQV5P-
1VTVVebnLl_SCiyMXoIjDmJ4s6rO1VBGP5Hx2542KaR_eNawkrWiCiAGxIaV-TCK-
mkxDISDak08tdaBzgUYfnTJL1fHRoDWCcC2L6LXBCR_z2XHzeWSuqTkR1_jO8CeV9E_WshsJBgE-
PWElyvsmfuEXLQbCLfj8CHasuLafFpGb0glO4d7M

Attached to the redirect_uri are two important URL arguments that you need to read
from the request:

code — The OAuth 2.0 authorization code.

state — A value used to test for possible CSRF attacks.

The code is a value that you exchange with LinkedIn for an OAuth 2.0 access token in
the next step of the authentication process. For security reasons, the authorization code
has a 30-minute lifespan and must be used immediately. If it expires, you must repeat all
of the previous steps to request another authorization code.
Warning

Before you use the authorization code, your application should ensure that the
value returned in the state parameter matches the state value from your original
authorization code request. This ensures that you are dealing with the real member
and not a malicious script. If the state values do not match, you are likely the victim
of a CSRF attack and your application should return a 401 Unauthorized error
code in response.

Failed Requests

If the member chooses to cancel, or the request fails for any reason, the client is
redirected to your redirect_uri with the following additional query parameters
appended:

error - A code indicating one of these errors:
    user_cancelled_login - The member declined to log in to their LinkedIn account.
    user_cancelled_authorize - The member refused to authorize the permissions request from your application.
error_description - A URL-encoded textual description that summarizes the error.
state - A value passed by your application to prevent CSRF attacks.

For more error details, refer here
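
The following sketch ties Step 2 together: it builds the authorization URL with an unguessable state, then processes the redirect, covering the state check from the warning above and the failed-request parameters. It is an added example, not LinkedIn's code; the function names, the dict used as a session store, the error payload keys and the 400 status for non-CSRF failures are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZATION_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization"


def check_redirect_uri(uri):
    """Apply the redirect URL rules from Step 1 and return the registered form."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("redirect_uri must be an absolute https URL")
    if "#" in uri:
        raise ValueError("redirect_uri cannot include a #")
    # Query parameters are ignored on registration, so drop them here as well.
    return f"https://{parts.netloc}{parts.path}"


def begin_authorization(session, client_id, redirect_uri, scopes):
    """Store a fresh state value in the session and return the authorization URL."""
    state = secrets.token_urlsafe(32)  # hard to guess, one per authorization attempt
    session["oauth_state"] = state
    query = urlencode(
        {
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": check_redirect_uri(redirect_uri),
            "state": state,
            "scope": " ".join(scopes),
        },
        quote_via=quote,  # encodes the scope separator as %20, as in the sample request
    )
    return f"{AUTHORIZATION_ENDPOINT}?{query}"


def handle_callback(session, callback_url):
    """Return (http_status, payload) for a request received on the redirect URL."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    returned = params.get("state", "")
    # Check state before anything else, including the error parameters.
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        return 401, {"error": "state_mismatch"}
    if "error" in params:
        # user_cancelled_login / user_cancelled_authorize; parse_qs already
        # URL-decoded error_description. Status 400 is this example's choice.
        return 400, {
            "error": params["error"],
            "description": params.get("error_description", ""),
        }
    code = params.get("code")
    if not code:
        return 400, {"error": "missing_code"}
    return 200, {"code": code}  # exchange promptly in Step 3


if __name__ == "__main__":
    # Constructed values for illustration only.
    session = {}
    url = begin_authorization(
        session,
        "your_client_id",
        "https://dev.example.com/auth/linkedin/callback",
        ["profile", "email"],
    )
    print(url)
    forged = "https://dev.example.com/auth/linkedin/callback?state=foobar&code=X"
    print(handle_callback(session, forged))
```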

Step 3: Exchange Authorization Code for an Access Token
The next step is to get an access token for your application using the authorization code
from the previous step.

https

POST https://www.linkedin.com/oauth/v2/accessToken

To do this, make the following HTTP POST request with a Content-Type header of
x-www-form-urlencoded using the following parameters:

| Parameter | Type | Description | Required |
|---|---|---|---|
| grant_type | string | The value of this field should always be: authorization_code | Yes |
| code | string | The authorization code you received in Step 2. | Yes |
| client_id | string | The Client ID value generated in Step 1. | Yes |
| client_secret | string | The Secret Key value generated in Step 1. See the Best Practices Guide for ways to keep your client_secret value secure. | Yes |
| redirect_uri | url | The same redirect_uri value that you passed in the previous step. | Yes |

Sample Request

https

POST https://www.linkedin.com/oauth/v2/accessToken
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code={authorization_code_from_step2_response}&client_id={your_client_id}&client_secret={your_client_secret}&redirect_uri={your_callback_url}

Response
A successful access token request returns a JSON object containing the following
fields:

| Parameter | Type | Description |
|---|---|---|
| access_token | string | The access token for the application. This value must be kept secure as specified in the API Terms of Use. The length of access tokens is ~500 characters. We recommend that you plan for your application to handle tokens with length of at least 1000 characters to accommodate any future expansion plans. This applies to both access tokens and refresh tokens. |
| expires_in | int | The number of seconds remaining until the token expires. Currently, all access tokens are issued with a 60-day lifespan. |
| refresh_token | string | Your refresh token for the application. This token must be kept secure. |
| refresh_token_expires_in | int | The number of seconds remaining until the refresh token expires. Refresh tokens usually have a longer lifespan than access tokens. |
| scope | string | URL-encoded, space-delimited list of member permissions your application has requested on behalf of the user. |

JSON

{
    "access_token":"AQUvlL_DYEzvT2wz1QJiEPeLioeA",
    "expires_in":5184000,
    "scope":"r_basicprofile"
}

For more error details, refer to the API Error Details table.

Note

Access Token Scopes and Lifetime

Access tokens stay valid until the number of seconds indicated in the expires_in
field in the API response has elapsed. You can go through the OAuth flow on multiple
clients (browsers or devices) and simultaneously hold multiple valid access tokens if the
same scope is requested. If you request a different scope than the previously
granted scope, all the previous access tokens are invalidated.

Step 4: Make Authenticated Requests


Once you've obtained an access token, you can start making authenticated API requests
on behalf of the member by including an Authorization header in the HTTP call to
LinkedIn's API.

Sample Request

Bash

curl -X GET 'https://api.linkedin.com/v2/me' \
-H 'Authorization: Bearer {INSERT_TOKEN}'

Step 5: Refresh Access Token

Tip

To protect members' data, LinkedIn does not generate long-lived access tokens.

Make sure your application refreshes access tokens before they expire, to avoid
unnecessarily sending your application's users through the authorization
process again.

Refreshing an access token is a seamless user experience. To refresh an access token, go
through the authorization process again to fetch a new token. This time however, in the
refresh workflow, the authorization screen is bypassed, and the member is redirected to
your redirect URL, provided the following conditions are met:

The member is still logged into www.linkedin.com
The member's current access token has not expired

If the member is no longer logged in to www.linkedin.com or their access token has
expired, they are sent through the normal authorization process.

Programmatic refresh tokens are available for a limited set of partners. If this feature has
been enabled for your application, see Programmatic Refresh Tokens for instructions.

API Error Details


The following are the API errors and their resolutions for 3-legged OAuth. If you wish to
view the standard HTTP status codes and their meanings, see the Error Handling page.

/oauth/v2/authorization

| HTTP STATUS CODE | ERROR MESSAGE | ERROR DESCRIPTION | RESOLUTION |
|---|---|---|---|
| 401 | Redirect_uri doesn’t match | Redirect URI passed in the request does not match the redirect URI added to the developer application. | Ensure that the redirect URI passed in the request matches the redirect URI added in the developer application under the Authorization tab. |
| 401 | Client_id doesn’t match | Client ID passed in the request does not match the client ID of the developer application. | Ensure that the client ID passed matches the developer application. |
| 401 | Invalid scope | Permissions passed in the request are invalid. | Ensure that the permissions sent in the scope parameter are assigned to the developer application in the developer portal. |

/oauth/v2/accessToken

| HTTP STATUS CODE | ERROR MESSAGE | ERROR DESCRIPTION | RESOLUTION |
|---|---|---|---|
| 401 | invalid_request "Unable to retrieve access token: authorization code not found" | Authorization code sent is invalid or not found. | Check whether the sent authorization code is valid. |
| 400 | invalid_request "A required parameter "redirect_uri" is missing" | Redirect_uri in the request is missing. It is a mandatory parameter. | Pass the redirect_uri in the request to route the user back to the correct landing page. |
| 400 | invalid_request "A required parameter "code" is missing" | Authorization code in the request is missing. It is a mandatory parameter. | Pass the authorization code received as part of the authorization API call. |
| 400 | invalid_request "A required parameter "grant_type" is missing" | Grant type in the request is missing. It is a mandatory parameter. | Add grant_type as "authorization_code" in the request. |
| 400 | invalid_request "A required parameter "client_id" is missing" | Client ID in the request is missing. It is a mandatory parameter. | Pass the client id of the app in the request. |
| 400 | invalid_request "A required parameter "client_secret" is missing" | Client Secret in the request is missing. It is a mandatory parameter. | Pass the client secret of the app in the request. |
| 400 | invalid_redirect_uri "Unable to retrieve access token: appid/redirect uri/code verifier does not match authorization code. Or authorization code expired. Or external member binding exists" | Invalid redirect uri is passed in the request. | Pass the right redirect uri tagged to the developer application. |
| 400 | invalid_redirect_uri "Unable to retrieve access token: appid/redirect uri/code verifier does not match authorization code. Or authorization code expired. Or external member binding exists" | Invalid authorization code is sent as part of the request. | The authorization code has expired. Re-authenticate the member to generate a new authorization code and pass the fresh authorization code to exchange for an access token. |


Client Credential Flow (2-legged OAuth)
Article • 02/05/2025

If your application needs to access APIs that are not member specific, use the Client
Credential Flow. Your application cannot access these APIs by default.

Learn more:

LinkedIn Developer Enterprise products and permission requests.


LinkedIn Developers Platform knowledge base.

Important

2-legged OAuth authentication is not available for Marketing APIs

Note

Generate a Token Manually Using the Developer Portal

The LinkedIn Developer Portal has a token generator for manually creating tokens.
Visit the LinkedIn Developer Portal Token Generator or follow the steps outlined
in Developer Portal Tools.

Step 1: Get Client ID and Client Secret


Getting started? Create a new application on the Developer Portal.
Existing application? Go to My apps to modify your app settings.

Each application is assigned a unique Client ID (Consumer key/API key) and Client
Secret. Please make a note of these values as they will be integrated into your
application config files. Your Client Secret protects your application's security so be sure
to keep it secure!

Warning

Do not share your Client Secret value with anyone. Do not pass it in the URL or in
URI query-string parameters when making API calls, and do not post it in support
forums, chat, etc.

Step 2: Generate an Access Token

To generate an access token, issue an HTTP POST against accessToken with a
Content-Type header of x-www-form-urlencoded and the following parameters in the
request body:

https

https://www.linkedin.com/oauth/v2/accessToken

| Parameter | Description | Required |
|---|---|---|
| grant_type | The value of this field should always be client_credentials | Yes |
| client_id | The Client ID value generated when you registered your application | Yes |
| client_secret | The Client Secret value generated when you registered your application. All values requiring URL encoding must be encoded. Client secrets can include characters like / , = , + which require URL encoding. | Yes |

View the Best Practices for Secure Applications page for more security info.

Sample Request (Secure Approach)

https

POST https://www.linkedin.com/oauth/v2/accessToken HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id={your_client_id}&client_secret={your_client_secret}

A successful access token request returns a JSON object containing the following
fields:

access_token — The access token for the application. This token must be kept secure.
expires_in — Seconds until token expiration.

The access token has a 30-minute lifespan and must be used immediately. You
may request a new token once your current token expires.

Sample Response
JSON

{
    "access_token": "AQV8...",
    "expires_in": "1800"
}

For error details, refer to the API Error Details section.
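
The token requests in Step 3 of the Authorization Code Flow and in Step 2 above differ only in their form fields, so one helper can serve both. This added example (not LinkedIn's code) builds the POST with the secret URL-encoded in the body and never in the URL, and parses responses whose expires_in arrives as a number or as a string, as the two sample responses show. The function names, the refresh_margin parameter and the credential values are assumptions, and no network call is made.

```python
import json
import time
import urllib.request
from urllib.parse import unquote, urlencode

TOKEN_ENDPOINT = "https://www.linkedin.com/oauth/v2/accessToken"


def build_token_request(grant_type, client_id, client_secret, code=None, redirect_uri=None):
    """Build (but do not send) the accessToken POST for either OAuth flow."""
    fields = {"grant_type": grant_type}
    if grant_type == "authorization_code":
        if not code or not redirect_uri:
            raise ValueError("authorization_code requires code and redirect_uri")
        fields["code"] = code
        fields["redirect_uri"] = redirect_uri  # same value as in the authorization request
    elif grant_type != "client_credentials":
        raise ValueError("unsupported grant_type: " + grant_type)
    fields["client_id"] = client_id
    fields["client_secret"] = client_secret
    # urlencode percent-encodes '/', '=' and '+', which client secrets may contain.
    body = urlencode(fields).encode("ascii")
    # The secret travels only in the request body; the URL carries no query string.
    return urllib.request.Request(
        TOKEN_ENDPOINT,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw_json, now=None, refresh_margin=300):
    """Validate a token response and compute when to renew (margin is an assumption)."""
    data = json.loads(raw_json)
    if not isinstance(data, dict):
        raise ValueError("token response is not a JSON object")
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("response has no access_token")
    try:
        # 5184000 (number) in the 3-legged sample, "1800" (string) in the 2-legged one.
        expires_in = int(data["expires_in"])
    except (KeyError, TypeError, ValueError):
        raise ValueError("response has no usable expires_in") from None
    if expires_in <= 0:
        raise ValueError("token is already expired")
    now = time.time() if now is None else now
    return {
        "access_token": token,
        "expires_at": now + expires_in,
        "renew_after": now + max(expires_in - refresh_margin, 0),
        # scope is documented as a URL-encoded, space-delimited list.
        "scope": unquote(data.get("scope", "")).split(),
    }


if __name__ == "__main__":
    # Constructed credentials and response for illustration only.
    req = build_token_request("client_credentials", "your_client_id", "s3/cr=t+value")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    sample = '{"access_token": "AQV8...", "expires_in": "1800"}'
    print(parse_token_response(sample, now=0))
```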

Step 3: Make API Requests


Once you've received an access token, you can make API requests by including an
Authorization header with your token in the HTTP call to LinkedIn's API.

Sample Request
https

GET https://api.linkedin.com/v2/jobs HTTP/1.1
Connection: Keep-Alive
Authorization: Bearer {access_token}

API Error Details


| HTTP STATUS CODE | ERROR MESSAGE | DESCRIPTION | RESOLUTION |
|---|---|---|---|
| 401 | invalid_client_id "Client authentication failed" | Client Authentication failed due to bad client credentials passed as part of the request. | Check whether the right Client ID, Client Secret are passed as part of the request. |
| 401 | access_denied "This application is not allowed to create application tokens" | The developer application doesn’t have enough permission to generate 2L application token. | Reach out to the LinkedIn Relationship Manager or Business Development team to get the necessary access. |
| 400 | invalid_request "A required parameter "grant_type" is missing" | Grant type in the request is missing. It is a mandatory parameter. | Add grant_type as client_credentials in the request. |
| 400 | invalid_request "A required parameter "client_id" is missing" | Client ID in the request is missing. It is a mandatory parameter. | Pass the Client ID of the developer application in request. |
| 400 | invalid_request "A required parameter "client_secret" is missing" | Client Secret in the request is missing. It is a mandatory parameter. | Pass the Client Secret of the developer application in the request. |
| 400 | invalid_client_id "The passed in client_id is invalid "abcdefghijk"" | Invalid client ID is passed in the request. | Pass the right client ID from the developer application. |


Generate an Access Token - Getting Started with Postman
Article • 05/08/2023

Summary
The full process your application will need to implement for 3-legged tokens is
described in Authorization Code Flow, and the process for 2-legged tokens is described
in Client Credentials Flow. The steps outlined below describe the process for using
LinkedIn's public Postman workspaces to generate OAuth tokens for testing. For specific
examples, we will use the Marketing Solutions workspace, but all steps should apply
to all workspaces. These steps assume you have already created a free Postman
account.

Step 1 - Application
Go to the LinkedIn Developer Portal, select the app you'll be using, click the "Auth"
tab, and locate your Client ID and Client Secret. Please note these values for use later
during this process.

Step 2 - Auth Settings


From the same "Auth" tab, scroll to the bottom of the page. Under "OAuth 2.0 Settings",
add the Postman callback URLs https://oauth.pstmn.io/v1/callback and
https://oauth.pstmn.io/v1/browser-callback to your Redirect URL list.
Caution

Postman uses the term "Callback URL"
LinkedIn uses the term "Redirect URL"

Step 3 - Fork Collections and Environments


Navigate to LinkedIn's public Postman workspaces:

Choose a workspace and fork the collections and relevant environments of interest. Each
collection will have an environment it should be used with. For example, if you were to
navigate to the LinkedIn Marketing Solutions workspace, the Campaign Management
collection should be used with the campaign-management-env environment.

Fork a Postman Collection


Fork a collection:
https://www.microsoft.com/en-us/videoplayer/embed/RWNqGu?postJsllMsg=true

Fork an environment:
https://www.microsoft.com/en-us/videoplayer/embed/RWNqGv?postJsllMsg=true
Step 4 - Fill in Environment Variables
Fill in the Client ID and Client Secret environment variables before moving onto the next
step. Don't forget to save your changes!

Step 5 - Headers
Each collection in each workspace will have its OAuth 2.0 Authorization settings pre-
populated with the correct URLs, environment variables, and scopes to be able to
successfully run the requests within the corresponding Use Cases folder. Click on a
collection title to open its Authorization tab. Ensure that the correct environment is
selected and click "Get new access token":

Grant Type: Authorization Code (3-legged token) or Client Credentials (2-legged token)
Callback (Redirect) URL: https://oauth.pstmn.io/v1/browser-callback
  Note the Callback URL should be https://oauth.pstmn.io/v1/callback with the
  "Authorize using browser" box checked if you are using the Postman Desktop app
Auth URL: https://www.linkedin.com/oauth/v2/authorization
Access Token URL: https://www.linkedin.com/oauth/v2/accessToken
Client ID: {using the client_id from the environment variables}
Client Secret: {using the client_secret from the environment variables}
Scope: Differs per collection but an example is
  { rw_ads,r_basicprofile,w_organization_social,w_member_social,rw_organization_admin }
Client Authentication: Send client credentials in body when the Grant Type is
  Authorization Code. Send as Basic Auth header when the Grant Type is Client
  Credentials.
Step 6 - Identity Authentication
If the Grant Type in Step 5 was Authorization Code then Postman will take you to the
LinkedIn authorization page, where you may be prompted to log into LinkedIn. Click
"Allow" to authorize the request. The prompt on the authorization page is dictated by
the requested scopes in the previous step.
Step 7 - Use Token
Postman will then display your access token to be used for testing. Choose the 'Use
Token' button to set this as the currently used token. The token will automatically be
propagated to all requests within the corresponding collection. The video below shows
an example of requesting a 3-legged token via the Authorization Code Grant Type.
https://www.microsoft.com/en-us/videoplayer/embed/RWQmh5?postJsllMsg=true

Step 8 - Testing
Finally, send a request within the Use Cases folder. Ensure the correct environment is
selected and that any environment-level or collection-level variables used in the
request are set. For example, in the screenshot below, the request uses the
sponsoredaccount_id variable from the campaign-management-env environment.

Learn more about Postman variables in Postman's online documentation


Note that some requests dynamically set variables via a script that runs post request
execution. You will know if a script is set to run for a request if there is a green dot next
to the Tests tab.

To see a sample response, view the saved example.



Refresh Tokens with OAuth 2.0
Article • 05/08/2023

LinkedIn supports programmatic refresh tokens for all approved Marketing Developer
Platform (MDP) partners.

Introduction
Refresh tokens are used to get a new access token when your current access token
expires. For more information, see the OAuth 2.0 RFC.

LinkedIn offers programmatic refresh tokens that are valid for a fixed length of time. By
default, access tokens are valid for 60 days and programmatic refresh tokens are valid
for a year. The member must reauthorize your application when refresh tokens expire.

When you use a refresh token to generate a new access token, the lifespan or Time To
Live (TTL) of the refresh token remains the same as specified in the initial OAuth flow
(365 days), and the new access token has a new TTL of 60 days.

For example, on:


Day 1 - Your refresh token has a TTL of 365 days, and your access token has a TTL
of 60 days.
Day 59 - If you generate a new access token using the refresh token, the access
token will have a TTL of 60 days and the refresh token will have a TTL of 306 days
(365-59=306).
Day 360 - If you generate a new access token, your access token and refresh token
will both expire in 5 days (365-360=5) and you must get your application
reauthorized by the member using the authorization flow.

Note

Refresh Tokens are useful in minting new Access Tokens and allow for seamless
operations for extended periods of time. However, LinkedIn reserves the right to
revoke Refresh Tokens or Access Tokens at any time due to technical or policy
reasons. In such scenarios, products leveraging Refresh Tokens are expected to
fall back to the standard OAuth flow and present the login screen to the end
users.

Step 1: Getting a Refresh Token


Use the Authorization Code Flow to get both a refresh token and access token. If your
application is authorized for programmatic refresh tokens, the following fields are
returned when you exchange the authorization code for an access token:

refresh_token — Your refresh token for the application. This token must be kept
secure.
refresh_token_expires_in — The number of seconds remaining until the refresh
token expires. Refresh tokens usually have a longer lifespan than access tokens.
scope — URL-encoded, space-delimited list of member permissions your
application has requested on behalf of the user.

Sample Response

JSON

{
"access_token": "AQXNnd2kXITHELmWblJigbHEuoFdfRhOwGA0QNnumBI8XOVSs0HtOHEU-
wvaKrkMLfxxaB1O4poRg2svCWWgwhebQhqrETYlLikJJMgRAvH1ostjXd3DP3BtwzCGeTQ7K9vvA
qfQK5iG_eyS-q-
y8WNt2SnZKZumGaeUw_zKqtgCQavfEVCddKHcHLaLPGVUvjCH_KW0DJIdUMXd90kWqwuw3UKH27k
i5raFDPuMyQXLYxkqq4mYU-IUuZRwq1pcrYp1Vv-
ltbA_svUxGt_xeWeSxKkmgivY_DlT3jQylL44q36ybGBSbaFn-
UU7zzio4EmOzdmm2tlGwG7dDeivdPDsGbj5ig",
"expires_in": 86400,
"refresh_token": "AQWAft_WjYZKwuWXLC5hQlghgTam-tuT8CvFej9-
XxGyqeER_7jTr8HmjiGjqil13i7gMFjyDxh1g7C_G1gyTZmfcD0Bo2oEHofNAkr_76mSk84sppsG
bygwW-5oLsb_OH_EXADPIFo0kppznrK55VMIBv_d7SINunt-
7DtXCRAv0YnET5KroQOlmAhc1_HwW68EZniFw1YnB2dgDSxCkXnrfHYq7h63w0hjFXmgrdxeeAuO
HBHnFFYHOWWjI8sLLenPy_EBrgYIitXsAkLUGvZXlCjAWl-
W459feNjHZ0SIsyTVwzAQtl5lmw1ht08z5Du-RiQahQE0sv89eimHVg9VSNOaTvw",
"refresh_token_expires_in": 525600,
"scope":"r_basicprofile"
}

Note

Refresh tokens are approximately 500 characters long. We recommend that your
application stack be made to handle tokens of at least 1000 characters to
accommodate future expansion plans. This applies to access tokens as well as
refresh tokens.

Step 2: Exchanging a Refresh Token for a New Access Token

You can exchange the refresh token for a new access token by making the following
HTTP POST request with a Content-Type header of application/x-www-form-urlencoded
and the following parameters in the request body:

POST

https://www.linkedin.com/oauth/v2/accessToken

| Parameter | Description | Required |
|---|---|---|
| grant_type | The value of this field should always be refresh_token. | Yes |
| refresh_token | The refresh token from Step 1. | Yes |
| client_id | The Client ID value generated when you registered your application. | Yes |
| client_secret | The Client Secret value generated when you registered your application. | Yes |

Sample Request
https

POST https://www.linkedin.com/oauth/v2/accessToken
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=AQQOMeCIQMa6-zjU-02w8EJW67wPVk3hjJE5x1lZhU013LihKD8i1DpvaAl2jnuP8F1uXMgkm8nzjPfnaJR_kQNOxsLRLZWnAMzHMm81S0yQlkBYicw&client_id=861hhm46p48to2&client_secret=gPecS7yqHkyyShvR

A successful request returns a new access token with a new expiration time and the
refresh token.

JSON

{
"access_token": "BBBB2kXITHELmWblJigbHEuoFdfRhOwGA0QNnumBI8XOVSs0HtOHEU-
wvaKrkMLfxxaB1O4poRg2svCWWgwhebQhqrETYlLikJJMgRAvH1ostjXd3DP3BtwzCGeTQ7K9vvA
qfQK5iG_eyS-q-
y8WNt2SnZKZumGaeUw_zKqtgCQavfEVCddKHcHLaLPGVUvjCH_KW0DJIdUMXd90kWqwuw3UKH27k
i5raFDPuMyQXLYxkqq4mYU-IUuZRwq1pcrYp1Vv-
ltbA_svUxGt_xeWeSxKkmgivY_DlT3jQylL44q36ybGBSbaFn-
UU7zzio4EmOzdmm2tlGwG7dDeivdPDsGbj5ig",
"expires_in": 86400,
"refresh_token": "AQWAft_WjYZKwuWXLC5hQlghgTam-tuT8CvFej9-
XxGyqeER_7jTr8HmjiGjqil13i7gMFjyDxh1g7C_G1gyTZmfcD0Bo2oEHofNAkr_76mSk84sppsG
bygwW-5oLsb_OH_EXADPIFo0kppznrK55VMIBv_d7SINunt-
7DtXCRAv0YnET5KroQOlmAhc1_HwW68EZniFw1YnB2dgDSxCkXnrfHYq7h63w0hjFXmgrdxeeAuO
HBHnFFYHOWWjI8sLenPy_EBrgYIitXsAkLUGvZXlCjAWl-
W459feNjHZ0SIsyTVwzAQtl5lmw1ht08z5Du-RiQahQE0sv89eimHVg9VSNOaTvw",
"refresh_token_expires_in": 439200,
"scope":"r_basicprofile"
}

API Error Details

| HTTP STATUS CODE | ERROR MESSAGE | ERROR DESCRIPTION | RESOLUTION |
|---|---|---|---|
| 400 | invalid_request "The provided authorization grant or refresh token is invalid, expired or revoked" | Invalid or expired or revoked refresh token is sent as part of the request. | Refresh Token expired or revoked or invalid, hence reauthenticate the member to generate the new refresh token. |
| 400 | invalid_request "A required parameter "redirect_uri" is missing" | Redirect_URI in the request is missing. It is mandatory parameter. | Pass the Redirect_URI in the request to route user back to correct landing page. |
| 400 | invalid_request "A required parameter "grant_type" is missing" | Grant type in the request is missing. It is mandatory parameter. | Add grant_type as "refresh_token" in the request. |
| 400 | invalid_request "A required parameter "client_id" is missing" | Client ID in the request is missing. It is mandatory parameter. | Pass the client id of the app in request. |
| 400 | invalid_request "A required parameter "refresh_token" is missing" | Refresh Token in the request is missing. It is mandatory parameter. | Pass the stored Refresh Token received as part of initial access token call. |
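
The refresh procedure above (the fixed refresh-token TTL, the Step 2 request, and the fallback to reauthorization when the refresh token is invalid, expired or revoked), as an added Python example that is not part of LinkedIn's documentation. The TokenSet type, the function names, the 300-second skew and the RFC 6749 error_description field in the error body are assumptions; the request is built but never sent.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlencode
from urllib.request import Request

TOKEN_URL = "https://www.linkedin.com/oauth/v2/accessToken"  # from the page

@dataclass
class TokenSet:
    access_token: str
    access_expires_at: float   # absolute epoch seconds
    refresh_token: str
    refresh_expires_at: float  # fixed at first authorization, never extended

def build_refresh_request(refresh_token, client_id, client_secret):
    """Build (not send) the Step 2 POST; secrets go in the body, not the URL."""
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": client_id,
                      "client_secret": client_secret}).encode()
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(status, raw, now):
    """Return a TokenSet, or None when the member must reauthorize."""
    if status not in (200, 400):
        raise RuntimeError(f"unexpected token endpoint status {status}")
    payload = json.loads(raw)
    if status == 200:
        # int() also accepts a string TTL such as "1800"
        return TokenSet(payload["access_token"],
                        now + int(payload["expires_in"]),
                        payload["refresh_token"],
                        now + int(payload["refresh_token_expires_in"]))
    # Assumption: RFC 6749 error body with an "error_description" field.
    if "is missing" in payload.get("error_description", ""):
        raise ValueError("malformed refresh request; fix the client code")
    return None  # invalid, expired or revoked: fall back to the OAuth flow

def next_action(tokens, now, skew=300):
    """'use' the access token, 'refresh' it, or 'reauthorize' the member."""
    if tokens is None or now + skew >= tokens.refresh_expires_at:
        return "reauthorize"
    if now + skew >= tokens.access_expires_at:
        return "refresh"
    return "use"
```

Storing absolute expiry times rather than the returned TTLs keeps the Day 59 and Day 360 cases consistent: the refresh token's deadline computed after a refresh matches the one computed at first authorization.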



Developer Portal Tools
Article • 05/08/2023

The LinkedIn Developer Portal Token Generator Tool allows a quick and easy method for
generating an access token to make authenticated API calls.

Generate a Token in the Developer Portal


Once a token is generated, users are redirected to the token information page which
includes details like OAuth scopes and token time to live (TTL) for reference during
development activities.

1. Visit the LinkedIn Developer Portal Token Generator tool.

2. Select the app you'd like to generate a token for.

3. Select OAuth flow and permission scopes.

4. Member approval
The authenticated member will receive a request for your app to access their profile.

5. Token Generation

Once the token is generated, the "Token Details" will be shown along with the token.
Click "Copy token" to paste it into your application code.
