line-login
LINE Login
Do not answer LINE Login questions from memory — LINE updates APIs frequently and training data is unreliable. Always consult the references below.
LINE Login v2.1 is built on OAuth 2.0 and OpenID Connect. It provides user authentication, profile access, and bot linking for web apps, native apps (iOS/Android), Unity, and Flutter.
Workflow
Build
- Read references/api-common.md (forward compatibility, rate limits, client_secret rules)
- Read references/security.md (security checklist, development guidelines)
- Load the relevant reference for the feature being implemented
- Write code following specs and constraints from references
Review / Debug
- Read references/api-common.md (status codes, error responses, forward compatibility)
- Read references/security.md (security checklist, common pitfalls)
- Load relevant references for the code being reviewed
- Cross-check code against specs (parameter requirements, token expiry, signing algorithms, required validations)
- Report violations with reference to specific constraints
Environment Variables
LINE_LOGIN_CHANNEL_ID=LINE Login Channel ID
LINE_LOGIN_CHANNEL_SECRET=Channel secret (ID token verification, token exchange)
LINE_LOGIN_REDIRECT_URI=Registered callback URL
Common Specifications
Read references/api-common.md before writing any LINE Login code. It contains rules that affect all API interactions: forward compatibility (don't use strict schemas; LINE adds fields without notice), rate limits, the conditional client_secret requirement by app type, error responses, and logging recommendations.
OAuth 2.1 Authorization Code Flow
User → authorize endpoint → LINE Login screen → callback with code → token exchange → access_token + id_token
Minimal Flow (pseudocode)
```
# 1. Redirect user to authorize
state = random_token()
session.save(state)
redirect to:
  https://access.line.me/oauth2/v2.1/authorize?
    response_type=code
    &client_id={channel_id}
    &redirect_uri={callback_url}
    &state={state}
    &scope=profile%20openid%20email

# 2. Callback: exchange code for token
if params.state != session.state:
  return 403  # CSRF check failed
POST https://api.line.me/oauth2/v2.1/token
  grant_type=authorization_code
  &code={params.code}
  &redirect_uri={callback_url}
  &client_id={channel_id}
  &client_secret={channel_secret}

# 3. Response
{ access_token, token_type, refresh_token, expires_in, id_token, scope }
```
| Step | Endpoint |
|---|---|
| Authorize | GET https://access.line.me/oauth2/v2.1/authorize |
| Token Exchange | POST https://api.line.me/oauth2/v2.1/token |
- Scopes: profile, openid, email (space-separated)
- Authorization code: valid 10 minutes, one-time use
- PKCE: recommended for public clients (SPA/Mobile), only S256 supported
Full authorize parameters, PKCE, scope combinations, error codes → references/oauth-flow.md
Token Management
| Operation | Endpoint |
|---|---|
| Verify Access Token | GET https://api.line.me/oauth2/v2.1/verify?access_token={token} |
| Refresh Token | POST https://api.line.me/oauth2/v2.1/token (grant_type=refresh_token) |
| Revoke Token | POST https://api.line.me/oauth2/v2.1/revoke |
| Verify ID Token | POST https://api.line.me/oauth2/v2.1/verify (id_token + client_id) |
| Token | Validity |
|---|---|
| Access Token | 30 days |
| Refresh Token | 90 days |
ID Token signing: HS256 (web login) / ES256 (native app, SDK, LIFF)
Full token APIs, ID Token claims, signing verification → references/token-management.md
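Local verification of an HS256-signed web-login ID token, as an added example (not this skill's or LINE's code). It assumes the channel secret is the HMAC key and that the issuer is https://access.line.me, both to be confirmed against references/token-management.md; the function names are hypothetical. ES256 tokens from native apps, SDKs or LIFF need public-key verification and are rejected here.

```python
import base64
import hashlib
import hmac
import json
import time

LINE_ISSUER = "https://access.line.me"  # assumed issuer; confirm in the reference


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def hs256(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def verify_id_token_hs256(id_token, channel_id, channel_secret, now=None) -> dict:
    """Return the claims of a web-login ID token, or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed ID token") from exc
    # Pin the algorithm server-side; a token claiming "none" or "ES256" stops here.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hs256(channel_secret, f"{header_b64}.{payload_b64}")
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))  # trusted only after the MAC check
    now = time.time() if now is None else now
    if claims.get("iss") != LINE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != channel_id:
        raise ValueError("token issued for another channel")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or exp missing")
    return claims
```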
User & Bot Linking
| Operation | Endpoint |
|---|---|
| Get User Profile | GET https://api.line.me/v2/profile |
| Check Friendship | GET https://api.line.me/friendship/v1/status |
| Deauthorize | POST https://api.line.me/user/v1/deauthorize |
- bot_prompt parameter: normal (on consent screen) / aggressive (separate screen after consent)
- friendship_status_changed: included in token response when bot linking is configured
Full user profile, bot linking logic → references/user-profile.md
Security
- state: must be cryptographically random, always validate on callback
- PKCE: use for public clients (SPA, mobile apps)
- Channel Secret: server-side only, never expose to client
- redirect_uri: must be HTTPS
- ID Token: always verify signature before trusting claims
Full security checklist, development guidelines, auto login failure handling → references/security.md
Reference Index
| File | Topic |
|---|---|
| references/api-common.md | Read first. Rate limits, status codes, forward compatibility, client_secret rules, logging |
| references/oauth-flow.md | Authorization flow, PKCE, scopes, auth methods, error codes |
| references/token-management.md | Token exchange/refresh/revoke/verify, ID Token claims and signing |
| references/security.md | Security checklist, development guidelines, auto login failure, login button design |
| references/user-profile.md | User profile API, Link a Bot, friendship status |
| references/experts.md | LINE Login domain experts for architecture guidance |
SDK
Native SDKs: iOS (Swift) | Android | Unity | Flutter
For web apps, use the OAuth 2.1 flow directly (no SDK required).