
Ultimate Guide: How to Get Your LinkedIn Access Tokens

Postslify Team

Introduction: The Master Key to Automation

To connect any external application (like Postslify) or your own scripts to LinkedIn, you need "permission". This permission is managed via OAuth 2.0 tokens. However, the official documentation can be a maze. This guide is your detailed map to getting out with your credentials in hand.

Step 1: Creating the App in the Developer Portal

It all starts here. You cannot interact with the API without a registered "App".

  1. Go to the LinkedIn Developer Portal and log in.
  2. Click the blue "Create app" button.
  3. Complete the form:
    • App name: The name users will see when authorizing (e.g., "My B2B Automator").
    • LinkedIn Page: You must associate the app with an existing Company Page. Type the name or paste your Company Page URL.
    • Privacy policy URL: Mandatory. If you don't have one, you can use a temporary generator or your website's.
    • App logo: Upload a square image (min 100x100px).
  4. Accept the legal terms and click "Create app".

Step 2: Page Verification (Crucial)

Once created, you will see a yellow warning. Your app needs a Company Page admin to confirm the association.

  1. In your new app's "Settings" tab, find the "LinkedIn Page" section.
  2. Click "Verify". This will generate a verification link.
  3. Copy that link and open it (or send it to the page admin).
  4. When opening it, click "Verify" to confirm. The yellow warning will disappear.

Step 3: Configuring "Products" (Permissions)

By default, your app has no permissions. You must request them by adding "Products".

  1. Go to the "Products" tab.
  2. Find and request to add these two products:
    • Share on LinkedIn: Allows posting content (Grants scopes: w_member_social, w_organization_social).
    • Sign In with LinkedIn using OpenID Connect: Allows user authentication (Grants scopes: openid, profile, email).
  3. Approval is usually immediate for these basic products.

Step 4: Getting Client ID and Client Secret

Now go to the "Auth" tab. Here are your keys to the kingdom:

  • Client ID: It's public, identifies your app.
  • Client Secret: It's private and critical. If someone has it, they can impersonate your app. Never share it or upload it to GitHub!

Redirect URL Configuration: In this same tab, scroll down to "OAuth 2.0 settings" and add an "Authorized redirect URL for your app". If testing with Postman, use https://oauth.pstmn.io/v1/callback. If it's a local script, it could be http://localhost:3000/api/callback.

Step 5: The OAuth 2.0 Flow (How to get the Token)

This is where many get lost. The process has two parts: getting a code and exchanging it for the token.

A. Getting the Authorization Code

You must construct and visit this URL in your browser (replace values with yours):

https://www.linkedin.com/oauth/v2/authorization?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=YOUR_ENCODED_REDIRECT_URI
&scope=openid%20profile%20w_member_social%20offline_access

Important note on offline_access: This scope is magic. If your app has this permission enabled (sometimes requires extra approval or being a Partner), it will allow you to get the Refresh Token.

When visiting the link, LinkedIn will ask you to log in and authorize the app. Upon accepting, it will redirect you to your configured URL with an extra parameter in the address bar: ?code=THIS_IS_THE_CODE. Copy it quickly, it expires in minutes.

B. Exchanging the Code for the Token (POST Request)

Now make a POST request to https://www.linkedin.com/oauth/v2/accessToken with these parameters in the body (x-www-form-urlencoded):

  • grant_type: authorization_code
  • code: The code you copied in the previous step.
  • client_id: Your Client ID.
  • client_secret: Your Client Secret.
  • redirect_uri: The same URL you used before.
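
Parts A and B as an added Python example (not code from the original guide): it builds the authorization URL, validates the redirect before trusting the code, and assembles the token-exchange form fields without sending anything. The `state` parameter and its check are an addition that the URL above does not include; the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTH_URL = "https://www.linkedin.com/oauth/v2/authorization"
TOKEN_URL = "https://www.linkedin.com/oauth/v2/accessToken"

def build_authorization_url(client_id, redirect_uri, scopes):
    """Part A: return (url, state). Keep state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable anti-CSRF value (added, not in the guide's URL)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }, quote_via=quote)  # quote() writes spaces as %20, matching the URL above
    return f"{AUTH_URL}?{query}", state

def extract_code(callback_url, expected_state):
    """Validate the redirect and return the authorization code."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    returned = params.get("state", [""])[0]
    # Constant-time compare; a mismatch means this redirect was not started by us.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch, discarding code")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def build_token_request(code, redirect_uri, client_id, client_secret):
    """Part B: form fields to POST to TOKEN_URL as x-www-form-urlencoded."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # load from env or a secret store, never from source
        "redirect_uri": redirect_uri,    # must be the same value sent in part A
    }

if __name__ == "__main__":
    url, _state = build_authorization_url(
        "YOUR_CLIENT_ID", "http://localhost:3000/api/callback",
        ["openid", "profile", "w_member_social"])
    print(url)
```
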

Step 6: Understanding the Response (Your Tokens)

If everything went well, you will receive a JSON like this:

{
  "access_token": "AQW...", // Access Token (60 days)
  "expires_in": 5183999,
  "refresh_token": "AQE...", // Refresh Token (1 year)
  "refresh_token_expires_in": 31535999
}

Vital Difference: 60-Day vs 12-Month Token

  • Access Token (60 days): Sent in the HTTP header "Authorization: Bearer AQW..." to publish posts, get the profile, etc. Expires in 2 months.
  • Refresh Token (12 months): Your life insurance. When the Access Token expires, you DO NOT need to log in manually again. You make an API request using grant_type=refresh_token and this long token to get a fresh Access Token.
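
An added Python example (not from the original guide) that turns the response's relative lifetimes into absolute expiry times, decides whether to use, refresh or re-authorize, and produces a copy that is safe to log. The sample response is constructed with placeholder token values; the 7-day margin, the function names, and the client_id/client_secret fields in the refresh request (carried over from the Step 5 exchange) are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the response above; token values are placeholders.
SAMPLE_RESPONSE = """{
  "access_token": "AQW-placeholder", "expires_in": 5183999,
  "refresh_token": "AQE-placeholder", "refresh_token_expires_in": 31535999
}"""

def parse_token_response(body, received_at):
    """Convert the relative lifetimes into absolute UTC expiry times."""
    data = json.loads(body)
    tokens = {
        "access_token": data["access_token"],
        "access_expires_at": received_at + timedelta(seconds=int(data["expires_in"])),
        "refresh_token": data.get("refresh_token"),  # absent without offline_access
        "refresh_expires_at": None,
    }
    if tokens["refresh_token"]:
        lifetime = timedelta(seconds=int(data["refresh_token_expires_in"]))
        tokens["refresh_expires_at"] = received_at + lifetime
    return tokens

def next_action(tokens, now, margin=timedelta(days=7)):
    """Return 'use', 'refresh' or 'reauthorize' for the stored tokens."""
    if now < tokens["access_expires_at"] - margin:
        return "use"
    if tokens["refresh_token"] and now < tokens["refresh_expires_at"]:
        return "refresh"
    return "reauthorize"  # no usable refresh token: repeat the Step 5 flow

def build_refresh_request(tokens, client_id, client_secret):
    """Form fields for the grant_type=refresh_token request."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": tokens["refresh_token"],
        "client_id": client_id,          # assumption: same fields as the code exchange
        "client_secret": client_secret,  # load from env or a secret store
    }

def redacted(tokens):
    """Copy that is safe to log: token values replaced, expiry times kept."""
    return {k: ("<redacted>" if k.endswith("_token") and v else v)
            for k, v in tokens.items()}

if __name__ == "__main__":
    stored = parse_token_response(SAMPLE_RESPONSE, datetime.now(timezone.utc))
    print(redacted(stored), next_action(stored, datetime.now(timezone.utc)))
```
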

Conclusion

Getting these tokens manually is an excellent exercise to understand LinkedIn security, but it is tedious to maintain for production. Postslify automates this entire cycle: we store your Refresh Token encrypted and silently renew your credentials so your scheduled posts never fail.
