Module 2: Setting Up Your LINE OA
From creating an OA to configuring the Messaging API webhook.
2.1 Create Your LINE OA
- Go to manager.line.biz and log in with your LINE account
- Click Create Official Account
- Choose a category that matches your business
- Fill in profile details: name, description, profile image, cover image
- Submit for approval (usually takes 1-3 business days)
🇪🇩 Thailand Tip
You'll need a Thai business registration or ID card for verification if you want a Verified Account (blue badge). For Premium ID (@yourname), you need at least the Basic plan.
2.2 LINE Developers Console
The LINE Developers Console is where you manage API access for your OA. You need to create a Messaging API channel linked to your OA.
- Go to developers.line.biz/console
- Create a new Provider (or use existing)
- Click Create a Messaging API channel
- Select your OA from the dropdown (or create a new one)
- Fill in channel details (name, description, app type, etc.)
- After creation, go to the Messaging API tab
Provider is a grouping concept. One provider can have multiple channels (e.g., one OA + one LINE Login channel). All channels under one provider share the same webhook endpoint.
2.3 Channel Credentials
In your channel settings, you'll find these critical values:
| Credential | Where to find | Used for |
|---|---|---|
| Channel Secret | Basic Settings tab | Signing webhook events, generating access tokens |
| Channel Access Token | Messaging API tab (issue button) | Authenticating all API requests |
| Your User ID | Basic Settings tab | Your own LINE user ID for testing |
| Bot Basic ID | Messaging API tab | @xxx ID for users to add your OA |
⚠ Security: Never commit your Channel Secret or Access Token to version control. Use environment variables. If leaked, revoke the token immediately from the console.
2.4 Webhook Configuration
The webhook is how LINE tells your server about user actions (messages sent, followed, etc.).
- In the Messaging API tab, set Webhook URL to your server endpoint, e.g.
https://yourdomain.com/webhook - Toggle Use webhook ON
- Click Verify — LINE will send a test ping to your endpoint
- Toggle Auto-reply messages (bot) OFF if you want full control via API
Webhook Verification (Node.js Example)
const express = require('express');
const crypto = require('crypto');
const app = express();
app.post('/webhook', express.json(), (req, res) => {
// Verify signature (REQUIRED for production)
const signature = req.headers['x-line-signature'];
const body = JSON.stringify(req.body);
const expected = crypto
.createHmac('SHA256', process.env.CHANNEL_SECRET)
.update(body)
.digest('base64');
if (signature !== expected) {
return res.status(401).send('Invalid signature');
}
// Process events
req.body.events.forEach(event => {
console.log('Event:', event.type, event);
});
res.status(200).send('OK');
});
app.listen(3000);
Webhook Verification (Python Example)
from flask import Flask, request, abort
import hashlib, hmac, json
app = Flask(__name__)
CHANNEL_SECRET = 'your-channel-secret'
@app.route('/webhook', methods=['POST'])
def webhook():
signature = request.headers.get('X-Line-Signature')
body = request.get_data(as_text=True)
hash = hmac.new(
CHANNEL_SECRET.encode('utf-8'),
body.encode('utf-8'),
hashlib.sha256
).digest()
if signature != hmac.new(
CHANNEL_SECRET.encode('utf-8'),
body.encode('utf-8'),
hashlib.sha256
).hexdigest().encode('utf-8'):
# Use the proper comparison in production:
expected = base64.b64encode(hash).decode()
if signature != expected:
abort(401)
events = request.json['events']
for event in events:
print(f"Event: {event['type']}", event)
return 'OK'
if __name__ == '__main__':
app.run(port=3000)
2.5 Channel Access Token (Short-lived vs Long-lived)
You need a Channel Access Token to call LINE APIs. Two types:
| Type | Validity | Issuance | Use case |
|---|---|---|---|
| Short-lived (v2.1) | 30 days | API with Channel Secret | Production — auto-refresh |
| Long-lived | No expiry | LINE Developers Console | Development, testing |
For production, use the short-lived token and refresh it automatically:
// Issue a short-lived token
POST https://api.line.me/v2/oauth/accessToken
Body (x-www-form-urlencoded):
grant_type=client_credentials
client_id={YOUR_CHANNEL_ID}
client_secret={YOUR_CHANNEL_SECRET}
Response:
{
"access_token": "...",
"expires_in": 2592000, // 30 days in seconds
"token_type": "Bearer"
}
2.6 Disable Auto-reply in OA Manager
When using the Messaging API, you should disable the OA Manager's built-in auto-reply to avoid double responses:
- Go to manager.line.biz → Your OA
- Go to Settings → Bot settings
- Set Auto-reply messages to OFF
- Set Greeting message as desired (can be done via API too)
The Greeting message (sent when someone adds your OA) CAN be set in OA Manager even while using the Messaging API. Or you can send it yourself via the API when you receive a
follow webhook event.
2.7 First API Call — Verify Your Setup
Test your setup by calling the bot info endpoint:
curl -H "Authorization: Bearer {CHANNEL_ACCESS_TOKEN}" \
https://api.line.me/v2/bot/info
Expected response:
{
"userId": "U...",
"basicId": "@...",
"premiumId": "@...",
"displayName": "Your OA Name",
"pictureUrl": "https://...",
"chatMode": "chat",
"markAsReadMode": "auto"
}
If you get a response, your token and channel are correctly configured.
2.8 Quick Setup Checklist
- ☑ LINE OA created and approved
- ☑ Messaging API channel created in Developers Console
- ☑ Webhook URL configured and verified
- ☑ Channel Access Token issued (short-lived for production)
- ☑ Channel Secret stored as environment variable
- ☑ Auto-reply disabled in OA Manager
- ☑ Server code running and responding to webhooks
- ☑ Bot info API call returns successfully