Client credentials grant type (2-legged OAuth)

Authorize your app to act on behalf of itself.

 

legal notice

By using this API and its documentation and building an integration, you agree to the Additional API Terms and Guidelines.

Client credentials grant type (2-legged OAuth) overview

When you become an Indeed partner, Indeed sets up an app that integrates Indeed APIs and services into your product. View your app and its OAuth credentials (a client ID and secret) in Partner Console, then exchange these credentials for an access token to authenticate your Indeed API calls.

You can also:

• Get an access token that represents an employer.
• Authorize an app to act on your behalf.
• Enable another company to act on your behalf.

Become an Indeed partner

If you are not already a partner, become an Indeed partner.

Get your OAuth credentials

1. Sign in to Partner Console with your Indeed user account.

   The Credentials tab on the app details page lists your OAuth credentials: a client ID and secret.

Get an access token

To get an access token, send a POST request to https://apis.indeed.com/oauth/v2/tokens with these headers and body parameters, using a command-line tool like curl or a UI tool like Insomnia.

Don't expose the client secret to end users. Indeed recommends generating tokens in the backend.

curl -L 'https://apis.indeed.com/oauth/v2/tokens' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'client_id=<client_id>' \
  -d 'client_secret=<client_secret>' \
  -d 'grant_type=client_credentials' \
  -d 'scope=employer_access'

The request headers are:

Get an access token request headers

Header	Value
Accept	application/json
Content-Type	application/x-www-form-urlencoded

The request body parameters are:

Get an access token request body parameters

Request body parameter	Value	Description
client_id	<client_id>	Replace with your client ID.
client_secret	<client_secret>	Replace with your client secret.
grant_type	client_credentials	Requests the client credentials grant (2-legged OAuth).
scope	employer_access	Lists employer accounts associated with the user that registered the app, or gets an access token for an associated employer account.

{
  "access_token": "<access_token>",
  "scope": "employer_access",
  "token_type": "Bearer",
  "expires_in": 3600
}

Your token expires in one hour (3600 seconds). Refresh your token hourly.

Call Indeed APIs

To call an Indeed GraphQL API, send a POST request to https://apis.indeed.com/graphql with these headers and your GraphQL query or mutation:

curl -L 'https://apis.indeed.com/graphql' \
  -H 'Authorization: Bearer <access_token>' \
  -H 'Content-Type: application/json' \
  -d '{"query":"query {\n  jobSearch(\n    location: { radius: 5, radiusUnit: MILES, where: \"Austin\" }\n    what: \"Nurse\"\n    limit: 5\n  ) {\n    results {\n      job {\n        title\n        sourceEmployerName\n      }\n    }\n  }\n}","variables":{}}'

Request headers:

HTTP request headers

Header	Value	Description
Authorization	Bearer <token>	Use this header to authenticate with the server and access protected resources. Pass the access token in this header with the Bearer authentication scheme. For the oauth/v2/tokens endpoint, use the basic authentication scheme instead of passing client_id and client_secret in the request body. See Get an access token, Authorization header, and Basic authentication scheme.
Content-Type	application/json	The media type of the resource. See Content-Type header.

The -d parameter specifies the GraphQL query:

query {
  jobSearch(location: {
      radius: 5,
      radiusUnit: MILES,
      where: "Austin"
    }
    what: "Nurse"
    limit: 5) {
    results {
      job {
        title
        sourceEmployerName
      }
    }
  }
}

{
  "errors": [{
    "message": "The client does not have access to the 'job-retrieval-service' service.",
    "extensions": {
      "code": "INTERNAL_SERVER_ERROR"
    }
  }],
  "data": null
}

Get an access token that represents an employer

Some Indeed APIs require an access token that represents an employer or advertiser.

To get an access token for an employer:

1. Build an employer selection screen that lists the employers the user can manage.
2. Select an employer, and get an access token that represents that employer.

Each access token represents one employer. To switch employers, get a new access token.

Build employer selection screen

1. Get an access token with scope=employer_access.

   Use this scope to list the employer accounts that the user can manage.

2. Call the https://secure.indeed.com/v2/api/appinfo endpoint with the Authorization: Bearer <access_token> header, where <access_token> is your access token:

   curl -L 'https://secure.indeed.com/v2/api/appinfo' \
     -H 'Authorization: Bearer <access_token>'

   The request header is:

   Request header

   Header	Value
   Authorization	Bearer <access_token> where <access_token> is your access token.

   If the user has associated employer accounts, the response includes an id and name for each employer:

   {
     "employers": [
       {
         "id": "084a39249af95beedfb90cc5d2b8833c",
         "name": "Dharma Initiative"
       },
       {
         "id": "865e08b649774436ee1f410b611fad7c",
         "name": "Umbrella Corporation"
       },
       {
         "id": "4bc393648e880bc94dd6cef8efbc8486",
         "name": "US Robotics and Mechanical Men"
       }
     ]
   }

   In this example, the id for US Robotics and Mechanical Men is 4bc393648e880bc94dd6cef8efbc8486.

3. Display the employer list, and let the user select one.

Get employer access token

After the user selects an employer, POST to https://apis.indeed.com/oauth/v2/tokens with Accept and Content-Type headers and these body parameters:

curl -L 'https://apis.indeed.com/oauth/v2/tokens' \
 -H 'Accept: application/json' \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 -d 'grant_type=client_credentials' \
 -d 'scope=employer_access' \
 -d 'client_id=<client_id>' \
 -d 'client_secret=<client_secret>' \
 -d 'employer=<employer_id>'

The request headers are:

Get an employer access token request headers

Header	Value
Accept	application/json
Content-Type	application/json

The request body parameters are:

Get an employer access token request body parameters

Request body parameter	Required	Value
grant_type	✔	client_credentials
scope	✔	employer_access
client_id	✔	Your client ID.
client_secret	✔	Your client secret.
employer	✔	The ID of the employer that the user selected.

The response contains an access token that represents the selected employer:

{
  "access_token": "<access_token>",
  "scope": "employer_access",
  "token_type": "Bearer",
  "expires_in": 3600
}

If you request an access token for an employer that the user does not manage, you get this error:

{
  "error_description": "Invalid request",
  "error": "invalid_request"
}

Authorize an app to act on your behalf

Use the Indeed Users page to authorize an app, or remove an app's authorization, to act on your behalf.

1. On the Indeed Users page, select an employer account, and select Add users.

2. Enter the user's email address.

   Select the access level, and select Save and notify new users.

   The user receives an email invitation to join your organization on Indeed. If they accept, they receive the selected permissions.

Enable another company to act on your behalf

To enable another company to act on your behalf, share your employer ID with the company.

This ID appears in a small font above the page footer on the Indeed Users page. The employer ID is not secret — you can share it with other companies.

See also

• Credentials
• HTTP request headers
• oauth/v2/tokens endpoint
• v2/api/appinfo endpoint
• Basic authentication scheme
• Troubleshoot OAuth errors
• Troubleshoot GraphQL errors

 

Was this page helpful?