Skip to main content

Request a JWT for the CM instance using OAuth


Create the access token that you need to call the protected APIs in the CM instance.

The XM Cloud CM instance API uses the OAuth authorization framework for security. OAuth allows one program to authorize another program to make changes on behalf of an account holder or end-user.

To run any operation in the XM Cloud CM instance API, the caller must first obtain an authentication token in JSON Web Token (JWT) format and include it in every call to the CM instance. Following successful authentication, the calling application has access to an access token, which can be used to call the CM instance APIs.

OAuth endpoint

When requesting a JWT, you must make a POST request to the OAuth endpoint:

Request headers

For the following cURL example, the data is encoded as form data. Therefore the POST request must specify the Content-Type request header with the value application/x-www-form-urlencoded .

Request body

The body of the JWT request to the OAuth endpoint must include the following properties:







The client ID for your tenant as provided by Sitecore.


The client secret for your tenant as provided by Sitecore.

Request a token

To request an access token for the CM instance APIs, use a POST request.

For example, request the JWT using the curl client:

curl --request POST --url "" --header "content-type: application/x-www-form-urlencoded" --data audience= --data grant_type=client_credentials --data client_id=<your-client-id> --data client_secret=<your-client-secret>

You receive the access_token, token_type, and expires_in values.

After you enable the GraphQL IDE, you can use the retrieved access token as the Bearer token to authorize the GraphQL IDE or to authorize HTTP requests.


Pay attention to the expires_in property of the response because JWTs typically expire in 24 hours. After that time, the token is invalid and you must request a new token.