OAuth reference

application/x-www-form-urlencoded

application/json

Bearer <access_token>

In each API call, pass the access token in this header with the Bearer authentication scheme.

📘 Note:

• You can pass the Authorization header only when you request or refresh an access token through the /oauth/v2/tokens endpoint.

• When you get an access token, you can use the basic authentication scheme instead of passing your client ID and secret in the /oauth/v2/tokens request body. To use this scheme, you encode and pass these credentials in an Authorization Basic header.

For 3-legged authorization only.

When calling the userinfo endpoint, returns the email and email_verified fields in the ID token. With this scope, an app can read a user's email and email_verified status from an ID token or the userinfo endpoint.

Lists all employer accounts associated with the user and is required to get an access token for an employer.

To list employers and get an access token for an employer:

• See Associate user account with employer account for 3-legged authorization.
• See Associate user account with employer account for 2-legged authorization.

For 3-legged authorization only.

Required to generate a refresh token. Indeed OAuth access tokens expire after one hour. To get an access token, use a refresh token.

Required. Client ID.

Example:

6nwwcdklwgktryjw2j5f

xh5t2fyneule7zg7mvw3pf9

jbx3wmewzlxkdz1jxvs6b

Required. URL-encoded redirect URL. Identifies the redirect page on your site where the user captures the authorization code. It must match one of the redirect URLs that your app registers. See Get a client ID and secret.

Example:

Encode

https://www.acerecruitersllc.com/oauth/indeed

to

https%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed%3Fmy-param%3Dpass-me-this-value

Optional. Permissions that the client app requests. See scopes. You must URL-encode and space-delimit scopes, which replaces the spaces with plus signs ( +).

Example:

email+offline_access

Required. Value is always code.

Example:

code

Recommended. Prevents CSRF attacks. Can be any unique string your app creates to maintain state between the request and callback. Indeed passes this parameter to your redirect URI. See the RFC documentation on CSRF attack against redirect-uri for more information.

Example:

employer1234

Optional. Prompts the authorizing user with an Indeed employer selection screen, from which the user chooses the employer account assigned to your access token. To do this, add the prompt=select_employer parameter to the authorization link, and include the employer_access scope. See Show the Indeed employer selection screen.

Example:

prompt=select_employer

Required to exchange an authorization code for an access token.

The authorization code.

To exchange a refresh token for an access token, specify refresh_token instead.

Example:

rXZSMNyYQHQ

Required to exchange a refresh token for an access token.

The refresh token returned with your user's access token.

To exchange an authorization code for an access token, specify code instead.

Example:

rXZSMNyYQHQ

Required.

To get an authorization code, this value must be authorization_code.

To submit a refresh token to get an access token, this value must be refresh_token.

Example:

authorization_code

Or

refresh_token

Conditional. Your client ID.

Instead of sending your client_id in the request, you can pass it in an Authorization header. See Authorization header.

Example:

6nwwcdklwgktryjw2j5fxh5t2fyneule7zg7mvw3pf9jbx3wmewzlxkdz1jxvs6b

Conditional. Your client secret.

Instead of sending your client_secret in the request, you can pass it in an Authorization header. See Authorization header.

Example:

02KKpg6yLXw2v3FKf5lqyFGtMQCvPBNbJIw89SoSd9fts1LAdlvwUQQ6dwhAhEXv

Conditional. To list employer accounts associated with the user that registered the app or to get an access token for one of these associated employer accounts, pass employer_access.

Example:

employer_access

Required. Your URL-encoded redirect URL. Must match the redirect URL you specify when you request an authorization code.

Example:

Encode

https://www.acerecruitersllc.com/oauth/indeed

to

https%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed%3Fmy-param%3Dpass-me-this-value

String

Authorization code. Valid for 10 minutes.

Example:

rXZSMNyYQHQ

String

Optional. Appears only if you pass it in the request.

Example:

employer1234

String

Your access token.

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpv[...]

String

Your ID token — see the OpenID Connect 1.0 specification.

Example:

"eyJraWQiOiJlMzEzZTc4My1lM2YwLTQ3ZWMtY[...]

Integer

Token is valid for one hour (3600 seconds).

Example:

3600

String

Value is always Bearer.

Example:

Bearer

String

You'll receive a refresh token only when you request the offline_access scope. Store this securely. It expires 60 days after your most recent refresh request.

Example:

rXZSMNyYQHQ

String

The actual permissions granted to your app. For example, email and offline_access scopes. Scopes are space-delimited. See scopes.

Example:

email offline_access

String

A space-delimited string of all scopes that the user has granted to your app. Can include scopes that are not in this current access token – scopes in that token are represented by the scope field. This field is only included if the user grants the offline_access scope.

Example:

email offline_access

string

Unique identifier for the user's account.

Example:

string

User's email address.

Example:

boolean

Indicates whether the user has verified their email address.

Example:

true

object

List of employer accounts, including IDs and names, associated with the user account. This field requires that the user grant the employer_access scope.