A LinkedIn token is an access token that allows third-party applications to access a user’s LinkedIn data and perform actions on behalf of that user. LinkedIn uses the OAuth 2.0 protocol to authorize these third-party applications and issue access tokens.
How do LinkedIn tokens work?
Here is a quick overview of how LinkedIn tokens work:
- A user tries to log in to a third-party app using their LinkedIn account.
- The app redirects the user's browser to LinkedIn's OAuth authorization page, passing the app's client_id, its registered redirect_uri, the requested scopes and a random state value.
- Once logged in, the user is asked to authorize the app and grant access to their LinkedIn data (this screen is skipped when the user has already granted the same scopes and the grant is still valid).
- If the user grants access, LinkedIn redirects the browser to the app's redirect_uri with a short-lived authorization code and the state value echoed back.
- The app checks that the returned state matches the one it generated, then its server exchanges the code for an access token by POSTing it, together with the client secret, to LinkedIn's token endpoint. The token is unique to that user and app.
- The app stores the token and uses it to make API calls on the user's behalf, presenting the LinkedIn data to the user.
- When the token expires, an app that LinkedIn has issued a refresh token can get a new access token without user intervention; other apps send the user back through the authorization step.
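The steps above, as an added example that is not code from the original page or from LinkedIn. It builds the authorization URL with a random state, validates the callback (state check, error check, presence of a code) and prepares the server-side code-for-token POST. The two endpoint URLs are LinkedIn's documented ones; the client id, redirect URI, the openid/profile/email scopes and the callback URL in the demo are placeholder values assumed for illustration.

```python
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# LinkedIn's documented OAuth 2.0 endpoints.
AUTH_URL = "https://www.linkedin.com/oauth/v2/authorization"
TOKEN_URL = "https://www.linkedin.com/oauth/v2/accessToken"


class OAuthError(Exception):
    """Raised when the callback must not be trusted."""


def build_authorization_url(client_id, redirect_uri, scopes):
    """Build the URL the browser is sent to.

    Returns (url, state). Keep `state` in the user's server-side session; it is the
    CSRF check that ties the eventual callback to this browser.
    """
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),  # LinkedIn takes space-separated scope names
    }
    return f"{AUTH_URL}?{urlencode(params, quote_via=quote)}", state


def parse_callback(callback_url, expected_state):
    """Validate LinkedIn's redirect back to the app and extract the one-time code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        # The user declined, or LinkedIn rejected the request; there is no code to exchange.
        raise OAuthError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    # Constant-time compare so a wrong guess leaks nothing about the real value.
    if not state or not secrets.compare_digest(state, expected_state):
        raise OAuthError("state mismatch: callback was not started by this session")
    code = query.get("code", [""])[0]
    if not code:
        raise OAuthError("callback carried no authorization code")
    return code


def build_token_request(code, client_id, client_secret, redirect_uri):
    """The code-for-token exchange: a form-encoded server-to-server POST, never from the browser."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # stays on the server; the browser never sees it
        "redirect_uri": redirect_uri,    # must exactly match the one in the authorization URL
    }
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(body)


if __name__ == "__main__":
    # Constructed values: client id, redirect URI and the callback are placeholders.
    url, state = build_authorization_url(
        "YOUR_CLIENT_ID", "https://app.example/callback", ["openid", "profile", "email"]
    )
    print("send browser to:", url)
    callback = f"https://app.example/callback?code=AQTexamplecode&state={state}"
    code = parse_callback(callback, state)
    endpoint, headers, form = build_token_request(
        code, "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "https://app.example/callback"
    )
    print("POST", endpoint, form)
```

In a real app the state value is stored in the server-side session between the redirect and the callback, and the prepared POST is sent with the app's HTTP client; the code is single-use, so a failed exchange means restarting the flow rather than retrying with the same code.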
The access token allows the app to access the user’s LinkedIn data based on the permissions granted by the user. The token acts as a key that gives temporary access to make API calls to retrieve profile data, share updates, or access other LinkedIn capabilities.
What permissions can a LinkedIn token provide?
A LinkedIn token can provide varying levels of access based on the permissions (scopes) the user grants during the OAuth flow. The scope names below come from older versions of LinkedIn's API and are kept here because they still turn up in many integrations and tutorials; most are no longer granted to new apps:
- r_basicprofile – Read access to basic profile data like photo, headline, and public profile URL.
- r_emailaddress – Read access to the user’s primary email address.
- w_share – Ability to share content on behalf of the user.
- rw_nus – Read/write access to network updates and make posts on the user’s behalf.
- r_fullprofile – Read access to full profile including experience, education, skills, and recommendations.
- r_contactinfo – Read access to contact information like phone numbers and addresses.
Current apps request the scopes that go with the LinkedIn products enabled for them, for example openid, profile and email for Sign In with LinkedIn using OpenID Connect, or w_member_social to post on a member's behalf. Apps list the scopes they need in the initial authorization request, and the token is limited to those the user approved; a scope that is not enabled for the app cannot be requested at all.
What is the structure of a LinkedIn token?
LinkedIn's access tokens are opaque. A string such as the example below has no documented internal format, and the app should not parse it, extract claims from it, or make authorization decisions based on its contents. The reliable ways to learn what a token is good for are LinkedIn's token introspection endpoint (https://www.linkedin.com/oauth/v2/introspectToken, a form-encoded POST with client_id, client_secret and token, which reports whether the token is active, its scopes and when it expires) and the API's own responses.
A256FXE.8J7Iu1C19UYXlAWU7J-gaSMD.lxW8
The dot-separated header/payload/signature layout is that of a JSON Web Token (JWT). LinkedIn does issue one of those, the OpenID Connect ID token returned by Sign In with LinkedIn, but it is a separate credential from the access token and is used to identify the member, not to call the API:
- Header – The token type and the signing algorithm.
- Payload – Claims such as the subject (member id), issuer, audience and expiry. It is base64url-encoded, not encrypted: anyone holding the token can read it.
- Signature – Computed by signing (or, for HMAC algorithms, keying a MAC over) the encoded header and payload with the issuer's key. It lets the app check that the token is untouched and came from LinkedIn; it is not an encryption of the other parts.
An ID token must be verified against LinkedIn's published signing keys, and its issuer, audience and expiry checked, before any claim in it is trusted. The access token itself carries no such structure for the app to inspect.
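The distinction above, as an added example that is not code from the original page or from LinkedIn: it tries to decode the page's sample access token as a JWT and gets nothing, then builds and checks a constructed HS256 JWT to show that the payload is readable without any key, that the signature is an HMAC over header.payload rather than an encryption of it, and that a verifier must pin the algorithm instead of trusting the header. The signing key and the claims are constructed for the demo; a real LinkedIn ID token is RS256-signed and must be checked against LinkedIn's published keys, which this stdlib-only code does not do.

```python
import base64
import hashlib
import hmac
import json

# The page's sample access token; LinkedIn documents access tokens as opaque strings.
OPAQUE_TOKEN = "A256FXE.8J7Iu1C19UYXlAWU7J-gaSMD.lxW8"


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Return (header, payload) if `token` is a JWT, else None for an opaque token.

    The payload is only base64url-encoded JSON, not encrypted: anyone can read it.
    Nothing here is verified, so never act on the claims until a verifier has
    accepted the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all end up here
        return None
    if not isinstance(header, dict) or "alg" not in header or not isinstance(payload, dict):
        return None
    return header, payload


def sign_hs256(payload, key):
    """Constructed demo signer. The signature is an HMAC over `header.payload`;
    it proves integrity and origin, it does not hide anything."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token, key):
    """Accept the token only if the header says HS256 and the HMAC matches.

    Pinning the algorithm matters: a verifier that trusts `alg` from the header can be
    talked into 'none' or into treating a public key as an HMAC secret.
    """
    decoded = decode_jwt_unverified(token)
    if decoded is None or decoded[0].get("alg") != "HS256":
        return False
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(_b64url_decode(sig), expected)
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-linkedin-secret"
    jwt = sign_hs256({"sub": "member-123", "exp": 1700000000}, key)
    print("opaque:", decode_jwt_unverified(OPAQUE_TOKEN))   # nothing to decode
    print("jwt   :", decode_jwt_unverified(jwt))            # header and readable payload
    print("valid :", verify_hs256(jwt, key))
    print("wrong key:", verify_hs256(jwt, b"some-other-key"))
```

The same split applies to any OAuth provider: treat the access token as a capability you hold, not a document you read, and reserve parsing for the ID token, after verification.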
How long do LinkedIn tokens last?
The lifespan of a LinkedIn access token depends on the type:
- Member (user) access tokens – 60 days. Whether they can be refreshed depends on the app: LinkedIn issues programmatic refresh tokens only to apps approved for them, and every other app sends the member back through the authorization flow when the token expires.
- Client credentials (application) access tokens – 30 minutes. They are obtained with the client_credentials grant, act as the application rather than a member, and are requested again rather than refreshed.
- Refresh tokens – 365 days from the original authorization. A refresh returns a new access token but does not extend the refresh token past that date; after it expires the member must authorize the app again.
Record the absolute expiry (issue time plus expires_in) when you store a token, rather than the raw expires_in value, so the app can tell before a call whether the token is still usable.
How to get a LinkedIn token?
There are a few ways to get a LinkedIn access token:
- Use LinkedIn’s OAuth 2.0 authorization code flow in your app: the member authorizes, LinkedIn returns a code to your redirect URI, and your server exchanges it for the token.
- Use the client credentials flow (2-legged OAuth) for application-only tokens that do not act on behalf of a member.
- Generate a test token with the OAuth 2.0 tools in the LinkedIn Developer Portal; it is bound to the developer’s own account and the app’s approved scopes.
- Use the Sign In with LinkedIn button, which runs the same authorization code flow with the OpenID Connect scopes.
The authorization code flow is what production apps use for member tokens. Portal-generated tokens are for exercising the API during development; they must never be shipped in the app or reused as a service credential.
How to refresh a LinkedIn token?
Refreshing is available only to apps that LinkedIn has issued programmatic refresh tokens; when it is, the refresh_token field appears in the token response. To get a new access token, make a form-encoded POST to the token endpoint, https://www.linkedin.com/oauth/v2/accessToken, with these parameters:
- grant_type = refresh_token
- refresh_token = your_refresh_token
- client_id = your_client_id
- client_secret = your_client_secret
The response carries a new access_token and expires_in, plus refresh_token and refresh_token_expires_in. Store the new refresh token in place of the old one, and note that refresh_token_expires_in counts from the original authorization, so refreshing never extends the 365-day limit. Use the new access token in your API calls. An app without refresh tokens sends the member back through the authorization flow instead, which completes without a consent screen while the member is signed in and the grant is still valid. Client credentials tokens cannot be refreshed; request a new one.
How to revoke a LinkedIn token?
To revoke a LinkedIn token, make a form-encoded POST to LinkedIn’s OAuth 2.0 revoke endpoint, https://www.linkedin.com/oauth/v2/revoke, with these parameters:
- client_id = your_client_id
- client_secret = your_client_secret
- token = the_token_to_revoke
The token is invalidated immediately. Revoke the refresh token as well if the app holds one, then delete both from storage; the user has to authorize the app again before new tokens can be issued. Do this on logout, on account unlinking, and whenever a token may have leaked.
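The lifetime rules, the refresh request and the revoke request from the three sections above, as one added example that is not code from the original page or from LinkedIn. It pins the relative expires_in values to an absolute time at issue, decides whether a token is usable, needs a refresh, or must be re-acquired, and prepares the two form-encoded POSTs. The endpoint URLs are LinkedIn's documented ones; the refresh-ahead margin is an assumed app policy, and the token values and response bodies in the demo are constructed.

```python
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# LinkedIn's documented endpoints: a refresh is a POST to the same token endpoint
# as the code exchange; revocation has its own endpoint.
TOKEN_URL = "https://www.linkedin.com/oauth/v2/accessToken"
REVOKE_URL = "https://www.linkedin.com/oauth/v2/revoke"
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}
# Assumed app policy (not a LinkedIn rule): refresh ahead of expiry by up to a day,
# but never by more than a tenth of the token's lifetime, so 30-minute tokens still work.
MAX_REFRESH_MARGIN = 24 * 3600


@dataclass
class TokenRecord:
    access_token: str
    issued_at: float                      # epoch seconds
    access_expires_at: float
    refresh_token: Optional[str] = None
    refresh_expires_at: Optional[float] = None

    @classmethod
    def from_token_response(cls, body, now):
        """Build a record from the JSON the token endpoint returns.

        expires_in and refresh_token_expires_in are relative seconds; pinning them to
        `now` at issue time is what makes the stored record meaningful later. Works for
        the initial exchange, a refresh response and a client-credentials response alike.
        """
        refresh_in = body.get("refresh_token_expires_in")
        return cls(
            access_token=body["access_token"],
            issued_at=now,
            access_expires_at=now + body["expires_in"],
            refresh_token=body.get("refresh_token"),
            refresh_expires_at=None if refresh_in is None else now + refresh_in,
        )


def token_status(rec, now):
    """'ok': use the access token as is.
    'refresh': the access token is (about to be) expired and the refresh token is still valid.
    'reacquire': nothing usable; a member token means the OAuth flow again,
    a client-credentials token means a new client_credentials grant."""
    margin = min(MAX_REFRESH_MARGIN, 0.1 * (rec.access_expires_at - rec.issued_at))
    if now < rec.access_expires_at - margin:
        return "ok"
    if rec.refresh_token and rec.refresh_expires_at and now < rec.refresh_expires_at:
        return "refresh"
    return "reacquire"


def refresh_request(rec, client_id, client_secret):
    """POST for the refresh grant; only meaningful while token_status says 'refresh'."""
    return TOKEN_URL, FORM_HEADERS, urlencode({
        "grant_type": "refresh_token",
        "refresh_token": rec.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def revoke_request(token, client_id, client_secret):
    """POST for revocation; send it on logout or when the token may have leaked."""
    return REVOKE_URL, FORM_HEADERS, urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "token": token,
    })


if __name__ == "__main__":
    # Constructed token response using LinkedIn's documented lifetimes
    # (60 days for the access token, 365 days for the refresh token).
    issued = time.time()
    rec = TokenRecord.from_token_response({
        "access_token": "AQVexampleaccesstoken", "expires_in": 5184000,
        "refresh_token": "AQXexamplerefreshtoken", "refresh_token_expires_in": 31536000,
    }, issued)
    for label, at in [("day 1", issued), ("day 59.5", issued + 5184000 - 12 * 3600),
                      ("day 400", issued + 400 * 86400)]:
        print(label, token_status(rec, at))
    print(refresh_request(rec, "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"))
    print(revoke_request(rec.access_token, "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"))
```

After a successful refresh, replace the stored record with `TokenRecord.from_token_response(response_json, now)`; because LinkedIn reports refresh_token_expires_in relative to the original authorization, the new record's refresh expiry lands on the same date as before.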
Common issues with LinkedIn tokens
Here are some common issues that can come up with LinkedIn tokens and how to fix them:
- Expired token – Refresh it if the app holds a valid refresh token; otherwise send the member through the authorization flow again.
- Invalid token (HTTP 401) – The member may have revoked access, or the token was revoked or never valid. Discard it and redo the OAuth flow; retrying the same call will not help.
- Insufficient scopes (HTTP 403) – Request the additional scopes in a new authorization request; the member has to consent again and a new token is issued.
- Using client token for user API call – Use the member’s access token for member endpoints; a client credentials token identifies the application, not a user.
- Hardcoded tokens – Never embed tokens (or the client secret) in source code, in configuration checked into a repository, or in client-side code. Obtain them through the OAuth flow and keep them server-side.
Properly handling the tokens and OAuth flow will prevent most issues. Request only the scopes you need, refresh or re-authorize before tokens expire, and treat a 401 as a signal to restart the flow rather than to retry.
Storing LinkedIn tokens securely
Since LinkedIn tokens give access to member data, they should be stored with the same care as passwords. Here are some tips:
- Obtain tokens server-side through the authorization code flow; the token exchange uses the client secret, so it must never run in the browser or in a mobile client.
- Encrypt tokens at rest when persisting them to a database or storage, and keep the encryption key outside that database.
- Keep the token in a server-side session store keyed by a random session identifier; the browser only ever receives that identifier.
- If the identifier travels in a cookie, set the Secure, HttpOnly and SameSite flags on it, and never put the token itself in a cookie, in local storage or in a URL.
- The token lifetime is set by LinkedIn, not by the app, so keep your own session lifetime short and, if compromise is suspected, revoke the token and re-run the OAuth flow.
- Revoke tokens on the server when they are no longer needed (logout, unlink, account deletion) and delete them from storage.
- Keep tokens out of logs, crash reports and error pages.
Avoid storing tokens in client-side code or plaintext files. The tokens provide access to sensitive account data and should be protected accordingly.
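The server-side session pattern from the tips above, as an added example that is not code from the original page or from LinkedIn: the LinkedIn token lives only in a server-side vault, the browser gets a random session id in a cookie with the Secure, HttpOnly and SameSite flags, and ending a session hands the token back so the caller can revoke it. The vault keys entries by a hash of the session id, so a copy of the store does not by itself yield usable ids. The in-memory dictionary, the idle timeout and the token strings are assumptions for the demo; encryption at rest, which the tips also call for, needs a library such as cryptography and is not shown here.

```python
import hashlib
import secrets
import time


class TokenVault:
    """Holds LinkedIn tokens server-side, keyed by a session id; the browser only sees the id.

    `clock` is injectable so idle expiry can be exercised without waiting.
    """

    def __init__(self, ttl_seconds, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._sessions = {}  # sha256(session_id) -> (access_token, expires_at)

    @staticmethod
    def _key(session_id):
        # Store a digest, not the raw id: a leaked table does not give away live sessions.
        return hashlib.sha256(session_id.encode("ascii")).hexdigest()

    def create_session(self, access_token):
        """Put a freshly obtained token in the vault and return the id for the cookie."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[self._key(session_id)] = (access_token, self._clock() + self._ttl)
        return session_id

    def get_token(self, session_id):
        """Return the token for a live session, or None if unknown or idle too long."""
        entry = self._sessions.get(self._key(session_id))
        if entry is None:
            return None
        token, expires_at = entry
        if self._clock() >= expires_at:
            self._sessions.pop(self._key(session_id), None)  # idle session: drop the token
            return None
        return token

    def end_session(self, session_id):
        """Remove the session and hand back the token so the caller can revoke it at LinkedIn."""
        entry = self._sessions.pop(self._key(session_id), None)
        return entry[0] if entry else None

    @staticmethod
    def cookie_header(session_id, name="sid"):
        """Set-Cookie value for the session id: HttpOnly keeps scripts out, Secure keeps it
        off plain HTTP, SameSite=Lax blunts cross-site requests. The token never appears here."""
        return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    vault = TokenVault(ttl_seconds=30 * 60)
    sid = vault.create_session("AQVexampleaccesstoken")   # constructed token value
    print("Set-Cookie:", TokenVault.cookie_header(sid))
    print("token for request:", vault.get_token(sid))
    print("token to revoke on logout:", vault.end_session(sid))
    print("after logout:", vault.get_token(sid))
```

On logout the value returned by `end_session` is what goes into the revoke request; a production vault would back the dictionary with a store shared across app instances and encrypt the token column.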
Uses for LinkedIn tokens
Here are some common use cases for a LinkedIn access token in an app:
- Retrieving a user’s profile data to personalize experience.
- Posting share updates to a user’s LinkedIn feed.
- Importing a user’s LinkedIn connections and network.
- Analyzing skills, endorsements, and recommendations of a user.
- Enabling LinkedIn login and account linking.
- Fetching a user’s list of LinkedIn Pages to curate content.
- Any app needing access to LinkedIn’s APIs on behalf of a user.
The token can provide access to many LinkedIn capabilities without the app ever handling the user’s password. The OAuth flow lets the user control what data they allow the app to access, and the token can be revoked without changing the password.
LinkedIn API Rate Limits
When making API calls with a LinkedIn token, rate limits apply and exceeding them produces errors. Figures like the following circulate for LinkedIn’s API and are reproduced here as indicative only; they are not fixed, published numbers:
- 150 calls per hour for most endpoints.
- 20 calls per hour for messaging endpoints.
- 80 calls per hour for search endpoints.
- 30 calls per hour for Share API.
What LinkedIn does document is that each endpoint has a per-application daily limit and a per-member daily limit, that the values differ by endpoint and by the product the app is approved for, that the counters reset daily at midnight UTC, and that the current quotas and usage for your app are shown on the app’s Analytics tab in the Developer Portal. If you exceed a limit, calls fail with HTTP 429 “Too Many Requests”. Throttle calls from your app, honour the Retry-After header when one is present, back off rather than retrying immediately, and cache responses so you do not fetch the same data repeatedly.
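The throttling and error handling described above, together with the 401 handling from the common-issues list, as an added example that is not code from the original page or from LinkedIn. The client keeps a sliding-window quota of its own, honours Retry-After on a 429 (falling back to exponential backoff), and refuses to retry a 401, which is a signal to re-authorize. The quota numbers, the fake clock and the stand-in LinkedIn API in `run_demo` are constructed so the example runs offline; in production `send` would be the real HTTP call carrying the bearer token.

```python
import time
from collections import deque


class NeedsReauthorization(Exception):
    """401: the token is expired or revoked; do not retry, send the user back through OAuth."""


class RateLimited(Exception):
    """Still 429 after the retry budget; surface it instead of hammering the API."""


class ThrottledClient:
    """Sliding-window throttle plus 429/401 handling around an API call.

    send(path) -> (status, headers, body); clock and sleep are injectable for testing.
    """

    def __init__(self, send, max_calls, per_seconds, clock=time.monotonic, sleep=time.sleep):
        self._send = send
        self._max = max_calls
        self._window = per_seconds
        self._clock = clock
        self._sleep = sleep
        self._stamps = deque()  # times of the calls made in the current window

    def _wait_for_slot(self):
        now = self._clock()
        while self._stamps and now - self._stamps[0] >= self._window:
            self._stamps.popleft()
        if len(self._stamps) >= self._max:
            # The oldest call in the window decides when the next slot opens.
            self._sleep(self._stamps[0] + self._window - now)
            self._stamps.popleft()
        self._stamps.append(self._clock())

    def call(self, path, max_retries=3):
        for attempt in range(max_retries + 1):
            self._wait_for_slot()  # retries count against the quota too
            status, headers, body = self._send(path)
            if status == 401:
                raise NeedsReauthorization(path)
            if status == 429:
                # Honour Retry-After when present, otherwise back off exponentially.
                self._sleep(float(headers.get("Retry-After", 2 ** attempt)))
                continue
            return body
        raise RateLimited(path)


class FakeClock:
    """Constructed clock: sleeping advances time instantly so the demo runs in no time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += max(0.0, seconds)


def run_demo(limit=5, window=60.0):
    """Constructed LinkedIn stand-in: the first request answers 429 with Retry-After,
    the /revoked path answers 401, everything else 200. Returns what is worth checking."""
    clock = FakeClock()
    calls = []

    def fake_send(path):
        calls.append((path, clock.now()))
        if len(calls) == 1:
            return 429, {"Retry-After": "7"}, None
        if path == "/revoked":
            return 401, {}, None
        return 200, {}, {"path": path}

    client = ThrottledClient(fake_send, limit, window, clock.now, clock.sleep)
    bodies = [client.call(f"/v2/item/{i}") for i in range(limit + 1)]
    reauth = False
    try:
        client.call("/revoked")
    except NeedsReauthorization:
        reauth = True
    return {"bodies": bodies, "calls": calls, "elapsed": clock.now(), "reauth": reauth}


if __name__ == "__main__":
    result = run_demo()
    for path, at in result["calls"]:
        print(f"t={at:5.1f}s  {path}")
    print("virtual seconds elapsed:", result["elapsed"], "reauth needed:", result["reauth"])
```

Size the client-side window from the quotas shown in the Developer Portal for your app, and keep the 429 path as a backstop rather than the primary control: LinkedIn counts calls per application and per member, so a busy shared service hits the limit long before any single user does.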
Conclusion
In summary, a LinkedIn token is an opaque access token that gives an app time-limited access to LinkedIn APIs, on behalf of a member or, with the client credentials flow, as the application itself. Member tokens are obtained through LinkedIn’s OAuth 2.0 authorization code flow and are limited to the scopes the member approved; they last 60 days and can be refreshed only by apps that have been issued refresh tokens, which themselves expire after 365 days. Client credentials tokens last 30 minutes and are simply requested again. Handle tokens securely, request only the scopes you need, verify ID tokens before trusting their claims, and use the access token to reach LinkedIn data rather than reading anything into its contents.