abgne/line-login
skills/line-login/SKILL.md
Comprehensive reference for LINE Login (OAuth 2.1) — authorization code flow, PKCE, token management, ID token JWT verification, user profiles, bot linking, and login button design. This skill should be used when the user asks to "implement LINE Login", "add Log in with LINE", "set up OAuth authorization flow", "verify an ID token", "refresh an access token", "link a bot to login", "design a login button", or mentions LINE Login, OAuth 2.1, PKCE, authorization code flow, ID token JWT verification, token refresh/revocation, user profile retrieval, bot linking, SSO login, LIFF authentication, or LINE MINI App authentication. Always use this skill whenever the user mentions LINE authentication, social login with LINE, or OAuth flows involving LINE, even if they don't explicitly say "LINE Login".
development
Updated Mar 26, 2026
$ install --global
skillsauthnpx skillsauth add abgne/line-dev line-loginInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
70%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 7, 2026, 1:56 PM211.7s1 file scanned
SKILL.md
- name:
- line-login
- description:
- Comprehensive reference for LINE Login (OAuth 2.1) — authorization code flow, PKCE, token management, ID token JWT verification, user profiles, bot linking, and login button design. This skill should be used when the user asks to "implement LINE Login", "add Log in with LINE", "set up OAuth authorization flow", "verify an ID token", "refresh an access token", "link a bot to login", "design a login button", or mentions LINE Login, OAuth 2.1, PKCE, authorization code flow, ID token JWT verification, token refresh/revocation, user profile retrieval, bot linking, SSO login, LIFF authentication, or LINE MINI App authentication. Always use this skill whenever the user mentions LINE authentication, social login with LINE, or OAuth flows involving LINE, even if they don't explicitly say "LINE Login".
LINE Login
Do not answer LINE Login questions from memory — LINE updates APIs frequently and training data is unreliable. Always consult the references below.
LINE Login v2.1 is built on OAuth 2.0 and OpenID Connect. It provides user authentication, profile access, and bot linking for web apps, native apps (iOS/Android), Unity, and Flutter.
Workflow
Build
- Read references/api-common.md (forward compatibility, rate limits, client_secret rules)
- Read references/security.md (security checklist, development guidelines)
- Load the relevant reference for the feature being implemented
- Write code following specs and constraints from references
Review / Debug
- Read references/api-common.md (status codes, error responses, forward compatibility)
- Read references/security.md (security checklist, common pitfalls)
- Load relevant references for the code being reviewed
- Cross-check code against specs (parameter requirements, token expiry, signing algorithms, required validations)
- Report violations with reference to specific constraints
Environment Variables
LINE_LOGIN_CHANNEL_ID=LINE Login Channel ID
LINE_LOGIN_CHANNEL_SECRET=Channel secret (ID token verification, token exchange)
LINE_LOGIN_REDIRECT_URI=Registered callback URL
Common Specifications
Read references/api-common.md before writing any LINE Login code. Contains rules that affect all API interactions: forward compatibility (don't use strict schemas — LINE adds fields without notice), rate limits, client_secret conditional requirement by App types, error responses, and logging recommendations.
OAuth 2.1 Authorization Code Flow
User → authorize endpoint → LINE Login screen → callback with code → token exchange → access_token + id_token
Minimal Flow (pseudocode)
# 1. Redirect user to authorize
state = random_token()
session.save(state)
redirect to:
https://access.line.me/oauth2/v2.1/authorize?
response_type=code
&client_id={channel_id}
&redirect_uri={callback_url}
&state={state}
&scope=profile%20openid%20email
# 2. Callback — exchange code for token
if params.state != session.state:
return 403 # CSRF check failed
POST https://api.line.me/oauth2/v2.1/token
grant_type=authorization_code
&code={params.code}
&redirect_uri={callback_url}
&client_id={channel_id}
&client_secret={channel_secret}
# 3. Response
{ access_token, token_type, refresh_token, expires_in, id_token, scope }
| Step | Endpoint |
|------|----------|
| Authorize | GET https://access.line.me/oauth2/v2.1/authorize |
| Token Exchange | POST https://api.line.me/oauth2/v2.1/token |
- Scopes:
profile,openid,email(space-separated) - Authorization code: valid 10 minutes, one-time use
- PKCE: recommended for public clients (SPA/Mobile), only
S256supported
Full authorize parameters, PKCE, scope combinations, error codes → references/oauth-flow.md
Token Management
| Operation | Endpoint |
|-----------|----------|
| Verify Access Token | GET https://api.line.me/oauth2/v2.1/verify?access_token={token} |
| Refresh Token | POST https://api.line.me/oauth2/v2.1/token (grant_type=refresh_token) |
| Revoke Token | POST https://api.line.me/oauth2/v2.1/revoke |
| Verify ID Token | POST https://api.line.me/oauth2/v2.1/verify (id_token + client_id) |
| Token | Validity | |-------|----------| | Access Token | 30 days | | Refresh Token | 90 days |
ID Token signing: HS256 (web login) / ES256 (native app, SDK, LIFF)
Full token APIs, ID Token claims, signing verification → references/token-management.md
User & Bot Linking
| Operation | Endpoint |
|-----------|----------|
| Get User Profile | GET https://api.line.me/v2/profile |
| Check Friendship | GET https://api.line.me/friendship/v1/status |
| Deauthorize | POST https://api.line.me/user/v1/deauthorize |
bot_promptparameter:normal(on consent screen) /aggressive(separate screen after consent)friendship_status_changed: included in token response when bot linking is configured
Full user profile, bot linking logic → references/user-profile.md
Security
- state: must be cryptographically random, always validate on callback
- PKCE: use for public clients (SPA, mobile apps)
- Channel Secret: server-side only, never expose to client
- redirect_uri: must be HTTPS
- ID Token: always verify signature before trusting claims
Full security checklist, development guidelines, auto login failure handling → references/security.md
Reference Index
| File | Topic | |------|-------| | references/api-common.md | Read first. Rate limits, status codes, forward compatibility, client_secret rules, logging | | references/oauth-flow.md | Authorization flow, PKCE, scopes, auth methods, error codes | | references/token-management.md | Token exchange/refresh/revoke/verify, ID Token claims and signing | | references/security.md | Security checklist, development guidelines, auto login failure, login button design | | references/user-profile.md | User profile API, Link a Bot, friendship status | | references/experts.md | LINE Login domain experts for architecture guidance |
SDK
Native SDKs: iOS (Swift) | Android | Unity | Flutter
For web apps, use the OAuth 2.1 flow directly (no SDK required).
Related Skills
abgne/messaging-api
development
VerifiedTrustedCommunity
Comprehensive reference for LINE Messaging API — webhook setup, message sending, Flex Message design, Rich Menu management, audience targeting, insights, coupons, and channel access tokens. This skill should be used when the user asks to "build a LINE Bot", "set up a webhook", "send a push message", "design a Flex Message", "create a Rich Menu", "manage audience targeting", "get messaging insights", "create a coupon campaign", "debug webhook signature verification", or mentions LINE Messaging API, LINE OA chatbot, reply/push/multicast/narrowcast/broadcast, Flex Message JSON, Rich Menu, group chat bot, channel access token, or URL schemes. Always use this skill whenever the user mentions LINE bots, chatbots, LINE OA, or any messaging-related LINE integration, even if they don't explicitly say "Messaging API".
SKILL.mdUpdated Mar 26, 2026
abgne/line-notification-message
development
VerifiedTrustedCommunity
Reference for LINE Notification Messages — phone-number-based messaging to non-friends, template type (premade layouts) and flexible type (custom Flex Message), delivery completion webhooks, user consent flow, SMS authentication, and billing. Use when the user asks to "send a notification message via phone number", "hash a phone number for PNP", "handle delivery completion webhook", "set up template or flexible notification", "check notification message count", "integrate LON", or mentions LINE notification messages, LINE Official Notification (LON), PNP push, phone-number-based delivery, hashed phone number, notification template, delivery completion event, consent states, or SMS authentication for notifications. Always use this skill whenever the user mentions LINE notification messages, PNP, LON, LINE Official Notification, LINE 通知型訊息, or phone-based LINE messaging to non-friends, even if they don't explicitly say "notification message".
SKILL.mdUpdated Mar 26, 2026
abgne/line-mini-app
development
VerifiedTrustedCommunity
Comprehensive reference for LINE MINI App — Service Messages, Common Profile Quick Fill, In-App Purchase, Console setup (3 internal channels), submission review, and performance guidelines for web apps running inside LINE as an enhanced LIFF platform. This skill should be used when the user asks to "build a LINE MINI App", "send a service message", "set up Common Profile Quick Fill", "implement in-app purchase", "configure MINI App Console", "submit MINI App for review", or mentions LINE MINI App, Service Messages, notification token, Common Profile, IAP purchase flow, 3 internal channels, consent simplification, Custom Path, custom share messages, or verified vs unverified MINI App. Always use this skill whenever the user mentions LINE MINI App, mini apps in LINE, or enhanced LIFF features like service messages or in-app purchase, even if they don't explicitly say "MINI App".
SKILL.mdUpdated Mar 26, 2026
abgne/line-liff
tools
VerifiedTrustedCommunity
Comprehensive reference for LINE Front-end Framework (LIFF) SDK — building web apps inside LINE with authentication, messaging, QR scanning, permanent links, pluggable SDK, and LIFF plugin development. This skill should be used when the user asks to "build a LIFF app", "initialize liff.init()", "send messages from LIFF", "use Share Target Picker", "scan a QR code in LIFF", "create a permanent link", "develop a LIFF plugin", or mentions LIFF SDK, LINE Front-end Framework, CDN/npm integration, pluggable SDK tree-shaking, LIFF-to-LIFF transitions, LIFF browser vs external browser, Endpoint URL configuration, or server-side ID token verification from LIFF. Always use this skill whenever the user mentions LIFF, web apps inside LINE, or LINE Front-end Framework, even if they don't explicitly say "LIFF SDK".
SKILL.mdUpdated Mar 26, 2026