Authentication

To call the employer sponsored job campaigns APIs, you need the following:

  1. A client ID and secret
  2. An access token

These instructions show you how to:

Step Do this step
Get a client ID and secret One time only
Get your app’s first access token One time only
Pass your token to the API With each API call
Refresh your token An hour after the last refresh or the next time you make an API call

Get a client ID and secret

Your client ID and secret identify your app. These are also called API keys.

You only need to get these once.

One-time Steps

  1. Navigate to Indeed’s API keys page.
  2. Log in to your Indeed account.
  3. Enter your Application Name. For example, Ace Recruiters LLC.
  4. Click the Add App Key button.
  5. The page shows a token (client ID) and secret generated for your application.

Store your client ID and secret securely. Do not share them except when you pass them to Indeed in API calls.

Example

Application Name: 	Ace Recruiters LLC
Token: 			5e175cbb7f88e2048bd95323bbc9ca2fcec32ad60f95f7ee66ab53e099abe6f3
Secret: 		pJ4qRe2sdXRP0Whr3bwz9D37exFuuOtqJDRHMmmlLWV7J25rH7oItrPNCKzhaQf2

Get your app’s first access token

You must pass your own unique access token in every API call. This is different from a client ID and secret. Your access token tells us which Indeed account to look up and that you are authorized to see the information. Indeed’s access tokens use the OAuth 2.0 protocol.

Prerequisite > Make sure you already have a client ID and secret before you proceed.

Follow these one-time steps to get your app’s first access token:

  1. Request an authorization code
  2. Receive the authorization code
  3. Request the first access token
  4. Receive the token

Request Authorization Code

The owner of an Indeed employer account must authorize your app to view its Indeed campaign information.

To do this:

  1. Create an Indeed authorization link using the following URL path and parameters.
  2. In a web browser, navigate to the authorization link.
    Note: If you are an ad agency representing multiple Indeed employers, send the authorization link to the specific employer.

URL path:

https://secure.indeed.com/account/oauth

Parameters:

Name Required Description Example
client_id Required Your client ID 6nwwcdklwgktryjw2j5fxh5t2fyneule7zg7mvw3pf9jbx3wmewzlxkdz1jxvs6b
redirect_uri Required Your redirect URL. Must be URL encoded. This is the page on your site that will capture the authorization code. http%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed
response_type Required Always is code code
state Optional If you are an ad agency, use this field to identify the individual employer. Pass your own tracking ID in this field. It is returned to you with the authorization code. employer1234

Example

https://secure.indeed.com/account/oauth?client_id6nwwcdklwgktryjw2j5fxh5t2fyneule7zg7mvw3pf9jbx3wmewzlxkdz1jxvs6b&redirect_uri=http%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed&response_type=code

Receive Authorization Code

First, the employer clicks on the authorization link and logs in to Indeed’s employer site. Then a pop-up window asks the employer to allow your app access. Finally, we redirect the employer to your redirect_uri with the following parameters appended to it:

Name Description Example
code The authorization code rXZSMNyYQHQ
state An optional value; if you passed one employer1234

Your redirect_uri page must capture the code parameter.
Note: If you are an ad agency representing multiple Indeed employers, also capture the state parameter that you passed in the previous step. This parameter helps you identify the employer with your own tracking ID.

Example

GET http://www.acerecruitersllc.com/oauth/indeed?code=rXZSMNyYQHQ

Next, use the authorization code you received to get your initial access token.

Request your app’s first access token

The employer is now done with the OAuth process.

Next, send the authorization code back to Indeed for an access token.

URL path

POST https://secure.indeed.com/oauth/tokens

Note: Be sure to use the POST HTTP method.

Fields

Name Required Description Example
code Required The authorization code you received in the previous step rXZSMNyYQHQ
client_id Required Your client ID 6nwwcdklwgktryjw2j5fxh5t2fyneule7zg7mvw3pf9jbx3wmewzlxkdz1jxvs6b
client_secret Required Your client secret 02KKpg6yLXw2v3FKf5lqyFGtMQCvPBNbJIw89SoSd9fts1LAdlvwUQQ6dwhAhEXv
redirect_uri Required Your redirect URL. Must be URL encoded. http%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed
grant_type Required authorization_code authorization_code

Headers

A couple of HTTP headers are required as well:

Header Value
Content-Type application/x-www-form-urlencoded
Accept application/json

Example

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" "https://secure.indeed.com/oauth/tokens?code=rXZSMNyYQHQ&client_id=6nwwcdklwgktryjw2j5fxh5t2fyneule7zg7mvw3pf9jbx3wmewzlxkdz1jxvs6b&client_secret=02KKpg6yLXw2v3FKf5lqyFGtMQCvPBNbJIw89SoSd9fts1LAdlvwUQQ6dwhAhEXv&redirect_uri=http%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed&grant_type=authorization_code"

Receive the access token

The JSON response contains the access token and the following fields:

Name Type Description Example
access_token string Your access token E2sRNrTexRA
expires_in integer Token is valid for 1 hour (3600 seconds) 3600
token_type string Always is Bearer Bearer
refresh_token string Your refresh token. Never expires. Store this securely rXZSMNyYQHQ

Example

{
  "access_token":"E2sRNrTexRA",
  "refresh_token":"rXZSMNyYQHQ",
  "expires_in":3600,
  "token_type":"Bearer"
}

Store the access token and refresh token securely.

Pass your token to the API

In every API call, pass your access token in an Authorization header.

Access tokens are valid for 1 hour (3600 seconds), so you need to refresh the token after that.

Example

Authorization: Bearer E2sRNrTexRA

You can now call the Sponsored Job Campaigns API.

Refresh your token

Access tokens are valid for 1 hour (3600 seconds). To refresh an expired access token, use the refresh token returned with your app’s first access token. The refresh token does not expire.

URL path

POST https://secure.indeed.com/oauth/tokens

Note: Be sure to use the POST HTTP method.

Fields

Name Required Description Example
refresh_token Required The refresh token returned with your first access token rXZSMNyYQHQ
client_id Required Your client ID 6nwwcdklwgktryjw2j5fxh5t2fyneule7zg7mvw3pf9jbx3wmewzlxkdz1jxvs6b
client_secret Required Your client secret 02KKpg6yLXw2v3FKf5lqyFGtMQCvPBNbJIw89SoSd9fts1LAdlvwUQQ6dwhAhEXv
redirect_uri Required Your redirect URL. Must be URL encoded. http%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed
grant_type Required refresh_token refresh_token

A couple of headers are required as well:

Header Value
Content-Type application/x-www-form-urlencoded
Accept application/json

Example request

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" "https://secure.indeed.com/oauth/tokens?refresh_token=rXZSMNyYQHQ&client_id=6nwwcdklwgktryjw2j5fxh5t2fyneule7zg7mvw3pf9jbx3wmewzlxkdz1jxvs6b&client_secret=02KKpg6yLXw2v3FKf5lqyFGtMQCvPBNbJIw89SoSd9fts1LAdlvwUQQ6dwhAhEXv&redirect_uri=http%3A%2F%2Fwww.acerecruitersllc.com%2Foauth%2Findeed&grant_type=refresh_token"

Response

{
  "access_token":"FNEDvUYcL8o",
  "convid":"1c1a1s8540kkt89p",
  "scope":["all"],
  "token_type":"Bearer",
  "expires_in":3600
}

Note: The new access token is also valid for 1 hour only. You will need to refresh this token after that.

Pass your valid access token in each API request. See pass the token to the API.