Generate a JSON Web Token (JWT)

Sitecore Experience Edge uses the OAuth authorization framework for security. OAuth allows one program to authorize another program to make changes on behalf of an account holder or end-user.

To execute an operation in the Experience Edge APIs, the calling system must first obtain an authentication token (in JWT format) and include it in every request. Following successful authentication, the calling application has access to an access token used to call the protected APIs.


To request an access token, you use a POST request. Using curl, the access-token request has the following form:

curl --request POST --url "<auth_url>/oauth/token" --header "content-type: application/x-www-form-urlencoded" --data grant_type=client_credentials --data client_id=<client_id> --data client_secret=<client_secret> --data audience=https://<audience_domain>/<tenant_id>curl --request POST --url " auth_url /oauth/token" --header "content-type: application/x-www-form-urlencoded" --data grant_type=client_credentials --data client_id= client_id --data client_secret= client_secret --data audience=https:// audience_domain / tenant_id 

The authority URL, auth_url, can have one of two values:

  • For sandbox and preproduction instances:

  • For all other instances:

The audience domain, audience_domain, can have one of two values:

  • For sandbox and preproduction:

  • For production:

Additional parameters are described in the following table.




Set this to client_credentials.


The client ID for your tenant.


The client secret for your tenant.


The audience for your tenant, in the form https://<audience_domain>/<tenant_id>, where audience_domain is described above and tenant_id is your tenant ID.

Access the client ID and client secret

To access the client ID and client secret:

  1. On the menu bar, click Manage .

  2. On the Manage page, click OAuth clients.

  3. On the OAuth clients page, click the Delivery client name to open the View details dialog box where the client ID and client secret are displayed.

Access tenant ID

To access the tenant ID, go to /api/status/license on your Content Hub instance. The tenant ID will be in details.tenant.


Your tenant ID is typically the name of your Content Hub instance.


In response to the request, you receive the access_token, token_type, and expires_in values. You can pass the retrieved access token as a Bearer token in the authorization header of your HTTP requests.


The period after which JWTs expire is defined by the expires_in property. This is typically set to 24 hours. When one of these tokens expires, it is no longer valid and a new one must be requested.

Do you have some feedback for us?

If you have suggestions for improving this article,