OAuth glossary

Describes commonly used authentication and authorization terms.

📘 Note: By using this API and its documentation and building an integration, you agree to the Additional API Terms and Guidelines.

[ A ] | [ C ] | [ E ] | [ G ] | [ I ] | [ O ] | [ P ] | [ R ]

access token

A token that you include in every API call to prove that your app is authorized to make API calls:

  • In the authorization code flow (3‑legged OAuth), a token proves that your app is authorized to make API calls on behalf of Indeed user accounts and those accounts' associated employers. To get an access token in this flow, you pass an authorization code, client ID, and client secret.

  • In the client credentials flow (2‑legged OAuth), a token proves that your app is authorized to make API calls on behalf of the Indeed user account that registers the app and that account's associated employers. To get a token in this flow, you pass a client ID and secret.

The access token looks like a long, garbled string.

📘 Note: Indeed's access tokens use the OAuth 2.0 protocol and follow the authorization request guidelines in RFC6749: The OAuth 2.0 Authorization Framework.

authorization code

In the authorization code flow (3‑legged OAuth), a code that the owner of an Indeed account sends to your app to enable calling the API on their behalf.

To get an access token in this flow, you pass an authorization code and client ID and secret.

authorization code flow (3‑legged OAuth)

A flow that enables you to authorize your app to act on behalf of other Indeed user accounts and those accounts' associated employers. In this flow, after Indeed shows the user the OAuth consent screen, the user grants permissions to your app.

— C —

client credentials flow (2‑legged OAuth)

A flow that enables you to authorize your app to act on behalf of itself and its associated employer accounts.

client ID and secret

Credentials that identify your app. Get these credentials one time for each app. If you have both test and production versions of your app, you must generate a separate set of API credentials for each version.

Also called API keys or API credentials.

credential type

The credential type to request for your app:

  • OAuth 2.0

    Generates a client ID and secret to authorize your app to access Indeed APIs through OAuth 2.0. You cannot use these credentials for Indeed Apply.

  • Indeed Apply

    Generates an Indeed Apply API Token that enables you to mark your jobs with the Easily Apply label and allows job seekers to apply to your jobs without leaving Indeed. You cannot use these credentials to get access tokens for Indeed APIs.

— E —

employer selection screen

Enables a user to select an employer from a list of employers associated with the user. Hosted on Indeed.

— G —

grant type

How the client is authenticated:

  • Authorization code

    Indeed shows users the OAuth consent screen, users log in, and users grant permissions to your app. You must add at least one redirect URL for this grant type. Indeed sends an authorization code to the redirect URL, which you then capture and exchange for an access token.

    See also Authorization code grant.

  • Client credentials

    Applications request an access token to access their own resources.

— I —

incremental authorization

Enables apps to request only the scopes that they need. Incremental authorization requires the offline_access scope, which maintains the permissions that your app has. For example, if your app requests the email scope, your app must also request the offline_access scope.

— O —

— P —

public client

A client that cannot maintain the confidentiality of its credentials and cannot secure client authentication through any other means. That is, a client that runs on the device that the resource owner uses, such as an installed native app or a web browser-based app.

For information about public clients, see Client Types in RFC6749: The OAuth 2.0 Authorization Framework. Public clients can use the authorization code grant type only.

— R —

redirect URL

A page on your website where Indeed redirects a user after trying to authorize your app on behalf of the user. If the user authorized your app, then Indeed passes an authorization code to your specified redirect URL. To test your OAuth app on your local machine, set one of your redirect URLs to http://localhost.

refresh token

If you include the offline_access scope when you get an access token, you receive a refresh token with your access token. Access tokens are valid for one hour (3600 seconds). When an access token expires, use the refresh token to get a new access token.

The refresh token is valid for 60 days from when it was issued. With each refresh, the refresh token's expiration date is extended to 60 days from the most recent refresh.

Indeed returns a refresh token with the access token only when your app requests and is granted the offline_access scope.
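
The lifetimes described under refresh token can be tracked on the client as a small state model. The following is an added example, not code from Indeed or its documentation; the names `TokenState`, `next_action`, and `record_refresh`, and the 60-second early-refresh margin, are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

ACCESS_TTL = timedelta(seconds=3600)  # from the glossary: access tokens last one hour
REFRESH_TTL = timedelta(days=60)      # from the glossary: 60 days, extended on each refresh
SKEW = timedelta(seconds=60)          # assumption: refresh slightly early to absorb clock drift


@dataclass(frozen=True)
class TokenState:
    access_issued: datetime
    # Time the refresh token was issued or last used; None when the
    # offline_access scope was not granted, so no refresh token exists.
    refresh_anchor: Optional[datetime]

    def access_expires(self) -> datetime:
        return self.access_issued + ACCESS_TTL

    def refresh_expires(self) -> Optional[datetime]:
        if self.refresh_anchor is None:
            return None
        return self.refresh_anchor + REFRESH_TTL


def next_action(state: TokenState, now: datetime) -> str:
    """Return 'use_access_token', 'refresh', or 'reauthorize' for this moment."""
    if now < state.access_expires() - SKEW:
        return "use_access_token"
    refresh_expiry = state.refresh_expires()
    if refresh_expiry is not None and now < refresh_expiry:
        return "refresh"
    # No usable refresh token: run the original grant flow again.
    return "reauthorize"


def record_refresh(state: TokenState, now: datetime) -> TokenState:
    """State after a successful refresh at `now`; the 60-day window slides forward."""
    expiry = state.refresh_expires()
    if expiry is None or now >= expiry:
        raise ValueError("no valid refresh token; the user must authorize again")
    return replace(state, access_issued=now, refresh_anchor=now)


# Constructed timeline (not real token data).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
with_offline = TokenState(access_issued=T0, refresh_anchor=T0)
without_offline = TokenState(access_issued=T0, refresh_anchor=None)
```

An app that refreshes at least once every 60 days never needs to send the user back through the consent screen; one that was not granted offline_access must do so as soon as the access token expires.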