Skip to main content

Request a JWT for Experience Edge XM using OAuth

Abstract

Create the access token that you need to call the protected APIs.

Sitecore Experience Edge for XM uses the OAuth authorization framework for security. OAuth allows one program to authorize another to make changes on behalf of an account holder or end-user.

To run any operation in any protected Experience Edges APIs other than the Delivery API, the caller must first obtain an authentication token (in JSON Web Token (JWT) format) and include it in every call to Edge. Following successful authentication, the calling application has access to an access token, which can be used to call the protected APIs.

OAuth endpoint

When requesting a JWT, you must make a POST request to the OAuth endpoint:

https://auth.sitecorecloud.io/oauth/token

Request headers

For the following cURL examples, the data is encoded as form data. Therefore the POST request must specify the Content-Type request header with the value application/x-www-form-urlencoded .

The endpoint accepts other content-type headers, such as application/json.

Request body

The body of the JWT request to the OAuth endpoint must include the following properties:

Name

Value

audience

https://auth.sitecorecloud.io

grant_type

client_credentials

client_id

The client ID for your tenant is provided by Sitecore.

client_secret

The client secret for your tenant, as provided by Sitecore.

To request a token:

  1. Request an access token for the Experience Edge APIs using a POST request.

    For example, request the JWT using the curl client:

    curl --request POST --url "https://auth.sitecorecloud.io/oauth/token" --header "content-type: application/x-www-form-urlencoded" --data audience=https://auth.sitecorecloud.io --data grant_type=client_credentials --data client_id=<your-client-id> --data client_secret=<your-client-secret> 

    You receive the access_token, token_type, and expires_in values.

  2. Pass the retrieved access token as a Bearer token in the Authorization header of your HTTP request.

Important

Pay attention to the expires_in property of the response because JWTs typically expire in 24 hours. After that time, the token is invalid, and you must request a new token.