Request a JWT for the CM instance using OAuth
Create the access token that you need to call the protected APIs in the CM instance.
The XM Cloud CM instance API uses the OAuth authorization framework for security. OAuth allows one program to authorize another program to make changes on behalf of an account holder or end-user.
Note
You can also request a JWT for Experience Edge XM using OAuth.
To run any operation in the XM Cloud CM instance API, the caller must first obtain an authentication token in JSON Web Token (JWT) format and include it in every call to the CM instance. After successful authentication, the calling application receives an access token, which it can use to call the CM instance APIs.
OAuth endpoint
When requesting a JWT, you must make a POST request to the OAuth endpoint:
https://auth.sitecorecloud.io/oauth/token
Request headers
For the following cURL example, the data is encoded as form data. Therefore, the POST request must specify the Content-Type request header with the value application/x-www-form-urlencoded.
Request body
The body of the JWT request to the OAuth endpoint must include the following properties:
Name | Value |
---|---|
audience | https://api.sitecorecloud.io |
grant_type | client_credentials |
client_id | The client ID for your tenant as provided by Sitecore. |
client_secret | The client secret for your tenant as provided by Sitecore. |
Request a token
To request an access token for the CM instance APIs, use a POST request.
For example, request the JWT using the curl client:
curl --request POST --url "https://auth.sitecorecloud.io/oauth/token" --header "content-type: application/x-www-form-urlencoded" --data audience=https://api.sitecorecloud.io --data grant_type=client_credentials --data client_id=<your-client-id> --data client_secret=<your-client-secret>
You receive the access_token, token_type, and expires_in values.
After you enable the GraphQL IDE, you can use the retrieved access token as the Bearer token to authorize the GraphQL IDE or to authorize HTTP requests.
Important
Pay attention to the expires_in property of the response because JWTs typically expire in 24 hours. After that time, the token is invalid and you must request a new token.
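The following added example (not Sitecore's own code) sends the same form-encoded request as the cURL call above, caches the access token, and requests a new one shortly before expires_in elapses. The TokenCache class, the 60-second skew, and the environment variable names SITECORE_CLIENT_ID and SITECORE_CLIENT_SECRET are assumptions made for illustration.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.sitecorecloud.io/oauth/token"
AUDIENCE = "https://api.sitecorecloud.io"

def post_form(url, fields):
    """POST form-encoded fields and return the decoded JSON response."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(fields).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Holds one access token and renews it shortly before it expires."""
    def __init__(self, client_id, client_secret, send=post_form, clock=time.monotonic, skew=60):
        self._fields = {
            "audience": AUDIENCE,
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        }
        self._send, self._clock, self._skew = send, clock, skew
        self._token, self._deadline = None, 0.0

    def token(self):
        if self._token is None or self._clock() >= self._deadline:
            body = self._send(TOKEN_URL, self._fields)
            if not body.get("access_token") or "expires_in" not in body:
                raise ValueError("token response is missing access_token or expires_in")
            self._token = body["access_token"]
            # Renew `skew` seconds early so a request never carries an expired token.
            self._deadline = self._clock() + max(int(body["expires_in"]) - self._skew, 0)
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}

if __name__ == "__main__":
    # Assumed variable names; keeps the secret out of argv, shell history and source.
    cache = TokenCache(os.environ["SITECORE_CLIENT_ID"], os.environ["SITECORE_CLIENT_SECRET"])
    print("token acquired, length", len(cache.token()))
```

Reusing one cached token per process also avoids sending the client secret over the network more often than the token lifetime requires.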