OAuth security considerations
The Indeed OAuth framework enables you to avoid sharing your Indeed password with other organizations.
Note:
By using this API and its documentation and building an integration, you agree to the Additional API Terms and Guidelines.
The Indeed 3-legged OAuth and 2-legged OAuth frameworks ensure that you never need to share your secrets with another organization. Specifically, you never need to share your Indeed password or Indeed OAuth client secret.
3-legged OAuth
If an OAuth app uses the authorization code flow (3-legged OAuth), you never need to share your Indeed password or Indeed OAuth client secret with the app. Instead, you can use the OAuth consent screen to grant permission to the app to act on your behalf without sharing any secret information.
For example, to grant AAA Advertising permission to sponsor jobs on your behalf:
- AAA Advertising registers their OAuth client ID and secret.
- You navigate to their app, sign in to Indeed, and submit the Indeed OAuth consent screen to grant the advertising agency permission to act on your behalf.
- If your Indeed account is associated with multiple employers, a screen prompts you to select an employer account.
- AAA Advertising can call Indeed APIs on your behalf.
You never share any secret information with AAA Advertising. To sign in to Indeed, you use the standard sign-in page that Indeed hosts. To consent to sharing your information with AAA Advertising, you submit the OAuth consent screen, which Indeed also hosts. Your secrets are never leaked to AAA Advertising.
2-legged OAuth
If an OAuth app uses the client credentials flow (2-legged OAuth), the app does not require user interaction. A user never submits an OAuth consent screen.
To grant permission for an app to act on your behalf:
- Go to Indeed Users.
- Select the appropriate employer account.
- Click Add users.
- To add a user to your company, enter their email address.
- Select the level of access to grant to the user.
- Click Save and notify.
The user receives an email invitation to join your organization on Indeed. If they accept, they are granted the permissions that you provided them.
The employer ID
If another company that uses client credentials flow (2-legged OAuth) wants to act on your behalf, they need your employer ID. The employer ID appears in a small font above the page footer of the Indeed Users page. Because the employer ID is not secret, you can share it with other companies.
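The following toy model is an added example, not Indeed's code or API. It runs both flows against an in-memory authorization server to show which party holds which secret: the app never sees the user's password, and the employer ID is useless without the app's own client secret. The endpoint URL, the client, password and employer values, and the `employer` form field name are assumptions constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values: none is a real Indeed endpoint, client or employer ID.
AUTHORIZE, REDIRECT_URI = "https://auth.example/oauth/authorize", "https://aaa.example/callback"
CLIENT_ID, CLIENT_SECRET = "aaa-advertising", "app-secret-never-shown-to-user"
USER_PASSWORD = "user-password-never-shown-to-app"
EMPLOYER_ID = "employer-123"  # shareable identifier, not a credential

def authorization_url(state):
    """Where the app sends the user's browser: identifiers only, no secret."""
    return AUTHORIZE + "?" + urlencode({"response_type": "code", "client_id": CLIENT_ID,
                                        "redirect_uri": REDIRECT_URI, "state": state})

class AuthServer:
    """Toy authorization server holding the user's password and the app's secret."""
    def __init__(self):
        self.codes = {}                           # one-time codes issued after consent
        self.grants = {(CLIENT_ID, EMPLOYER_ID)}  # access the employer granted (2-legged)

    def consent(self, url, password):
        """User signs in and consents on the server's own pages; returns the redirect."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if not hmac.compare_digest(password, USER_PASSWORD) or q["redirect_uri"] != REDIRECT_URI:
            raise PermissionError("sign-in or redirect check failed")
        code = secrets.token_urlsafe(16)
        self.codes[code] = q["client_id"]
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form):
        """Token endpoint: both grants require the app's own client secret."""
        secret_ok = hmac.compare_digest(form.get("client_secret", ""), CLIENT_SECRET)
        if form.get("client_id") != CLIENT_ID or not secret_ok:
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code":   # 3-legged: one-time code from consent
            ok = self.codes.pop(form.get("code"), None) == CLIENT_ID
        else:                               # 2-legged: employer must have granted access
            ok = grant == "client_credentials" and (CLIENT_ID, form.get("employer")) in self.grants
        return {"access_token": secrets.token_urlsafe(16)} if ok else {"error": "invalid_grant"}

def app_exchange(server, redirect, expected_state):
    """App side of the callback: check state, then trade the code for a token."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    return server.token({"grant_type": "authorization_code", "code": q["code"],
                         "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
```

The only values that cross between the user and the app are the client ID, redirect URI, state and a one-time code; the password stays between the user and the server, and the client secret stays between the app and the server.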
See also
- Authorization code flow (3-legged OAuth)
- Client credentials flow (2-legged OAuth)