Create a JSON web token for Experience Edge APIs
Experience Edge for XM provides the following APIs that help you administer your Edge tenant and provide access to your content:
- Delivery API - GraphQL API that provides access to your published content.
- Token API - REST API that enables you to manage the API keys used to access the Delivery API.
- Admin API - REST API that enables you to configure your Edge tenant.
You can also request a JWT for the Authoring and Management API or the Deploy API.
Authorizing your requests
To interact with the Experience Edge APIs, you must authorize your requests depending on the API you want to use.
Delivery API
To authorize your requests to the Delivery API, you must generate an Edge token and include it in every call to the API. You can generate an Edge token in any of the following ways:
- Using the Deploy app.
- Using the Deploy REST API. To do this, you must first request a JSON web token (JWT) for Experience Edge.
- Using the Token API. To do this, you must first request a JSON web token (JWT) for Experience Edge.
Token API and Admin API
To authorize your requests to the Token API or the Admin API:
- Create an Edge administration client for an environment. This generates a client ID and client secret.
- Request a JWT for Experience Edge using the client ID and client secret. This generates a JSON web token (JWT). You must include the JWT in the
Authorizationheader of every API request you make.
Request a JWT
Before you begin
- Create an Edge administration client for your environment in SitecoreAI Deploy. This generates a client ID and client secret.
You'll use the client ID and client secret when creating a JWT.
To request a JSON web token (JWT) for Experience Edge, make the following HTTP request using either a JSON or a URL-encoded format:
POST https://auth.sitecorecloud.io/oauth/token
You must provide the following required attributes in the request body:
| Attribute | Type | Description | Value |
|---|---|---|---|
| audience | string | The group of APIs the JWT is intended for. | https://api.sitecorecloud.io |
| grant_type | string | The method used to obtain the JWT. | client_credentials |
| client_id | string | The client ID of your Edge administration client.If you don't know this value, first create an Edge administration client. | Your client ID.Example: or27P5db... |
| client_secret | string | The client secret of your Edge administration client.If you don't know this value, first create an Edge administration client. | Your client secret.Example: ctrWEP7Rd3... |
JSON
URL-encoded
Here's an example response:
In the response:
access_tokencontains the JWT. You can use the JWT to:- Generate an Edge token using the Deploy REST API or the Token API. This lets you authorize your requests to the Delivery API.
- Authorize requests to the Token API or Admin API.
scopedefines the resources the JWT provides access to. The resources depend on the type of credentials you created.expires_indefines the validity of the JWT in seconds. Note that JWTs typically expire in 24 hours. After that time, the token is no longer valid and you must request a new token.token_typedefines the type of token created, such as Bearer.
Security considerations
JWTs issued by Sitecore are signed using RS256. Before using a JWT, use your JWT library to validate it against Sitecore's JSON Web Key Set (JWKS) URI:
https://auth.sitecorecloud.io/.well-known/jwks.json
The JWKS URI provides the public keys used to verify the signature. Configure your JWT library to check the expected issuer (https://auth.sitecorecloud.io/) and audience (https://api.sitecorecloud.io), and ensure expiry checking is not disabled. Consult your library's documentation to confirm which of these are validated automatically. Never use a JWT you did not obtain directly from your own credentials request.