The XING API uses OAuth 1.0 to authenticate the user and to let the user authorize the client application to access their data. For a complete description of the OAuth workflow, please consult the OAuth 1.0 Protocol specification (RFC 5849).

Common OAuth request parameters

For your reference, here are the basic OAuth parameters that are expected to be passed into most of the calls described in this documentation:

Parameters

oauth_token

Once obtained through the relevant authorization calls (see below), your consumer application is expected to pass a valid access token to calls that actually return XING data.

oauth_consumer_key

The consumer key assigned to your application. If in doubt, please contact the API team.

oauth_version

Version of the OAuth protocol used. Since the API currently only supports version 1.0, this will always need to be set to 1.0.

oauth_signature_method

The method your consumer uses to sign requests. The API currently supports the PLAINTEXT and HMAC-SHA1 methods. Note that with PLAINTEXT the consumer secret and token secret themselves are sent as the signature, so it is only acceptable over TLS; prefer HMAC-SHA1.

oauth_signature

The actual signature for your request. Please see the OAuth 1.0 specification, section 3.4 for details on how to build these signatures.

oauth_timestamp

The current UNIX timestamp as seen by the client machine, expressed as the number of seconds since January 1, 1970 00:00:00 UTC. The value must be a positive integer, must be equal to or greater than the timestamp used in the consumer's previous requests, and must not be older than 24 hours. The server evaluates these rules against its own clock, so keep the client clock synchronized.

oauth_nonce

A random string ("number used once") that uniquely identifies the request you are making. Your consumer application must ensure that every request uses a new nonce that has not been used within the last 24 hours. The API stores nonces for 24 hours and rejects requests that reuse one. Together with the timestamp this prevents simple replay attacks, in which an attacker re-sends a captured request unchanged without needing to recover any secret.
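Putting the parameters above together, here is an added example (it is not part of the XING documentation and not code from any XING library) of how a consumer computes oauth_signature for both supported methods following RFC 5849 section 3.4, builds the Authorization header, and, for the server side, how the timestamp and nonce rules are enforced to stop replays. The consumer key and secret values and the api.xing.com host in request_token_header are placeholders, and the known-answer vector is the one from Appendix A of the OAuth Core 1.0 specification, not XING data.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    """Section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay as-is."""
    return quote(str(value), safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string (section 3.4.1): METHOD & base URI & normalized parameters."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"      # default ports are dropped from the base URI
    base_uri = f"{scheme}://{host}{parts.path}"
    # query and oauth_* parameters are normalized together; oauth_signature is never signed
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)   # sort by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: encoded consumer secret '&' encoded token secret ('secret&' before a token exists)."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(method, url, params, consumer_secret, token_secret=""):
    """oauth_signature for the two methods the API supports."""
    key = signing_key(consumer_secret, token_secret)
    sm = params["oauth_signature_method"]
    if sm == "PLAINTEXT":
        return key                         # secrets go over the wire in clear: TLS only
    if sm == "HMAC-SHA1":
        mac = hmac.new(key.encode(), base_string(method, url, params).encode(), hashlib.sha1)
        return base64.b64encode(mac.digest()).decode()
    raise ValueError(f"unsupported oauth_signature_method: {sm}")


def oauth_params(consumer_key: str, token: str = None, method: str = "HMAC-SHA1") -> dict:
    """Fresh protocol parameters: a CSPRNG nonce plus the current UNIX timestamp."""
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(16),
              "oauth_signature_method": method, "oauth_timestamp": str(int(time.time())),
              "oauth_version": "1.0"}
    if token:
        params["oauth_token"] = token
    return params


def authorization_header(params: dict) -> str:
    """Section 3.5.1 transport: Authorization: OAuth name="encoded value", ..."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


def request_token_header(consumer_key, consumer_secret, url) -> str:
    """Step-one request: no token yet, so the signing key is 'consumer_secret&'."""
    p = oauth_params(consumer_key)
    p["oauth_signature"] = sign("POST", url, p, consumer_secret)
    return authorization_header(p)


class ReplayGuard:
    """Server side of the timestamp/nonce rules: ts > 0, at most 24 h old, not below the
    consumer's previous ts; a (consumer, nonce) pair is rejected if seen within 24 h."""
    WINDOW = 24 * 3600

    def __init__(self):
        self.seen = {}       # (consumer_key, nonce) -> accepted timestamp
        self.last_ts = {}    # consumer_key -> highest accepted timestamp

    def accept(self, consumer_key: str, nonce: str, timestamp: str, now: float) -> bool:
        ts = int(timestamp) if timestamp.isdigit() else 0   # non-numeric -> rejected below
        if ts <= 0 or now - ts > self.WINDOW or ts < self.last_ts.get(consumer_key, 0):
            return False
        self.seen = {k: v for k, v in self.seen.items() if now - v <= self.WINDOW}
        if (consumer_key, nonce) in self.seen:
            return False                   # replayed request
        self.seen[(consumer_key, nonce)] = ts
        self.last_ts[consumer_key] = ts
        return True


# Known-answer test from OAuth Core 1.0, Appendix A.5 (not XING data).
VECTOR_PARAMS = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
                 "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
                 "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0"}


def vector_signature() -> str:
    return sign("GET", "http://photos.example.net/photos?file=vacation.jpg&size=original",
                VECTOR_PARAMS, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")
```

vector_signature() returns tR3+Ty81lMeYAr/Fid0kMTYa/WM=, the value the specification's appendix lists for that request; request_token_header("key", "secret", "https://api.xing.com/v1/request_token") (placeholder values, host assumed) yields a header with no oauth_token, which is exactly the request_token case described below. The ReplayGuard shows why a nonce alone is not enough: the 24-hour window on the timestamp is what bounds how long the server has to remember nonces.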

Authentication & authorization

In order to obtain a valid access token, your application needs to perform the following three steps:

Obtaining a Request Token

POST /v1/request_token

Returns a temporary token used to initiate the authentication and authorization process. This call can also be invoked via GET.

The request token will be valid for 10 minutes.

Parameters

oauth_consumer_key required

The consumer key assigned to your application.

oauth_callback required

The URL to which the user-agent is redirected after authorization has been granted. Non-web clients can also use a custom URL scheme such as myapp://callback. The provided URL is verified by the API. Domain names containing non-ASCII characters must be converted to their IDN (Punycode) form first. For test consumers any callback is accepted. If the client is not reachable via a URL, use the value oob for out-of-band mode; the user is then shown a PIN verifier page.

oauth_signature_method required

The method your consumer is using to sign requests. The API currently supports the PLAINTEXT and HMAC-SHA1 methods.

oauth_signature required

The signature for your request. When calculating it, remember that no token exists yet: do not send oauth_token, and use an empty token secret, so the signing key is the percent-encoded consumer secret followed by an ampersand (consumer_secret&).

Please see the OAuth 1.0 specification, section 3.4 for details on how to build these signatures.

If successful, this call returns the following form-encoded key/value pairs in the response body:

Response Parameters

oauth_token

The request token to be used in the next call. Please note that this token is not an access token and you will not be able to perform calls with it in order to access XING data. Instead, your application should use the call described next to exchange this request token for an access token.

oauth_token_secret

The secret for this request token. This should be used to generate the request signature as described in OAuth 1.0 specification, section 3.4.

oauth_callback_confirmed

This parameter distinguishes the current protocol revision, in which oauth_callback is sent with the request_token call, from earlier ones. Its value is always true; your application should still verify it before continuing.

Obtaining User Authorization

GET /v1/authorize

Rather than calling this URL directly, your application redirects the user to it so that the user can log in and authorize the application; the API then sends the user back to your application.

After successful authorization, the API redirects the user to the URL given in the previous call's oauth_callback parameter, appending a randomly generated verifier as the oauth_verifier parameter (per the OAuth 1.0 specification the redirect also carries the request token as oauth_token; check that it matches the one you issued before exchanging the verifier).

If oauth_callback was set to oob, the verifier is instead displayed to the user in the browser, and your application should prompt the user to enter it into an input control native to your application.

Parameters

oauth_token required

The request token obtained previously.

Obtaining an Access Token

POST /v1/access_token

Once the user has completed the authentication and authorization step, your application is expected to try to exchange its previously obtained request token for an access token.

This access token is used in subsequent calls to retrieve actual XING data. Your application is expected to store it, together with its secret, so that later application starts do not force the user through the OAuth handshake again. Treat the pair like a password and keep it in protected storage (for example the platform keychain): anyone holding both can act as the user until the token is revoked.

This call can be invoked via GET as well.

Parameters

oauth_token required

The request token obtained previously.

oauth_verifier required

The oauth_verifier value you received during the authorization step.

If successful, this call returns the following form-encoded key/value pairs in the response body:

Response Parameters

oauth_token

The access token your application should use in order to access the user's data.

oauth_token_secret

The access token's secret, used for generating signatures in subsequent calls as described in OAuth 1.0 specification, section 3.4.

user_id

The scrambled user ID of the current user. Your application will need to remember this because it serves as an entry point to most of the data calls.
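The three steps above, as an added example that is not part of the XING documentation or of any XING client library. It models the client-side state and the checks a practitioner wants between the steps: the oauth_callback_confirmed check, binding the returned verifier to the request token you issued, the 10-minute request-token lifetime, the oob variant, and single use of the request token. The HTTP calls themselves and their signing are left out; the api.xing.com host, the my_consumer_key value and the token, secret and verifier strings in demo() are constructed placeholders, not captured traffic.

```python
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Host assumed for illustration; the page only specifies the /v1/authorize path.
AUTHORIZE_URL = "https://api.xing.com/v1/authorize"
REQUEST_TOKEN_TTL = 10 * 60        # request tokens are valid for 10 minutes


def parse_token_response(body: str, required: tuple) -> dict:
    """Decode the form-encoded key/value body returned by request_token and access_token
    and refuse to continue if a field the next step depends on is missing or empty."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    missing = [k for k in required if not fields.get(k)]
    if missing:
        raise ValueError(f"token response is missing {missing}")
    return fields


class Handshake:
    """Client-side state of the three-step flow. Everything stays in memory here; the
    access token and secret returned at the end belong in protected storage."""

    def __init__(self, consumer_key: str, callback: str = "oob"):
        self.consumer_key, self.callback = consumer_key, callback
        self.request_token = self.request_secret = None
        self.issued_at = None

    def take_request_token(self, body: str, now: float) -> str:
        """Step 1: consume the POST /v1/request_token response."""
        f = parse_token_response(
            body, ("oauth_token", "oauth_token_secret", "oauth_callback_confirmed"))
        if f["oauth_callback_confirmed"] != "true":
            raise ValueError("server did not confirm the callback; refusing pre-1.0a flow")
        self.request_token, self.request_secret = f["oauth_token"], f["oauth_token_secret"]
        self.issued_at = now
        return self.request_token

    def authorize_url(self) -> str:
        """Step 2: the URL the user-agent is redirected to (never fetched directly)."""
        return AUTHORIZE_URL + "?" + urlencode({"oauth_token": self.request_token})

    def verifier_from_callback(self, redirected_to: str) -> str:
        """Step 2, callback variant: pull oauth_verifier out of the redirect back to us.
        The oauth_token in the callback must be the request token we issued; otherwise a
        verifier obtained for somebody else's request token could be spliced in."""
        q = {k: v[0] for k, v in parse_qs(urlsplit(redirected_to).query).items()}
        if q.get("oauth_token") != self.request_token:
            raise ValueError("callback carries a different request token")
        if not q.get("oauth_verifier"):
            raise ValueError("callback carries no oauth_verifier")
        return q["oauth_verifier"]

    def verifier_from_pin(self, typed: str) -> str:
        """Step 2, oob variant: the verifier as typed in by the user from the PIN page."""
        typed = typed.strip()
        if not typed:
            raise ValueError("empty verifier")
        return typed

    def access_token_params(self, verifier: str, now: float) -> dict:
        """Step 3: parameters of the POST /v1/access_token call (signing not shown here)."""
        if self.request_token is None:
            raise ValueError("no request token; run step 1 first")
        if now - self.issued_at > REQUEST_TOKEN_TTL:
            raise ValueError("request token expired (10 min); restart the handshake")
        return {"oauth_consumer_key": self.consumer_key,
                "oauth_token": self.request_token,
                "oauth_verifier": verifier}

    def take_access_token(self, body: str) -> dict:
        """Step 3: consume the access_token response; the request token is single-use."""
        f = parse_token_response(body, ("oauth_token", "oauth_token_secret", "user_id"))
        self.request_token = self.request_secret = self.issued_at = None
        return {"token": f["oauth_token"], "secret": f["oauth_token_secret"],
                "user_id": f["user_id"]}


def demo() -> dict:
    """Walk the flow with constructed responses (not captured from the real API)."""
    h = Handshake("my_consumer_key", callback="https://myapp.example/cb")
    h.take_request_token(
        "oauth_token=rt123&oauth_token_secret=rs456&oauth_callback_confirmed=true", now=1000)
    url = h.authorize_url()
    verifier = h.verifier_from_callback(
        "https://myapp.example/cb?oauth_token=rt123&oauth_verifier=v789")
    params = h.access_token_params(verifier, now=1300)
    access = h.take_access_token("oauth_token=at1&oauth_token_secret=as1&user_id=123_abc")
    return {"authorize_url": url, "params": params, "access": access}


if __name__ == "__main__":
    print(demo())
```

Every request to request_token and access_token still has to carry the signed oauth_* parameters from the common parameters section; this class only tracks what changes between the steps. Discarding the request token after a successful exchange, and refusing a callback whose oauth_token is not the one you handed out, are the two checks most often skipped in hand-written clients.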