How a LinkedIn Connection Request Actually Gets Automated

May 23, 2026 · simon balfe

If you sell for a living, you have probably used a LinkedIn automation tool. Expandi, Heyreach, Linked Helper, Dripify.

They all send connection requests on your behalf. Almost none of them explain what’s actually happening when they do it.

This post follows a single connection request from the Connect button all the way down to the one thing LinkedIn actually receives.

The human version

What you do yourself:

  • Open the prospect’s LinkedIn profile.
  • Click the blue Connect button.
  • A box pops up asking if you want to add a note.
  • Type a short message and hit Send.
  • They get a notification. If they accept, you’re connected.

That’s the visible part. The invisible part is what automation has to copy.

What’s actually going on when you click Send

Pressing Send doesn’t really “click” anything. Your browser quietly sends a short, structured message to LinkedIn’s computers. The technical name for that message is an HTTP request, the standard way browsers and servers talk.

The message says, in effect:

“Create a new invitation from me to this person, with this note.”

Three things travel with it every time:

  • An address. A specific spot inside LinkedIn that handles invitations. It sits inside LinkedIn’s behind-the-scenes API (called Voyager, the same one their mobile app uses). The exact URL is voyagerRelationshipsDashMemberRelationships?action=verifyQuotaAndCreateV2. One front door, every invite goes through it.
  • A small package of info. Who the invite is for, and what note to include. The prospect isn’t identified by the URL you see in your browser. They have an internal ID called a URN that looks like urn:li:fsd_profile:ACoAAB1234.... The tool has to look this up first.
  • Proof it’s really you. Your browser carries a login token called the li_at cookie. Anyone holding a valid one can act as that account. It also carries an extra security code (a CSRF token) so random websites can’t trick your browser into firing invites for them, and a small stamp (x-li-page-instance) saying “I was on Jane’s profile when I clicked.”

If any of those three are missing or wrong, the invite fails.

What automation actually does

An automation tool does the same three things, without you clicking.

The recipe:

  • Grab a copy of your li_at from your browser, one time, by hand.
  • Look up the prospect’s URN inside LinkedIn.
  • Build the same HTTP request a browser would build: prospect URN, note, login proof.
  • Send it to that one URL.
  • Read the reply. If it worked, log it. If it didn’t, react.

That’s the whole trick. Build the same request your browser would build, then send it without the browser.

What LinkedIn says back

LinkedIn’s reply is just a number (an HTTP status code) and a short body. You never see it yourself. The tool sees it and reacts.

  • 200 — OK, done. Invite sent. Counter ticks up.
  • 429 — you’ve hit your weekly limit. LinkedIn caps invites somewhere around 100 to 200 per account per week. The cap moves around without warning.
  • 403 — you look like a bot. The account needs a cool-down before it can send more.
  • Error body saying “already connected” or “already invited”. Skip the prospect.

Those four cases cover almost every outcome. A good tool handles each one quietly so you don’t have to.

Why automation tools sometimes open a real browser anyway

If the recipe is so simple, why do some tools run a hidden Chrome in the background?

  • LinkedIn occasionally fires an anti-bot challenge on this endpoint. Solving it needs a real browser, because the challenge runs as code inside the page.
  • Faking the login proof by hand is fiddly. A real browser builds it all for you (cookies, CSRF token, page stamp), so the tool doesn’t have to maintain a perfect impersonation.

For the actual invite, though, no browser is strictly required, as long as the impersonation holds up.

The picture in three lines

  • A connection request is an HTTP request from your browser to one URL inside LinkedIn’s Voyager API.
  • Automation is software that builds the same request without you clicking.
  • Everything LinkedIn checks (login proof, prospect URN, note, weekly cap) gets checked at that one URL.

What this post deliberately skipped

This was just the endpoint, for a single account. In practice, even running one account safely wraps it in a few more layers, each worth its own post:

  • Proxies. The account needs its own home-looking internet connection. Cheap data-centre IPs get flagged on sight.
  • Fingerprints. The account has to pretend to be the same specific computer every time it appears. Same browser version, screen size, time zone.
  • Warming. A new account can’t just start firing invites. It needs a slow ramp of normal browsing first.
  • Impossible travel. If the account suddenly appears in London, Berlin, and São Paulo on the same day, it gets restricted.

If your automation tool is misbehaving and you’ve ruled out the endpoint-level basics, the cause is almost always one of those four.
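Seen from the platform's side, the impossible-travel rule in the last bullet comes down to a speed check between consecutive sightings of the same account. The sketch below is an added example, not code from this post or from LinkedIn. The event tuples, account names, coordinates and both thresholds are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample events: (account, UTC timestamp, city, lat, lon).
EVENTS = [
    ("acct-1", "2026-05-20T08:00:00", "London", 51.5074, -0.1278),
    ("acct-1", "2026-05-20T08:45:00", "Berlin", 52.5200, 13.4050),
    ("acct-1", "2026-05-20T15:00:00", "São Paulo", -23.5505, -46.6333),
    ("acct-2", "2026-05-20T08:00:00", "London", 51.5074, -0.1278),
    ("acct-2", "2026-05-21T10:00:00", "Berlin", 52.5200, 13.4050),
]

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruise speed
MIN_KM = 100.0   # assumed floor: ignore small jumps from IP-geolocation error


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (account, from_city, to_city, implied_kmh) for each flagged hop."""
    last_seen = {}
    alerts = []
    # ISO-8601 timestamps sort correctly as strings within one account.
    for acct, ts, city, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if acct in last_seen:
            p_when, p_city, p_lat, p_lon = last_seen[acct]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Two distant sightings at the same instant imply infinite speed.
            kmh = km / hours if hours > 0 else math.inf
            if km >= min_km and kmh > max_kmh:
                alerts.append((acct, p_city, city, round(kmh, 1)))
        last_seen[acct] = (when, city, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)
```

Both hops for acct-1 are flagged, while acct-2, which takes more than a day to cover the same London to Berlin distance, is not.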