Manage secrets for your parent, child, and standalone applications to keep your integrations secure. You can rotate secrets on demand or on a regular schedule, and manage up to two secrets per application. You can perform the following actions to manage secrets:
Rotate a Secret
Rotate your application secrets regularly to maintain security. When you rotate a secret, the new secret gets added without removing the old one—both remain active so you can update your integration without downtime.
Recommended Rotation Schedule
- Every 60–90 days
- After any potential exposure
- Before major releases or infrastructure changes
- During security or compliance audits
Important
- Each application can have a maximum of two secrets
- If two secrets already exist, delete one before rotating; otherwise the rotation API request will fail
Rotate Parent or Standalone Application Secret
Endpoint
POST https://api.linkedin.com/v2/developerApplicationsSecurity?action=rollDeveloperApplicationSecret
Headers
| Header Name | Value |
|---|---|
| X-RestLi-Method | action |
| X-RestLi-Protocol-Version | 2.0.0 |
| Authorization | Bearer 2L/3L token |
Note
Generate the Bearer token using the application's credentials.
Request Body
{}
Request Body Fields
| Field | Description | Format | Required |
|---|---|---|---|
| {} | Empty braces | Object | Yes |
Response
Success: HTTP 200 OK
Response Body:
{
  "value": {
    "client_secret": "bFWEECAwQp1AT6rJ"
  }
}
Rotate Child Application Secret
Endpoint
POST https://api.linkedin.com/v2/developerApplicationsSecurity?action=rollDeveloperApplicationSecret
Headers
| Header | Value |
|---|---|
| X-RestLi-Method | action |
| X-RestLi-Protocol-Version | 2.0.0 |
| Authorization | Bearer 2L/3L <token> |
Note
- Use your parent application credentials to generate the Bearer token for child applications.
Request Body
{
  "childDeveloperApplication": "urn:li:developerApplication:<child-application-id>"
}
Request Body Fields
| Field | Description | Type | Required |
|---|---|---|---|
| childDeveloperApplication | The URN of the child application (for example, urn:li:developerApplication:123456). | String | Yes |
Sample Request (Shell)
curl --location "https://api.linkedin.com/v2/developerApplicationsSecurity?action=rollDeveloperApplicationSecret" \
  -X POST \
  -H 'X-RestLi-Method:action' \
  -H 'Accept:application/json' \
  -H 'Content-Type:application/json' \
  -H 'X-RestLi-Protocol-Version:2.0.0' \
  -H 'Authorization: Bearer <token>' \
  --data '{
    "childDeveloperApplication": "urn:li:developerApplication:123456"
  }'
Sample Response
Success: HTTP 200 OK
{
  "value": {
    "client_secret": "bFWEECAwQp1AT6rJ"
  }
}
Delete a Secret
Delete a secret when you need to rotate but already have two active secrets, or when removing a secret that's no longer needed. To delete a secret, pass the value of that same secret in the API request payload.
Delete Parent or Standalone Application Secret
Endpoint
POST https://api.linkedin.com/v2/developerApplicationsSecurity?action=removeDeveloperApplicationSecret
Request Headers
| Header Name | Value |
|---|---|
| X-RestLi-Method | action |
| X-RestLi-Protocol-Version | 2.0.0 |
| Authorization | Bearer 2L/3L token |
Request Body
{
  "secret": "<your_app_secret>"
}
Request Body Fields
| Field | Description | Type | Required |
|---|---|---|---|
| secret | The secret to be deleted | String | Yes |
Sample Request (Shell)
curl --location "https://api.linkedin.com/v2/developerApplicationsSecurity?action=removeDeveloperApplicationSecret" \
  -X POST \
  -H 'X-RestLi-Method:action' \
  -H 'Accept:application/json' \
  -H 'Content-Type:application/json' \
  -H 'X-RestLi-Protocol-Version:2.0.0' \
  -H 'Authorization: Bearer <2L/3L token>' \
  --data '{
    "secret": "<your_app_secret>"
  }'
Response
Success: HTTP 200 OK
The API returns an HTTP 200 status code with an empty response body when the secret is successfully deleted.
Delete Child Application Secret
Endpoint
POST https://api.linkedin.com/v2/developerApplicationsSecurity?action=removeDeveloperApplicationSecret
Request Headers
| Header | Value |
|---|---|
| X-RestLi-Method | action |
| X-RestLi-Protocol-Version | 2.0.0 |
| Authorization | Bearer 2L/3L <token> |
Request Body
{
  "childDeveloperApplication": "urn:li:developerApplication:<child-application-id>",
  "secret": "<your_app_secret>"
}
Request Body Fields
| Field | Description | Type | Required |
|---|---|---|---|
| childDeveloperApplication | The URN of the child application. | String | Yes |
| secret | The secret to be deleted. | String | Yes |
Response
Success: HTTP 200 OK
The API returns an HTTP 200 status code with an empty response body when the secret is successfully deleted.
Sample Request (Shell)
curl --location "https://api.linkedin.com/v2/developerApplicationsSecurity?action=removeDeveloperApplicationSecret" \
  -X POST \
  -H 'X-RestLi-Method:action' \
  -H 'Accept:application/json' \
  -H 'Content-Type:application/json' \
  -H 'X-RestLi-Protocol-Version:2.0.0' \
  -H 'Authorization: Bearer <token>' \
  --data '{
    "childDeveloperApplication": "urn:li:developerApplication:123456",
    "secret": "<your_app_secret>"
  }'
Error Codes
| HTTP code | Status | Description |
|---|---|---|
| 500 | Internal Server Error | Returned when: • a different parent-app-id or secret token is used for a child-app that is not linked to the selected parent-app; • the last remaining secret is removed from a child-app; • a third secret is created when two already exist. |
Note
These error codes are specific to secret rotation and deletion APIs. Error codes may change in future updates.
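The rotate-then-delete sequence described on this page, written out as an added example (not LinkedIn's or this page's own code): it rolls a new secret, persists it, and deletes the old secret only after the new one has been verified, so a failed cut-over leaves both secrets active. The `store` and `verify` callbacks and the injectable `post` transport are hypothetical hooks for your secret manager, a credential check, and offline testing.

```python
import json
import urllib.request

BASE = "https://api.linkedin.com/v2/developerApplicationsSecurity?action="

def build_request(action, token, child_urn=None, secret=None):
    """Return (url, headers, body) for a roll or remove action as documented on this page."""
    body = {}
    if child_urn:                      # child apps: token comes from the parent app
        body["childDeveloperApplication"] = child_urn
    if secret is not None:             # remove action: the secret being deleted
        body["secret"] = secret
    headers = {
        "X-RestLi-Method": "action",
        "X-RestLi-Protocol-Version": "2.0.0",
        "Content-Type": "application/json",
        "Authorization": "Bearer " + token,
    }
    return BASE + action, headers, json.dumps(body).encode()

def http_post(url, headers, body):
    """Default transport; urlopen raises HTTPError on non-2xx, including the 500 cases above."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()

def rotate(token, old_secret, store, verify, child_urn=None, post=http_post):
    """Roll, cut over, then delete the old secret. Returns True once the old secret is removed."""
    status, raw = post(*build_request("rollDeveloperApplicationSecret", token, child_urn))
    if status != 200:                  # e.g. two secrets already exist
        raise RuntimeError(f"roll failed: HTTP {status}")
    new_secret = json.loads(raw)["value"]["client_secret"]
    store(new_secret)                  # hypothetical hook: persist before any further step
    if not verify(new_secret):         # hypothetical hook: confirm the integration works
        return False                   # old secret stays active; nothing is deleted
    status, _ = post(*build_request("removeDeveloperApplicationSecret", token, child_urn, old_secret))
    if status != 200:
        raise RuntimeError(f"remove failed: HTTP {status}")  # never put secret values in messages
    return True
```
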