Request a JWT for the Authoring and Management API or the Deploy API
To run any operation on the Sitecore Authoring and Management GraphQL API or the Deploy API, obtain an authentication token in JSON Web Token (JWT) format and include it in every call to the API.
For authorization, the Sitecore Authoring and Management API and the Deploy API use the OAuth authorization framework.
You can also request a JWT for Experience Edge XM using OAuth.
Before you can request a JWT, you need to create client credentials consisting of a client ID and client secret. The type of credentials required depends on which API you want to access.
- For the Authoring and Management API of a specific environment, you need to create an Environment automation client.
- For the Deploy API, or for the Authoring and Management APIs of all environments in an organization, you need to create an Organization automation client.
Request a JWT
To request a JWT for the Deploy API or the Authoring and Management API:
- Make a POST request to https://auth.sitecorecloud.io/oauth/token, and include the following properties:

| Name | Value |
| --- | --- |
| audience | https://api.sitecorecloud.io |
| grant_type | client_credentials |
| client_id | The client ID of your automation client. |
| client_secret | The client secret of your automation client. |
If your request is successful, you receive the access_token, scope, expires_in, and token_type values. The scope depends on the type of credentials you created.
Use the access token value to authorize requests to the Authoring and Management API or the Deploy API.
Pay attention to the expires_in property of the response because JWTs typically expire in 24 hours. After that time, the token is invalid and you must request a new token.
Example
For the following cURL example, the data is encoded as form data. Therefore the POST request includes the Content-Type request header with the value application/x-www-form-urlencoded:

curl --request POST \
  --url "https://auth.sitecorecloud.io/oauth/token" \
  --header "content-type: application/x-www-form-urlencoded" \
  --data "audience=https://api.sitecorecloud.io" \
  --data "grant_type=client_credentials" \
  --data "client_id=<your-client-id>" \
  --data "client_secret=<your-client-secret>"

The request returns the following response:
{
"access_token": "eyJhbGciOiJSUzI1NiI...",
"scope": "xmclouddeploy.organizations:manage xmclouddeploy.projects:manage xmclouddeploy.environments:manage...",
"expires_in": 86400,
"token_type": "Bearer"
}

Some code examples, images, and UI labels may still use XM Cloud while engineering assets are being updated.
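The following Python sketch is an added example, not Sitecore's code. It sends the same form-encoded request as the cURL call, reuses the JWT until shortly before expires_in elapses, and rejects a response that is not a Bearer token. The environment variable names SITECORE_CLIENT_ID and SITECORE_CLIENT_SECRET, the TokenCache class, and the 300-second refresh margin are assumptions made for illustration.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.sitecorecloud.io/oauth/token"
AUDIENCE = "https://api.sitecorecloud.io"


def fetch_token(client_id, client_secret, timeout=10):
    """POST the client-credentials form from the page and return the parsed JSON."""
    form = urllib.parse.urlencode({
        "audience": AUDIENCE,
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


class TokenCache:
    """Reuses one JWT until shortly before expires_in elapses, then refetches."""

    def __init__(self, fetch, clock=time.monotonic, skew=300):
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._deadline = None, 0.0

    def authorization_header(self):
        if self._token is None or self._clock() >= self._deadline:
            body = self._fetch()
            if body.get("token_type") != "Bearer" or not body.get("access_token"):
                raise ValueError("unexpected token response")  # never echo the body
            # Refresh `skew` seconds early so in-flight calls do not carry a stale token.
            self._deadline = self._clock() + max(int(body["expires_in"]) - self._skew, 0)
            self._token = body["access_token"]
        return {"Authorization": "Bearer " + self._token}


if __name__ == "__main__":
    # Assumed variable names; keeps the secret out of argv and shell history.
    cache = TokenCache(lambda: fetch_token(os.environ["SITECORE_CLIENT_ID"],
                                           os.environ["SITECORE_CLIENT_SECRET"]))
    print(sorted(cache.authorization_header()))  # prints header names only
```

Reading the credentials from the environment keeps the client secret out of the process list and shell history, where a --data argument on the command line would expose it.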