Request a JWT for Experience Edge XM using OAuth

Sitecore Experience Edge for XM uses the OAuth authorization framework for security. OAuth allows one program to authorize another to make changes on behalf of an account holder or end-user.

To run any operation in any protected Experience Edges APIs other than the Delivery API, the caller must first obtain an authentication token (in JSON Web Token (JWT) format) and include it in every call to Edge. Following successful authentication, the calling application has access to an access token, which can be used to call the protected APIs.

OAuth endpoint

When requesting a JWT, you must make a POST request to the OAuth endpoint:


Request headers

For the following cURL examples, the data is encoded as form data. Therefore the POST request must specify the Content-Type request header with the value application/x-www-form-urlencoded .

The endpoint accepts other content-type headers, such as application/json.

Request body

The body of the JWT request to the OAuth endpoint must include the following properties:







The client ID for your tenant, as provided by Sitecore.


The client secret for your tenant, as provided by Sitecore.

To request a token:

  1. Request an access token for the Experience Edge APIs using a POST request.

    For example, request the JWT using the curl client:

    curl --request POST --url "" --header "content-type: application/x-www-form-urlencoded" --data audience= --data grant_type=client_credentials --data client_id=<your-client-id> --data client_secret=<your-client-secret> 

    You receive the access_token, token_type, and expires_in values.

  2. Pass the retrieved access token as a Bearer token in the Authorization header of your HTTP request.


Pay attention to the expires_in property of the response because JWTs typically expire in 24 hours. After that time, the token is invalid, and you must request a new token.

Do you have some feedback for us?

If you have suggestions for improving this article,