The XING API uses OAuth (Version 1.0) to authenticate the user and enable him to authorize the client application to access his data. This is done by performing the OAuth handshake.

The result of the OAuth handshake is an access token that authenticates the user. This token can be stored in your application until it becomes invalid; in that case you have to perform the OAuth handshake again. Reasons for invalid tokens are token expiry, token revocation by the user, or a password change.

For a complete description of the OAuth workflow, please consult the OAuth 1.0 Protocol specification.

Common OAuth request parameters

For your reference, here are the basic OAuth parameters that are expected to be passed into most of the calls described in this documentation:

Parameters

oauth_token

Once obtained through the relevant authorization calls (see below), your consumer application is expected to pass a valid access token to calls that actually return XING data.

oauth_consumer_key

The consumer key assigned to your application. If in doubt, please contact the API team.

oauth_version

Version of the OAuth protocol used. Since the API currently only supports version 1.0, this will always need to be set to 1.0.

oauth_signature_method

The method your consumer is using to sign requests. The API currently supports the PLAINTEXT and HMAC-SHA1 methods.

oauth_signature

The actual signature for your request. Please see the OAuth 1.0 specification, section 3.4 for details on how to build these signatures.

oauth_timestamp

The current UNIX timestamp as seen by the client machine, expressed as the number of seconds since January 1, 1970 00:00:00 UTC. The timestamp value must be a positive integer, must be equal to or greater than the timestamp used in previous requests, and must not be older than 24 hours.

oauth_nonce

A random string (“number used once”) that uniquely identifies the request you’re making. Your consumer application must ensure that a new and previously unused (within the last 24 hours) nonce is used with every request it makes. The API stores these nonces for 24 hours and will reject requests using a previously used nonce. This prevents simple replay attacks, in which an attacker re-sends captured requests without having to decrypt them.

Authentication & authorization

In order to obtain a valid access token, your application will need to perform the following three steps:

Obtaining a request token

POST /v1/request_token

Obtains a temporary token used to initiate the authentication and authorization process. This call can be invoked via GET as well.

The request token will be valid for 10 minutes.

Parameters

oauth_consumer_key required

The consumer key assigned to your application.

oauth_callback required

This URL will be used to redirect the user-agent after authorization has been granted. For non-web clients you can also use custom URL schemes such as myapp://callback. The provided URL will be verified. Domains containing non-ASCII characters must be converted to their ASCII-compatible IDN form (see Wikipedia: IDN). For test consumers any callback will be accepted. If the client isn't reachable via a URL, use the value oob for out-of-band mode. In this case the user will see a PIN verifier page.

oauth_signature_method required

The method your consumer is using to sign requests. The API currently supports the PLAINTEXT and HMAC-SHA1 methods.

oauth_signature required

The signature for your request. When calculating the signature, please remember to leave the access token blank because you have none yet.

Please see the OAuth 1.0 specification, section 3.4 for details on how to build these signatures.

If successful, this call returns a list of URL-encoded key/value pairs:

Response Parameters

oauth_token

The request token to be used in the next call. Please note that this token is not an access token and you will not be able to perform calls with it in order to access XING data. Instead, your application should use the call described next to exchange this request token for an access token.

oauth_token_secret

The secret for this request token. This should be used to generate the request signature as described in OAuth 1.0 specification, section 3.4.

oauth_callback_confirmed

This parameter is used to differentiate this version of the protocol from previous versions. The value is always true.

Obtaining User Authorization

GET /v1/authorize

Instead of accessing the above URL directly, your application is expected to redirect the user to it so he can authenticate and authorize the application before being redirected back to your application.

After successful authorization, the API will redirect the user to the URL specified in the previous call's oauth_callback parameter, passing a randomly generated OAuth verifier as the oauth_verifier parameter.

If oauth_callback was set to oob previously, the OAuth verifier will be displayed to the user in his browser and your application should prompt the user to enter this verifier in an input control native to your application.

Parameters

oauth_token required

The request token obtained previously.

Obtaining an Access Token

POST /v1/access_token

Once the user has completed the authentication and authorization step, your application is expected to try to exchange its previously obtained request token for an access token.

This access token will be used in subsequent calls to retrieve actual XING data. Your application is expected to store this access token so subsequent application starts won't force the user to go through the OAuth handshake again.

You have to expect that the access token can become invalid at any time. Possible reasons for invalid tokens are token expiry, token revocation by the user, or a password change.

This call implements the token credentials step as specified by RFC 5849 and can be invoked via GET as well.

Parameters

oauth_consumer_key required

The consumer key assigned to your application.

oauth_token required

The request token obtained previously.

oauth_verifier required

The oauth_verifier value you received during the authorization step.

oauth_signature_method required

The method your consumer is using to sign requests. The API currently supports the PLAINTEXT and HMAC-SHA1 methods.

oauth_signature required

The signature for your request. When calculating the signature, please remember to use the consumer key secret together with the request token secret.

Please see the OAuth 1.0 specification, section 3.4 for details on how to build these signatures.

If successful, this call returns a list of URL-encoded key/value pairs:

Response Parameters

oauth_token

The access token your application should use in order to access the user's data.

You should store this token together with the oauth_token_secret in your application. Please be aware that the token can become invalid due to various reasons at any time.

oauth_token_secret

The access token's secret, used for generating signatures in subsequent calls as described in OAuth 1.0 specification, section 3.4.
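The following is an added example, not XING's own code, showing how the HMAC-SHA1 signatures referenced throughout this page (OAuth 1.0 section 3.4) are built for the request token and access token steps: an empty token secret for /v1/request_token, the request token secret for /v1/access_token. The API host, consumer key and consumer secret are placeholders; only the paths come from the page.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

# Added example (not XING's own code). Host and credentials below are placeholders.

def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """Section 3.4.1: METHOD & encoded(base URL) & encoded(normalized parameters).
    `params` is a list of (name, value) pairs holding every oauth_* and query/body
    parameter except oauth_signature; pairs are encoded, then sorted by name and value."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Section 3.4.2: key = encoded consumer secret '&' encoded token secret.
    token_secret is empty for /v1/request_token (no token yet) and is the request
    token secret for /v1/access_token. HMAC-SHA1 is used instead of PLAINTEXT,
    whose signature is the secrets themselves and so relies entirely on TLS."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def fresh_nonce_and_timestamp():
    """A fresh random nonce plus the current UNIX time (the API keeps nonces for 24 hours)."""
    return secrets.token_hex(16), str(int(time.time()))

def signed_params(method, url, consumer_key, consumer_secret, extra=(),
                  token_secret="", nonce=None, timestamp=None):
    """Assemble the oauth_* parameters for one call and append oauth_signature."""
    if nonce is None or timestamp is None:
        nonce, timestamp = fresh_nonce_and_timestamp()
    params = [("oauth_consumer_key", consumer_key), ("oauth_signature_method", "HMAC-SHA1"),
              ("oauth_version", "1.0"), ("oauth_nonce", nonce),
              ("oauth_timestamp", timestamp)] + list(extra)
    sig = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return dict(params + [("oauth_signature", sig)])

def authorization_header(params):
    """Section 3.5.1: carry the parameters in an 'Authorization: OAuth ...' header."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))

if __name__ == "__main__":
    # Step 1 of the handshake: request token, signed with the consumer secret alone (placeholder host).
    p = signed_params("POST", "https://api.example.com/v1/request_token", "CONSUMER_KEY_PLACEHOLDER",
                      "CONSUMER_SECRET_PLACEHOLDER", extra=[("oauth_callback", "oob")])
    print(authorization_header(p))
```

For the access token step, call signed_params with extra=[("oauth_token", request_token), ("oauth_verifier", verifier)] and token_secret set to the request token secret returned by the first call.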