Authentication overview

Line's authentication framework is designed to secure programmatic interactions with its services, primarily the Messaging API and LINE Login. For API requests to the Line Messaging API, authentication relies on Channel Access Tokens. These tokens authorize applications to send messages, manage rich menus, and perform other actions on behalf of a Line Official Account. For user-specific operations, such as obtaining user profiles or linking Line accounts with external services, Line implements OAuth 2.0 through LINE Login.

The authentication process typically involves obtaining specific credentials from the LINE Developers Console. These credentials, such as Channel IDs and Channel Secrets, are used to issue and validate tokens. Webhook requests, which are sent from Line to a configured endpoint, include a signature that can be verified to confirm the request's authenticity.

Supported authentication methods

Line supports distinct authentication methods tailored to different interaction types:

  • Channel Access Token (Bearer Token): Used for server-to-server communication with the Line Messaging API. This token is included in the Authorization header of HTTP requests as a Bearer token. It grants applications permission to act on behalf of a Line Official Account.
  • OAuth 2.0 (LINE Login): Implemented for user authorization flows, enabling applications to obtain user consent to access their Line profile information (e.g., user ID, display name, profile picture) and other authorized permissions. LINE Login supports various OAuth 2.0 grant types, including the authorization code flow, which is standard for web applications and mobile apps.
  • Webhook Signature Verification: For incoming webhook events (e.g., messages from users, postbacks), Line includes an X-Line-Signature header. This signature is generated using HMAC-SHA256 with the Channel Secret. Developers must verify this signature to ensure that webhook requests originate from Line and have not been tampered with. This practice helps prevent unauthorized requests and enhances the security of webhook endpoints.

Authentication methods comparison

| Method | When to Use | Security Level |
|---|---|---|
| Channel Access Token | Accessing Messaging API (server-to-server) | High (requires secure storage and HTTPS) |
| OAuth 2.0 (LINE Login) | User authorization, accessing user profile data | High (standardized protocol, secure token exchange) |
| Webhook Signature Verification | Validating incoming webhook requests from Line | High (prevents spoofing and tampering) |

Getting your credentials

To authenticate with Line's APIs, you need to obtain specific credentials from the LINE Developers Console. The primary credentials include:

  1. Channel ID: A unique identifier for your Line channel.
  2. Channel Secret: A confidential key used to sign requests and verify webhook signatures. It is crucial to keep this secret secure.
  3. Channel Access Token: This token is issued dynamically. For the Messaging API, you will typically issue a short-lived channel access token programmatically using your Channel ID and Channel Secret. For LINE Login, after a user authorizes your application, an authorization code is exchanged for an access token and optionally a refresh token.

Steps to obtain credentials:

  1. Create a Line Developer Account: If you don't have one, register for a Line Developer account.
  2. Create a Provider: In the LINE Developers Console, create a new Provider, which represents the entity offering services (e.g., your company or project).
  3. Create a Channel: Within your Provider, create a new channel. You will typically create a "Messaging API" channel for chatbot and messaging features, and potentially a "LINE Login" channel for user authentication.
  4. Retrieve Channel ID and Channel Secret: After creating a channel, navigate to the "Basic settings" tab of your channel in the console. Here you will find your Channel ID and Channel Secret.
  5. Issue Channel Access Token (Messaging API): For the Messaging API, you will need to issue a channel access token. Short-lived tokens can be issued directly from the "Messaging API" tab in the Developers Console for testing, but for production, it's recommended to programmatically issue channel access tokens using your Channel ID and Channel Secret. These tokens have a limited validity period (e.g., 30 days) and should be refreshed.
  6. Configure LINE Login Callback URLs: If using LINE Login, configure the callback URL(s) in the "LINE Login" tab of your channel settings. This is where Line will redirect users after authorization.
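Step 5 above says to issue short-lived channel access tokens programmatically and refresh them before they expire. The following is an added example, not code from Line's SDKs, of a small provider that does both: it posts the `client_credentials` grant (Channel ID and Channel Secret as form fields) to Line's short-lived channel access token endpoint, caches the returned token with its `expires_in`, and re-issues it an hour before expiry. `fetchImpl` and `now` are injectable so the expiry logic can be exercised without network access; the environment variable names in `providerFromEnv` are an assumption of this example.

```javascript
// Added example (not LINE's SDK code): issue a short-lived Messaging API channel
// access token and refresh it before it expires. The endpoint and form fields
// are the ones LINE documents for short-lived channel access tokens.
const TOKEN_ENDPOINT = 'https://api.line.me/v2/oauth/accessToken';

class ChannelAccessTokenProvider {
  constructor({ channelId, channelSecret, fetchImpl = globalThis.fetch, now = Date.now,
                refreshMarginMs = 60 * 60 * 1000 }) {
    if (!channelId || !channelSecret) throw new Error('channelId and channelSecret are required');
    this.channelId = String(channelId);
    this.channelSecret = channelSecret;
    this.fetchImpl = fetchImpl;      // injectable for offline tests
    this.now = now;                  // injectable clock (epoch ms)
    this.refreshMarginMs = refreshMarginMs;
    this.token = null;
    this.expiresAt = 0;              // epoch ms at which the token expires
    this.issueCount = 0;             // number of calls made to the token endpoint
  }

  // True while the cached token is still comfortably inside its validity window.
  hasFreshToken() {
    return this.token !== null && this.now() < this.expiresAt - this.refreshMarginMs;
  }

  async getToken() {
    if (this.hasFreshToken()) return this.token;
    // The secret travels only in the POST body over HTTPS, never in a URL.
    const body = new URLSearchParams({
      grant_type: 'client_credentials',
      client_id: this.channelId,
      client_secret: this.channelSecret,
    });
    const res = await this.fetchImpl(TOKEN_ENDPOINT, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    });
    this.issueCount += 1;
    if (!res.ok) {
      // Do not echo the secret or the raw response into logs.
      throw new Error(`channel access token request failed with HTTP ${res.status}`);
    }
    const data = await res.json();
    if (typeof data.access_token !== 'string' || !Number.isFinite(data.expires_in)) {
      throw new Error('unexpected token response shape');
    }
    this.token = data.access_token;
    this.expiresAt = this.now() + data.expires_in * 1000;
    return this.token;
  }

  // Header for a Messaging API call such as /v2/bot/message/push.
  async authorizationHeader() {
    return { Authorization: `Bearer ${await this.getToken()}` };
  }
}

// Typical wiring: credentials come from the environment (variable names are an
// assumption of this example), never from source code.
function providerFromEnv() {
  return new ChannelAccessTokenProvider({
    channelId: process.env.LINE_CHANNEL_ID,
    channelSecret: process.env.LINE_CHANNEL_SECRET,
  });
}
```

Usage: `const headers = await providerFromEnv().authorizationHeader();` before each Messaging API request. Because `getToken` re-issues only when the cached token is within `refreshMarginMs` of expiry, a long-running service never sends a token that is about to lapse, and the Channel Secret is read once at startup rather than on every request.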

Authenticated request example

This example demonstrates how to send a text message using the Line Messaging API, authenticated with a Channel Access Token. The request uses a Node.js environment, but the principles apply across other Line SDKs.

```javascript
// Push a text message to one user via the Messaging API, authenticated with a
// Channel Access Token sent as a Bearer token.
const axios = require('axios');

// In production, load the token from an environment variable or a secret store
// rather than hardcoding it (see "Security best practices" below).
const CHANNEL_ACCESS_TOKEN = 'YOUR_CHANNEL_ACCESS_TOKEN'; // Replace with your actual token
const USER_ID = 'Uxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'; // Replace with the Line user ID to send a message to

const messagePayload = {
  to: USER_ID,
  messages: [
    {
      type: 'text',
      text: 'Hello, this is a test message from Line API!'
    }
  ]
};

axios.post('https://api.line.me/v2/bot/message/push',
  messagePayload,
  {
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${CHANNEL_ACCESS_TOKEN}`
    }
  })
  .then(response => {
    console.log('Message sent successfully:', response.data);
  })
  .catch(error => {
    // A 401 here usually means the token is missing, expired, or revoked.
    console.error('Error sending message:', error.response ? error.response.data : error.message);
  });
```

In this example:

  • YOUR_CHANNEL_ACCESS_TOKEN must be replaced with a valid Channel Access Token.
  • USER_ID is the recipient's Line user ID.
  • The Authorization header contains the Bearer token, which is the Channel Access Token.
  • The Content-Type header is set to application/json.
  • The request is sent to the /v2/bot/message/push endpoint.

Security best practices

Implementing strong security measures is critical when working with Line's authentication:

  • Protect Channel Secrets: Your Channel Secret is a sensitive credential. Never hardcode it in your application's source code, commit it to version control, or expose it in client-side code. Use environment variables, secret management services (like AWS Secrets Manager or Google Secret Manager), or secure configuration files to store it.
  • Secure Channel Access Tokens: While Channel Access Tokens are not as sensitive as Channel Secrets, they still grant access to your Line Official Account. Store them securely and ensure they are transmitted only over HTTPS. For short-lived tokens, refresh them before expiration.
  • Validate Webhook Signatures: Always verify the X-Line-Signature header on incoming webhook requests. This prevents unauthorized third parties from sending spoofed requests to your webhook endpoint. Line provides documentation on webhook signature validation for various programming languages. Without validation, your application could process malicious or faked events.
  • Use HTTPS Everywhere: All communication with Line's APIs and your webhook endpoints should occur over HTTPS to encrypt data in transit and prevent man-in-the-middle attacks.
  • Implement OAuth 2.0 Securely: When using LINE Login, adhere to OAuth 2.0 best practices. Use the authorization code flow with PKCE (Proof Key for Code Exchange) for public clients (mobile apps, SPAs) to mitigate authorization code interception attacks. Always validate the state parameter to prevent cross-site request forgery (CSRF).
  • Scope Permissions Carefully: When setting up LINE Login, request only the necessary permissions (scopes) from users. Requesting excessive permissions can reduce user trust and introduce unnecessary security risks.
  • Error Handling and Logging: Implement robust error handling for authentication failures and log relevant security events. Monitor these logs for unusual activity that might indicate an attempted breach.
  • Token Revocation: Understand how to revoke access tokens and refresh tokens in case of a security incident or when a user unlinks their Line account from your service.
  • Regular Security Audits: Periodically review your application's security posture, including how credentials are managed and how authentication flows are implemented.