Verified on LinkedIn APIs use OAuth 2.0 for authentication. The authentication method depends on which API you're calling.
OAuth Flow by API
| API | OAuth Type | Member Consent | Tiers |
|---|---|---|---|
| /identityMe | 3-legged | ✅ Required | All tiers |
| /verificationReport | 3-legged | ✅ Required | All tiers |
| /validationStatus | 2-legged | ❌ Not required | Plus only |
3-Legged OAuth (Authorization Code Flow)
Used for /identityMe and /verificationReport APIs. Requires member consent and authorization.
Quick Overview
- Redirect member to LinkedIn for authorization
- Member grants permission to your app
- LinkedIn redirects back with authorization code
- Exchange code for access token
- Call APIs with the access token
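The redirect, callback and code-exchange steps above, as an added example that is not LinkedIn's own code. The authorization endpoint URL, the `state` parameter and the `authorization_code` grant fields are assumptions taken from standard OAuth 2.0 usage and do not appear on this page; the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTH_URL = "https://www.linkedin.com/oauth/v2/authorization"  # assumption: not on this page


def start_authorization(client_id, redirect_uri, scopes):
    """Build the redirect URL; keep `state` in the member's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, one per authorization attempt
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),
    }, quote_via=quote)
    return f"{AUTH_URL}?{query}", state


def handle_callback(callback_url, expected_state, registered_redirect_uri):
    """Validate the redirect back from LinkedIn and return the authorization code."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != registered_redirect_uri:
        raise ValueError("callback did not arrive on the registered redirect URI")
    params = parse_qs(parsed.query)
    state = params.get("state", [""])[0]
    # Constant-time comparison; a missing or foreign state means this session
    # did not start the authorization, so the response is dropped.
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:  # for example, the member declined consent
        raise PermissionError(params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_form(code, client_id, client_secret, redirect_uri):
    """Form body for the server-side POST to /oauth/v2/accessToken."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # never leaves the server
        "redirect_uri": redirect_uri,    # same value that was sent in the redirect
    }
```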
Required OAuth Scopes by Tier
| Scope | Development | Lite | Plus | Purpose |
|---|---|---|---|---|
| r_profile_basicinfo | ✅ | ✅ | ✅ | Basic profile info (name, email, photo) |
| r_verify | ✅ | ✅ | ❌ | Verification categories only (Dev & Lite) |
| r_verify_details | ❌ | ❌ | ✅ | Detailed verification metadata (Plus only) + Verification categories |
| r_primary_current_experience | ❌ | ❌ | ✅ | Current job details (Plus only) |
| r_most_recent_education | ❌ | ❌ | ✅ | Education info (Plus only) |
Important
Key Difference: r_verify returns only verification categories (e.g., ["IDENTITY", "WORKPLACE"]), while r_verify_details returns full metadata including verified names, timestamps, methods, and organization details.
Token Characteristics
- Access token lifetime: 60 days
- Refresh token lifetime: 1 year
- Refresh tokens: Yes, included in response
- Member consent: Required once (unless scopes change)
Complete Guide
For detailed implementation, see:
- Authorization Code Flow Guide – Complete 3-legged OAuth walkthrough
- Refresh Tokens Guide – Token refresh implementation
2-Legged OAuth (Client Credentials Flow)
Used for /validationStatus API (Plus tier only). No member consent required.
Quick Overview
- Request access token using client credentials
- Call API with the access token
- Token expires in 30 minutes – request new token as needed
Required OAuth Scope
r_validation_status – Bulk validation checks (Plus tier only)
Token Characteristics
- Access token lifetime: 30 minutes
- Refresh tokens: No, request new token after expiry
- Member consent: Not required
Complete Guide
For detailed implementation, see:
- Client Credentials Flow Guide – Complete 2-legged OAuth walkthrough
Getting Started by Tier
Development Tier
- Scopes: r_profile_basicinfo, r_verify
- Test with admin accounts only
- See Quickstart Guide for setup instructions
Lite Tier
- Scopes: r_profile_basicinfo, r_verify (same as Development)
- Access all member data (with consent)
- See Upgrade to Lite Tier for setup instructions
Plus Tier
- Scopes: r_verify_details, r_profile_basicinfo, r_primary_current_experience, r_most_recent_education
- Access to 2-legged OAuth for bulk validation
- See Implementation Guide for setup instructions
Common Questions
Do tokens work across tier upgrades?
Yes! When you upgrade from Development to Lite or Lite to Plus:
- Existing access tokens remain valid
- Members don't need to re-authorize (unless you add new scopes)
- Only request new consent if adding scopes
How do I add more scopes?
If you need additional OAuth scopes (e.g., upgrading to Plus tier):
- Update your authorization URL with new scopes
- Ask member to re-authorize
- New tokens will include additional scopes
What happens when tokens expire?
3-legged OAuth (access token):
- Use refresh token to get new access token
- No member interaction required
Example: Refresh Token Request
curl -X POST "https://www.linkedin.com/oauth/v2/accessToken" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=<REFRESH_TOKEN>' \
--data-urlencode 'client_id=<CLIENT_ID>' \
--data-urlencode 'client_secret=<CLIENT_SECRET>'
2-legged OAuth:
- Request new token using client credentials
- No user interaction involved
- Happens automatically in 30 minutes
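The expiry rules above as a decision function, added here as an example and not taken from LinkedIn's documentation or SDKs. The `StoredToken` type, the function names and the 120-second skew are hypothetical; the response fields `expires_in` and `refresh_token_expires_in` are assumed and do not appear on this page.

```python
import time
from dataclasses import dataclass
from typing import Optional

SKEW = 120  # seconds; assumption: renew early to cover clock drift and in-flight calls


@dataclass
class StoredToken:
    flow: str                       # "3-legged" or "2-legged"
    access_token: str
    access_expires_at: float        # epoch seconds
    refresh_token: Optional[str] = None
    refresh_expires_at: float = 0.0


def store_response(flow, resp, now):
    """Convert a token response into absolute expiry times, trusting the
    lifetimes the server reports over hard-coded constants."""
    return StoredToken(
        flow=flow,
        access_token=resp["access_token"],
        access_expires_at=now + resp["expires_in"],
        refresh_token=resp.get("refresh_token"),
        refresh_expires_at=now + resp.get("refresh_token_expires_in", 0),
    )


def next_action(tok, now=None):
    """Return "use", "refresh", "request_new" or "reauthorize" for a stored token."""
    now = time.time() if now is None else now
    if now < tok.access_expires_at - SKEW:
        return "use"
    if tok.flow == "2-legged":
        return "request_new"        # client credentials again; no refresh token exists
    if tok.refresh_token and now < tok.refresh_expires_at - SKEW:
        return "refresh"            # silent, no member interaction
    return "reauthorize"            # refresh token expired: back to the consent screen


def refresh_form(tok, client_id, client_secret):
    """Form fields of the refresh request shown in the curl example."""
    if tok.flow != "3-legged" or not tok.refresh_token:
        raise ValueError("only 3-legged tokens carry a refresh token")
    return {
        "grant_type": "refresh_token",
        "refresh_token": tok.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
```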
Best Practices
✅ Store tokens securely – Encrypt at rest, never expose in client-side code
✅ Use refresh tokens – Don't make users re-authenticate every 60 days
✅ Request minimum scopes – Only request what you need
✅ Handle token expiry gracefully – Implement automatic refresh logic
✅ Validate redirect URIs – Must match exactly with Developer Portal settings
Related Resources
Authentication Guides
- Authorization Code Flow – 3-legged OAuth
- Client Credentials Flow – 2-legged OAuth
- Refresh Tokens – Token refresh
- Developer Portal Tools – Token management
API Reference
- Profile Details API – Requires 3-legged OAuth
- Verification Report API – Requires 3-legged OAuth
- Validation Status API – Requires 2-legged OAuth (Plus only)
Getting Started
- Quickstart Guide – Get started in 5 minutes
- Implementation Guide – OAuth best practices