Module 2: Setting Up Your LINE OA

From creating an OA to configuring the Messaging API webhook.

⏱ 20 min read 📖 Beginner

2.1 Create Your LINE OA

  1. Go to manager.line.biz and log in with your LINE account
  2. Click Create Official Account
  3. Choose a category that matches your business
  4. Fill in profile details: name, description, profile image, cover image
  5. Submit for approval (usually takes 1-3 business days)
🇪🇩 Thailand Tip
You'll need a Thai business registration or ID card for verification if you want a Verified Account (blue badge). For Premium ID (@yourname), you need at least the Basic plan.

2.2 LINE Developers Console

The LINE Developers Console is where you manage API access for your OA. You need to create a Messaging API channel linked to your OA.

  1. Go to developers.line.biz/console
  2. Create a new Provider (or use existing)
  3. Click Create a Messaging API channel
  4. Select your OA from the dropdown (or create a new one)
  5. Fill in channel details (name, description, app type, etc.)
  6. After creation, go to the Messaging API tab
Provider is a grouping concept. One provider can have multiple channels (e.g., one OA + one LINE Login channel). All channels under one provider share the same webhook endpoint.

2.3 Channel Credentials

In your channel settings, you'll find these critical values:

CredentialWhere to findUsed for
Channel SecretBasic Settings tabSigning webhook events, generating access tokens
Channel Access TokenMessaging API tab (issue button)Authenticating all API requests
Your User IDBasic Settings tabYour own LINE user ID for testing
Bot Basic IDMessaging API tab@xxx ID for users to add your OA
⚠ Security: Never commit your Channel Secret or Access Token to version control. Use environment variables. If leaked, revoke the token immediately from the console.

2.4 Webhook Configuration

The webhook is how LINE tells your server about user actions (messages sent, followed, etc.).

  1. In the Messaging API tab, set Webhook URL to your server endpoint, e.g. https://yourdomain.com/webhook
  2. Toggle Use webhook ON
  3. Click Verify — LINE will send a test ping to your endpoint
  4. Toggle Auto-reply messages (bot) OFF if you want full control via API

Webhook Verification (Node.js Example)

const express = require('express');
const crypto = require('crypto');
const app = express();

app.post('/webhook', express.json(), (req, res) => {
  // Verify signature (REQUIRED for production)
  const signature = req.headers['x-line-signature'];
  const body = JSON.stringify(req.body);
  const expected = crypto
    .createHmac('SHA256', process.env.CHANNEL_SECRET)
    .update(body)
    .digest('base64');

  if (signature !== expected) {
    return res.status(401).send('Invalid signature');
  }

  // Process events
  req.body.events.forEach(event => {
    console.log('Event:', event.type, event);
  });

  res.status(200).send('OK');
});

app.listen(3000);

Webhook Verification (Python Example)

from flask import Flask, request, abort
import hashlib, hmac, json

app = Flask(__name__)
CHANNEL_SECRET = 'your-channel-secret'

@app.route('/webhook', methods=['POST'])
def webhook():
    signature = request.headers.get('X-Line-Signature')
    body = request.get_data(as_text=True)

    hash = hmac.new(
        CHANNEL_SECRET.encode('utf-8'),
        body.encode('utf-8'),
        hashlib.sha256
    ).digest()

    if signature != hmac.new(
        CHANNEL_SECRET.encode('utf-8'),
        body.encode('utf-8'),
        hashlib.sha256
    ).hexdigest().encode('utf-8'):
        # Use the proper comparison in production:
        expected = base64.b64encode(hash).decode()
        if signature != expected:
            abort(401)

    events = request.json['events']
    for event in events:
        print(f"Event: {event['type']}", event)

    return 'OK'

if __name__ == '__main__':
    app.run(port=3000)

2.5 Channel Access Token (Short-lived vs Long-lived)

You need a Channel Access Token to call LINE APIs. Two types:

TypeValidityIssuanceUse case
Short-lived (v2.1)30 daysAPI with Channel SecretProduction — auto-refresh
Long-livedNo expiryLINE Developers ConsoleDevelopment, testing

For production, use the short-lived token and refresh it automatically:

// Issue a short-lived token
POST https://api.line.me/v2/oauth/accessToken

Body (x-www-form-urlencoded):
  grant_type=client_credentials
  client_id={YOUR_CHANNEL_ID}
  client_secret={YOUR_CHANNEL_SECRET}

Response:
{
  "access_token": "...",
  "expires_in": 2592000,  // 30 days in seconds
  "token_type": "Bearer"
}

2.6 Disable Auto-reply in OA Manager

When using the Messaging API, you should disable the OA Manager's built-in auto-reply to avoid double responses:

  1. Go to manager.line.biz → Your OA
  2. Go to SettingsBot settings
  3. Set Auto-reply messages to OFF
  4. Set Greeting message as desired (can be done via API too)
The Greeting message (sent when someone adds your OA) CAN be set in OA Manager even while using the Messaging API. Or you can send it yourself via the API when you receive a follow webhook event.

2.7 First API Call — Verify Your Setup

Test your setup by calling the bot info endpoint:

curl -H "Authorization: Bearer {CHANNEL_ACCESS_TOKEN}" \
  https://api.line.me/v2/bot/info

Expected response:

{
  "userId": "U...",
  "basicId": "@...",
  "premiumId": "@...",
  "displayName": "Your OA Name",
  "pictureUrl": "https://...",
  "chatMode": "chat",
  "markAsReadMode": "auto"
}

If you get a response, your token and channel are correctly configured.

2.8 Quick Setup Checklist

  • ☑ LINE OA created and approved
  • ☑ Messaging API channel created in Developers Console
  • ☑ Webhook URL configured and verified
  • ☑ Channel Access Token issued (short-lived for production)
  • ☑ Channel Secret stored as environment variable
  • ☑ Auto-reply disabled in OA Manager
  • ☑ Server code running and responding to webhooks
  • ☑ Bot info API call returns successfully