To integrate with the LinkedIn API, you need an access token. An access token allows you to make requests to the LinkedIn API on behalf of a user or application. There are a few different ways to get a LinkedIn access token depending on your use case. This article will explain what a LinkedIn access token is, the different types of access tokens, and how to get an access token for different LinkedIn API use cases.
What is a LinkedIn Access Token?
A LinkedIn access token is a credential that allows you to access the LinkedIn API. It is similar to a username and password, but specifically designed for programmatic API access.
The access token represents the permission of the LinkedIn member or app to access certain data or perform certain actions through the API. When you make a request to the LinkedIn API, you pass the access token in an HTTP header called Authorization. LinkedIn uses the access token to authenticate the request and determine what you are allowed to access.
Access tokens are issued by LinkedIn after a member or app has been authenticated and authorized. They have a limited lifetime and expire after a set period. After expiration, a new access token must be generated to continue accessing the API. This limits the impact of a token being compromised.
Types of LinkedIn Access Tokens
There are several types of access tokens available from LinkedIn:
Access Token Type | Description |
---|---|
User access token | Allows access to a LinkedIn member’s own account data and lets the app perform actions as that member. |
Application access token | Allows access on behalf of a LinkedIn app to data permitted by the app’s permissions. |
Client access token | Allows read-only access to public data on behalf of a developer application. |
User+app access token | Allows a member to link their account to an app and access their data through that app. |
The type of access token you need depends on your specific LinkedIn API use case. The main scenarios are outlined below.
Get Access Token for LinkedIn User Data Access
If you want to access a LinkedIn member’s private data and perform actions on their behalf through the API, you need a user access token. This allows you to access data and perform actions just as if the member were using the LinkedIn website themselves.
Here are the steps to get a LinkedIn user access token:
- Member signs into LinkedIn and authorizes your app to access their account.
- Your app makes an OAuth 2.0 authorization code request to LinkedIn.
- LinkedIn returns an authorization code to your app.
- Your app exchanges the authorization code for an access token.
- Use the access token to make API calls to access member data and perform actions.
To implement this, you need to register your app through LinkedIn’s developer portal to get a client ID and client secret. Then use OAuth 2.0 libraries to handle the authorization flow and token exchange.
The authorization and token exchange occur between the user’s browser and LinkedIn. The access token is then provided to your app server to store and use.
Here is an example request to get a user access token using the authorization code flow:
```
POST https://www.linkedin.com/oauth/v2/accessToken
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code={AUTHORIZATION_CODE}
&redirect_uri={REDIRECT_URI}
&client_id={CLIENT_ID}
&client_secret={CLIENT_SECRET}
```
This access token allows you to make API calls on the member’s behalf: retrieve their profile and connections, share posts, and more.
Get Access Token for LinkedIn App Data Access
If you want to access LinkedIn data on behalf of an application rather than a specific user, you need an application access token. This allows the app to access data permitted by its defined permissions.
Here are the steps to get a LinkedIn application access token:
- Register your app in LinkedIn’s developer portal.
- Select the app permissions for data access you need.
- Generate an access token through the developer portal or API.
- Use the token to make API calls to access permitted data.
You can generate an application access token programmatically by making the following API call:
```
POST https://www.linkedin.com/oauth/v2/accessToken
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id={CLIENT_ID}
&client_secret={CLIENT_SECRET}
```
The application access token will be returned in the API response. You can then use this token to access company pages, jobs, user profiles, groups and other data the app has been permitted to access.
Get Access Token for Public Data Access
If you only need to access public LinkedIn data rather than user private data, you can get a client access token. This allows read-only access to public data without needing a user context.
To get a client access token:
- Register your developer app with LinkedIn.
- Generate a client access token through the API using your client ID and secret.
- Use the token to access public API endpoints.
For example:
```
POST https://www.linkedin.com/oauth/v2/accessToken
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id={CLIENT_ID}
&client_secret={CLIENT_SECRET}
```
This token can be used to retrieve public company, group, and post data, and to run search queries against public profiles and posts, but it cannot access private user data.
Get Access Token to Link App to User
If you want users to be able to link their LinkedIn account with your app and access their data through your app, you need a user+app access token.
This is a combination of user authorization and app permissions that gives access to both the member’s private data and app-permitted data.
To get a user+app access token:
- Register your app and select needed permissions.
- User authorizes your app to access their account.
- Your app makes an OAuth 2.0 authorization code request.
- Exchange the authorization code for a user+app access token.
- Use the token to access user and app data through the API.
For example:
```
POST https://www.linkedin.com/oauth/v2/accessToken
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code={AUTHORIZATION_CODE}
&redirect_uri={REDIRECT_URI}
&client_id={CLIENT_ID}
&client_secret={CLIENT_SECRET}
```
This provides the combined permissions of the member’s authorization and your app’s defined permissions, enabling you to build personalized experiences that use both user and app data.
Refreshing a LinkedIn Access Token
LinkedIn access tokens eventually expire. The expiry time depends on the token type:
- User access tokens last for 60 days.
- Application access tokens last for 365 days.
- Client access tokens last for 60 days.
Once expired, calling the API with that access token will result in authentication errors.
To continue accessing the API, you need to refresh the access token before it expires:
- Your app makes a refresh token request to LinkedIn.
- LinkedIn issues a new access token.
- Update your app to use the new access token.
To request a refresh, make a POST call:
```
POST https://www.linkedin.com/oauth/v2/accessToken
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token={REFRESH_TOKEN}
&client_id={CLIENT_ID}
&client_secret={CLIENT_SECRET}
```
The response will contain a new access token to replace the expired one.
Be sure to persist the refresh token so you can continue obtaining new access tokens when needed.
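One way to track token lifetime so the refresh happens before expiry, as an added Python example (not code from the original article or from LinkedIn). It assumes the token response is JSON with `access_token`, `expires_in` and, when a refresh token is issued, `refresh_token` and `refresh_token_expires_in`; the class and function names and the seven-day margin are choices made for this illustration.

```python
import json
import time
from dataclasses import dataclass


@dataclass(repr=False)
class StoredToken:
    access_token: str
    expires_at: float              # absolute epoch seconds
    refresh_token: str = ""
    refresh_expires_at: float = 0.0

    def __repr__(self):
        # Keep the secret values out of logs and tracebacks.
        return (f"StoredToken(expires_at={int(self.expires_at)}, "
                f"has_refresh={bool(self.refresh_token)})")


def parse_token_response(body, now=None):
    """Turn the JSON token response into a StoredToken with absolute expiry times."""
    now = time.time() if now is None else now
    data = json.loads(body)
    return StoredToken(
        access_token=data["access_token"],
        expires_at=now + int(data["expires_in"]),
        refresh_token=data.get("refresh_token", ""),
        refresh_expires_at=now + int(data.get("refresh_token_expires_in", 0)),
    )


def next_action(token, now=None, margin=7 * 86400):
    """Return 'use', 'refresh' or 'reauthorize' for the stored token."""
    now = time.time() if now is None else now
    if now < token.expires_at - margin:
        return "use"                       # comfortably inside its lifetime
    if token.refresh_token and now < token.refresh_expires_at:
        return "refresh"                   # near or past expiry, refresh still valid
    # No usable refresh token: keep using until expiry, then send the member
    # through authorization again.
    return "reauthorize" if now >= token.expires_at else "use"


def auth_header(token):
    """Authorization header for API calls made with this token."""
    return {"Authorization": f"Bearer {token.access_token}"}
```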
Revoking a LinkedIn Access Token
If an access token becomes compromised or should be made invalid before expiry, you can revoke it through the LinkedIn API:
```
POST https://api.linkedin.com/v2/oauth2AccessTokenRevocation
Content-Type: application/x-www-form-urlencoded

client_id={CLIENT_ID}
&client_secret={CLIENT_SECRET}
&access_token={ACCESS_TOKEN}
```
This immediately invalidates the access token so it cannot be used anymore. The application will have to generate a new access token to reauthenticate.
Revocation is useful for security reasons when a token is compromised, and in logout flows to invalidate a user’s access token.
Conclusion
Obtaining a properly scoped and trusted access token is crucial for accessing LinkedIn’s powerful social data through their API platform. By determining your specific API use case and following the best practices outlined above, you can implement secure OAuth user authorization and token exchange flows to enable your application. Keep access tokens protected, refresh them when they expire, and revoke them when needed. This will provide your app’s users with streamlined access to the LinkedIn platform while adhering to necessary security protocols.