Token exchange grant type (OAuth)
Exchange a security token for an Indeed access token.
By using this API and its documentation and building an integration, you agree to the Additional API Terms and Guidelines.
Use Indeed's token exchange grant type (OAuth) to generate an Indeed access token.
Token exchange grant type (OAuth) steps
To start this integration or ask questions, contact indeed-ciam-integrations-support@indeed.com.
Complete these steps:
| # | Step |
|---|---|
| 1. | |
| 2. | |
| 3. |
Register your app
Japan only
-
Sign in to your Indeed account on the Manage app credentials page, and select Register new application.
-
Enter your app name and description on the Provide basic information page. For Credential type, select OAuth 2.0, and select Save and continue.
-
Select Client credentials on the Select OAuth grant types page, and select Save and continue.
-
Add more details on the Provide additional information page if needed, and select Save and continue.
-
Review your app information on the Preview app page, and select Complete registration.
Note your client ID and secret on the Credentials page. Do not share your secret.
-
Share your client ID with Indeed so Indeed can add the registered OAuth client to the token exchange allowlist.
Outside of Japan
To build an Indeed Apply XML integration, contact the Indeed Client Success team. After you sign the Developer Agreement, Indeed sets up an app that integrates Indeed APIs and services into your product.
Sign in to Partner Console to view your app and its Indeed Apply API token credentials:
- The API token credentials are a client ID and a client secret.
- Include the API token with each job you post to Indeed.
Generate the Authorization Basic header value
See also Basic Authentication Scheme in RFC 2617: HTTP Authentication: Basic and Digest Access Authentication.
To generate the Authorization Basic header value:
-
Concatenate the
client_idandclient_secretwith a colon (:) as a separator.base64.encode("<client_id>:<client_secret>"); -
Apply the Base64-encoding algorithm to the string:
base64.encode("5e175cbb7f88e2048bd95323bbc9ca2fcec32ad60f95f7ee66ab53e099abe6f3:pJ4qRe2sdXRP0Whr3bwz9D37exFuuOtqJDRHMmmlLWV7J25rH7oItrPNCKzhaQf2"); -
Pass the Base64-encoded string as a basic HTTP
Authorizationheader:Authorization: Basic NWUxNzVjYmI3Zjg4ZTIwNDhiZDk1MzIzYmJjOWNhMmZjZWMzMmFkNjBmOTVmN2VlNjZhYjUzZTA5OWFiZTZmMzpwSjRxUmUyc2RYUlAwV2hyM2J3ejlEMzdleEZ1dU90cUpEUkhNbW1sTFdWN0oyNXJIN29JdHJQTkNLemhhUWYy
Get access token
To use the token exchange grant type to get an access token, make a POST request to the https://apis.indeed.com/oauth/v2/tokens endpoint with these HTTP request headers:
POST https://apis.indeed.com/oauth/v2/tokensContent-Type: application/jsonAuthorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
grant_type=urn:ietf:params:oauth:grant-type:token-exchange&subject_token=xxxxx.yyyyy.zzzzz&subject_token_type=urn:ietf:params:oauth:token-type:id_tokenTo get an access token, make a POST request to the https://apis.indeed.com/oauth/v2/tokens endpoint with Authorization: Bearer <access_token> and Content-Type request headers, and request body parameters.
This curl example gets an access token:
curl -L 'https://apis.indeed.com/oauth/v2/tokens' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -H 'Authorization: Bearer <access_token>' \ -d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \ -d 'client_id=<client_id>' \ -d 'client_secret=<client_secret>' \ -d 'subject_token_type=urn:ietf:params:oauth:token-type:id_token' \ -d 'scope=email offline_access' \ -d 'subject_token=xxxxx.yyyyy.zzzzz'The request headers are:
| Header | Value |
|---|---|
Authorization |
where |
Content-Type |
|
The request body parameters for oauth/v2/tokens are:
| Request body parameter | Required | Value |
|---|---|---|
grant_type | ✔ |
Type: string |
scope | Optional | Scopes to be granted in the issued Indeed token. See Scopes. Example:
|
subject_token | ✔ | The token representing the identity of the party the request is made on behalf of. The token issuer must give Indeed a way to validate it. Indeed supports only ID tokens. Example:
|
subject_token_type | ✔ | Type of token passed in the Example:
|
A successful JSON response is:
HTTP/1.1 200 OKContent-Type: application/json
{ "access_token": "<access_token>", "scope": "" "issued_token_type": "urn:ietf:params:oauth:token-type:access_token", "token_type": "Bearer", "expires_in": 1419356238}A failed JSON response is:
HTTP/1.1 400 Bad RequestContent-Type: application/json
{ "error": "invalid_request"}The response fields are:
| Response field | Type | Description |
|---|---|---|
access_token | String | Your access token. Example:
|
error | String | The error type. Example:
|
error_description | String | A description of the error. Example:
|
expires_in | Integer | Token is valid for one hour (3600 seconds). Example:
|
issued_token_type | String | The token type of the issued token. Example:
|
scope | String | The actual permissions granted to your app. For example, Example:
See Scopes. |
token_type | String | Value is always Example:
|
ID tokens
Indeed inspects these claims in the specified ID token.
Beyond the fields required by OpenID Connect Core 1.0 incorporating errata set 2 – Standard Claims, Indeed's Identity system inspects these fields when available.
The ID token is a JSON Web Token (JWT). The following table defines the supported and required fields in the JWT body:
OpenID Connect Core 1.0 incorporating errata set 2 – Standard Claims defines all fields except auth_ip.
See also OpenID Connect Core 1.0 incorporating errata set 2 – Standard Claims.
| Field | Required | Description |
|---|---|---|
Type: | The intended recipient of the ID token. In the token exchange flow, this field holds the client ID of the external application that received the token. When the external application presents this token for exchange, this value identifies the original audience. Example: | |
Type: | Correctly formatted IPv4 address of the user when they signed in. See RFC 1918. Example: | |
Type: JSON number | When the user last authenticated. Example: | |
Type: JSON number | Indeed rejects any token after the expiration time. The issued access token matches the Example: | |
Type: JSON number | ✔ for all integrations | Time when the JWT was issued. Example: |
Type: | The unique ID of the entity that issued the JWT. The URI of the issuing system. Example: | |
Type: | ✔ for all integrations | User ID in the identity provider. Must map to Example: |
Type: | The end user's full name, formatted for display per their locale and preferences. Example: | |
Type: | ✔ for all integrations | The user's preferred email address. Must follow the Addr-Spec Specification in RFC 5322. Example: |
Type: | If you omit this value, Indeed assumes the partner has not verified the user's email address. Example: | |
Type: | ✔ for some integrations | The user's last name. In some cultures, people have multiple last names. Separate multiple last names with a space. Example: |
Type: | The user's first name. In some cultures, people have multiple first names. Separate multiple first names with a space. Example: | |
Type: | The user's locale as a BCP47 (RFC 5646) language tag. Typically a lowercase ISO 639 Alpha-2 ISO639 language code and an uppercase ISO 3166-1 Alpha-2 ISO3166‑1 country code, separated by a dash. Example: | |
Type: | The user's phone number. Must follow E164 formatting. Example: | |
Type: | Whether the phone number is verified. If you include the phone number but omit Example: | |
Type: JSON number | When the end user's information was last updated. Defined in the OpenID Connect specification. Example: |
RFCs
- RFC 1918: Address Allocation for Private Internets
- RFC 5322: Internet Message Format
- RFC 5646: Tags for Identifying Languages
- RFC 8693: OAuth 2.0 Token Exchange