LinkedIn Ads User Management API Guide

Auth method: OAuth 2.0

Setup steps

1. Register an application at https://www.linkedin.com/developers/apps and obtain a Client ID and Client Secret.
2. Request the required OAuth 2.0 scopes (e.g., rw_ads, r_ads_reporting) during app configuration.
3. Redirect the user to LinkedIn's authorization endpoint: https://www.linkedin.com/oauth/v2/authorization with response_type=code, client_id, redirect_uri, scope, and state parameters.
4. Exchange the returned authorization code for an access token via POST to https://www.linkedin.com/oauth/v2/accessToken.
5. Include the access token in all API requests as a Bearer token in the Authorization header.
6. For server-to-server flows, use the 2-legged OAuth (client credentials) flow if your app is approved for it.

Required scopes

List users on an ad account

• Method: GET
• URL: https://api.linkedin.com/rest/adAccountUsers?q=accounts&accounts=List(urn:li:sponsoredAccount:{id})
• Watch out for: The accounts parameter must be URL-encoded. Multiple accounts can be passed as a comma-separated list inside List().

Request example

GET /rest/adAccountUsers?q=accounts&accounts=List(urn%3Ali%3AsponsoredAccount%3A123456)
Authorization: Bearer {access_token}
LinkedIn-Version: 202406

Response example

{
  "elements": [
    {
      "user": "urn:li:person:abc123",
      "account": "urn:li:sponsoredAccount:123456",
      "role": "CAMPAIGN_MANAGER"
    }
  ],
  "paging": {"start":0,"count":10,"total":1}
}

Get a specific ad account user

• Method: GET
• URL: https://api.linkedin.com/rest/adAccountUsers/(account:urn:li:sponsoredAccount:{id},user:urn:li:person:{personId})
• Watch out for: The compound key in the URL path must be fully URL-encoded.

Request example

GET /rest/adAccountUsers/(account:urn%3Ali%3AsponsoredAccount%3A123456,user:urn%3Ali%3Aperson%3Aabc123)
Authorization: Bearer {access_token}
LinkedIn-Version: 202406

Response example

{
  "user": "urn:li:person:abc123",
  "account": "urn:li:sponsoredAccount:123456",
  "role": "CAMPAIGN_MANAGER"
}

Add a user to an ad account

• Method: POST
• URL: https://api.linkedin.com/rest/adAccountUsers
• Watch out for: The user must have an existing LinkedIn account and must have previously accepted a connection or have a valid member URN resolvable by your app. You cannot invite net-new LinkedIn members via this API.

Request example

POST /rest/adAccountUsers
Authorization: Bearer {access_token}
LinkedIn-Version: 202406
Content-Type: application/json

{"account":"urn:li:sponsoredAccount:123456","user":"urn:li:person:abc123","role":"CAMPAIGN_MANAGER"}

Response example

HTTP 201 Created
X-RestLi-Id: (account:urn%3Ali%3AsponsoredAccount%3A123456,user:urn%3Ali%3Aperson%3Aabc123)

Update a user's role on an ad account

• Method: PATCH
• URL: https://api.linkedin.com/rest/adAccountUsers/(account:urn:li:sponsoredAccount:{id},user:urn:li:person:{personId})
• Watch out for: LinkedIn REST API PATCH uses the JSON Patch-like $set syntax, not standard JSON Merge Patch.

Request example

PATCH /rest/adAccountUsers/(account:urn%3Ali%3AsponsoredAccount%3A123456,user:urn%3Ali%3Aperson%3Aabc123)
Authorization: Bearer {access_token}
LinkedIn-Version: 202406
Content-Type: application/json

{"patch":{"$set":{"role":"ACCOUNT_MANAGER"}}}

Response example

HTTP 204 No Content

Remove a user from an ad account

• Method: DELETE
• URL: https://api.linkedin.com/rest/adAccountUsers/(account:urn:li:sponsoredAccount:{id},user:urn:li:person:{personId})
• Watch out for: Deleting the last ACCOUNT_BILLING_ADMIN will fail. Ensure at least one billing admin remains.

Request example

DELETE /rest/adAccountUsers/(account:urn%3Ali%3AsponsoredAccount%3A123456,user:urn%3Ali%3Aperson%3Aabc123)
Authorization: Bearer {access_token}
LinkedIn-Version: 202406

Response example

HTTP 204 No Content

List ad accounts accessible to the authenticated user

• Method: GET
• URL: https://api.linkedin.com/rest/adAccounts?q=search
• Watch out for: Only accounts the authenticated user has access to are returned. Use this to discover account URNs before managing users.

Request example

GET /rest/adAccounts?q=search&search=(status:(values:List(ACTIVE)))
Authorization: Bearer {access_token}
LinkedIn-Version: 202406

Response example

{
  "elements": [
    {
      "id": 123456,
      "name": "My Ad Account",
      "status": "ACTIVE",
      "type": "BUSINESS"
    }
  ]
}

Batch create ad account users

• Method: POST
• URL: https://api.linkedin.com/rest/adAccountUsers?action=bulkCreate
• Watch out for: Bulk operations return per-element status codes. Partial failures are possible; check each element's status individually.

Request example

POST /rest/adAccountUsers?action=bulkCreate
Authorization: Bearer {access_token}
LinkedIn-Version: 202406
Content-Type: application/json

{"elements":[{"account":"urn:li:sponsoredAccount:123456","user":"urn:li:person:abc123","role":"VIEWER"}]}

Response example

HTTP 200 OK
{
  "results": {
    "0": {"status": 201}
  },
  "errors": {}
}

• Rate limits: LinkedIn Marketing APIs enforce daily and per-minute rate limits per application. Limits vary by endpoint category and are enforced at the application level, not per user.
• Rate-limit headers: Yes
• Retry-After header: No
• Rate-limit notes: LinkedIn returns X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers on responses. A 429 status code is returned when limits are exceeded. The official docs do not explicitly document a Retry-After header for Marketing APIs.
• Pagination method: offset
• Default page size: 10
• Max page size: 100
• Pagination pointer: start / count

• Webhooks available: No
• Webhook notes: LinkedIn Marketing APIs do not offer native webhook support for ad account user events as of the current documentation.
• Alternative event strategy: Poll the adAccountUsers endpoint periodically to detect changes in user membership or roles.

• SCIM available: No
• SCIM version: Not documented
• Plan required: N/A
• Endpoint: Not documented

Limitations:

• LinkedIn Ads does not expose a SCIM 2.0 endpoint for ad account user management.
• LinkedIn's enterprise SSO/SCIM (for LinkedIn.com employee accounts) is separate from LinkedIn Ads account user management and does not apply to ad account roles.
• No IdP connectors (Okta, Entra ID, etc.) are available for LinkedIn Ads ad account user provisioning via SCIM.

Three core automation scenarios are supported by the API.

First, provisioning: POST to /rest/adAccountUsers with the target account URN, the user's urn:li:person:{id} URN, and the desired role enum

but the member URN must be known in advance, as there is no Marketing API endpoint to resolve a user by email address.

Second, role updates: PATCH to the compound key (account:urn:li:sponsoredAccount:{id},user:urn:li:person:{personId}) using LinkedIn's $set patch syntax, not standard JSON Merge Patch.

Third, cross-account auditing: paginate GET /rest/adAccountUsers per account using start and count parameters (max page size 100), but note that each paginated request counts against the 500 calls/day application-level rate limit

plan pagination budgets carefully across large account portfolios.

Bulk provisioning via ?action=bulkCreate is available but returns per-element status codes;

partial failures are possible and must be checked individually.

Provision a new user as Campaign Manager on an ad account

1. Obtain the target ad account URN by calling GET /rest/adAccounts?q=search and locating the account by name or ID.
2. Obtain the LinkedIn member URN for the user (urn:li:person:{id}) via the Profile API or from a prior OAuth flow where the user authenticated.
3. Call POST /rest/adAccountUsers with the account URN, user URN, and role: CAMPAIGN_MANAGER.
4. Verify the 201 Created response and store the compound key for future updates or removal.

Watch out for: If the member URN is unknown, there is no Marketing API endpoint to look up a user by email. The user must authenticate via OAuth to expose their URN, or you must use the People Search API (requires separate approval).

Update a user's role from Viewer to Account Manager

1. Construct the compound key: (account:urn:li:sponsoredAccount:{id},user:urn:li:person:{personId}).
2. Call PATCH /rest/adAccountUsers/(compound-key) with body {"patch":{"$set":{"role":"ACCOUNT_MANAGER"}}}.
3. Confirm 204 No Content response.
4. Optionally call GET on the same compound key to verify the updated role.

Watch out for: Use the $set patch syntax specific to LinkedIn's REST framework. Standard JSON Merge Patch format will be rejected.

Audit all users across multiple ad accounts

1. Call GET /rest/adAccounts?q=search to retrieve all accessible ad account URNs.
2. For each account URN, call GET /rest/adAccountUsers?q=accounts&accounts=List(urn:li:sponsoredAccount:{id}) with pagination (start, count).
3. Iterate through paging.total to collect all users, incrementing start by count until all records are retrieved.
4. Aggregate results by account and role for reporting.

Watch out for: Each paginated request counts against your daily rate limit. For accounts with many users, plan pagination carefully to avoid exhausting the 500 calls/day limit across all operations.

The most significant integration trap is URN resolution: there is no Marketing API endpoint to look up a LinkedIn member URN by email, meaning any identity graph that stores users by email must either require users to complete an OAuth flow to expose their URN or obtain separate approval for the People Search API.

A second trap is the compound key URL-encoding requirement - urn:li:sponsoredAccount:123456 must be percent-encoded in path parameters, and malformed keys return opaque errors. OAuth access tokens expire after 60 days in 3-legged flows; refresh token handling (365-day validity) must be implemented explicitly or automations will silently fail.

Finally, Marketing API production access requires LinkedIn application review and approval; sandbox access is limited, which constrains pre-production testing of provisioning workflows.