Walkthrough: Enabling and authorizing requests to the Authoring and Management API
You can explore the Authoring and Management API with an interactive browser-based GraphQL IDE or through HTTP requests.
Querying the GraphQL Authoring and Management API programmatically or using the GraphQL IDE requires authorization.
This walkthrough describes how to:
-
Enable the GraphQL IDE.
-
Obtain an access token.
-
Obtain an additional access token (optional).
-
Authorize the GraphQL IDE.
-
Authorize HTTP requests.
Enable the GraphQL IDE
Using the IDE requires that you are at least in the sitecore\Sitecore Client Users role.
Before using the GraphQL IDE, you must enable it in your settings.
To enable the GraphQL IDE:
-
In XM Cloud Deploy, create an environment variable named
Sitecore_GraphQL_ExposePlayground
with atrue
value. If already present, update the environment variable value totrue
.ImportantWe recommend that you only enable the GraphQL IDE in nonproduction environments.
-
For the environment variable to take effect, redeploy your environment.
Obtain an access token
You must obtain an access token to authorize the GraphQL IDE or HTTP requests to perform operations against the Authoring and Management API endpoint.
To obtain an access token:
-
Log in to your XM Cloud environment by running the
dotnet sitecore cloud login
command and following the prompts. -
When logged in, the process stores an access token that you can use to set the necessary Authorization header for the GraphQL IDE and HTTP requests. From the
./sitecore/user.json
file, copy the value of theaccessToken
property and store it for later use,
If you do not require additional tokens or automation clients, continue to authorize the GraphQL IDE.
Obtain an additional access token (optional)
You can generate additional tokens if you require or prefer to use multiple tokens/automation clients, for example, one for HTTP requests and another for the GraphQL IDE.
To obtain an additional access token:
-
Create an automation client for your environment and use the client credentials flow by running the following command:
RequestResponsedotnet sitecore cloud login --client-credentials --client-id <your-client-id> --client-secret <your-client-secret> --allow-write true --xmcloudhost <your-xmcloud-host> --authority <authority-url> --audience <audience-url>
By default, the authority URL is
https://auth.sitecorecloud.io
, and the audience URL ishttps://api.sitecorecloud.io
. -
Request a Bearer token with the following command:
RequestResponsecurl --location --request POST '<authority-url>/oauth/token' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=<your-client-id>' --data-urlencode 'client_secret=<your-client-secret>' --data-urlencode 'audience=<audience-url>' --data-urlencode 'grant_type=client_credentials'
Replace the placeholders as follows:
-
<authority-url>
- with the value ofendpoints.xmCloud.authority
value from the.sitecore/user.json
file. -
<your-client-id>
- with the value ofendpoints.xmCloud.clientId
value from the.sitecore/user.json
file. -
<your-client-secret>
- with the value ofendpoints.xmCloud.clientSecret
value from the.sitecore/user.json
file. -
<audience-url>
- with the value ofendpoints.xmCloud.audience
value from the.sitecore/user.json
file.
If successful, the response is printed in the console.
RequestResponse{ "access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IkZXZ2VHTFpCWGZJcjhKZy1ieDgxRSJ9.eyJodHRwczovL2F1dGguc2l0ZWNvcmVjbG91ZC5pby9jbGFpbXMvdGVuYW50L2NkcF9jbGllbnRfa2V5IjoiMjhiMjNkZjYzZGIwMDdjMmRjYWJjMmI5NzI5YzI4YTgiLCJodHRwczovL2F1dGguc2l0ZWNvcmVjbG91ZC5pby9jbGFpbXMvb3JnX2lkIjoib3JnX0prOVJKYlFQYTBtOVBzdWwiLCJodHRwczovL2F1dGguc2l0ZWNvcmVjbG91ZC5pby9jbGFpbXMvb3JnX25hbWUiOiJ4bWNsb3VkLXRlc3Qtb3JnYW5pemF0aW9uIiwiaHR0cHM6Ly9hdXRoLnNpdGVjb3JlY2xvdWQuaW8vY2xhaW1zL29yZ19kaXNwbGF5X25hbWUiOiJYTUNsb3VkIFRlc3QgT3JnYW5pemF0aW9uIiwiaHR0cHM6Ly9hdXRoLnNpdGVjb3JlY2xvdWQuaW8vY2xhaW1zL2NsaWVudF9uYW1lIjoiYW5jYS1kb2MtZGV2IiwiaHR0cHM6Ly9hdXRoLnNpdGVjb3JlY2xvdWQuaW8vY2xhaW1zL3RlbmFudF9pZCI6IjIxNTMzOWRmLWZlODEtNGY4Yy0zNDIxLTA4ZGFjNjIzMDNiYyIsImh0dHBzOi8vYXV0aC5zaXRlY29yZWNsb3VkLmlvL2NsYWltcy90ZW5hbnRfbmFtZSI6InhtY2xvdWR0ZXN0Y2M0Yy1kb2NzYW5jYS1kZXYtcyIsImlzcyI6Imh0dHBzOi8vYXV0aC1zdGFnaW5nLTEuc2l0ZWNvcmUtc3RhZ2luZy5jbG91ZC8iLCJzdWIiOiJxQjFRc0ZxSGJqaWpVQkt3dVJKSWx4VlJFVlowcVZ6TUBjbGllbnRzIiwiYXVkIjoiaHR0cHM6Ly9hcGktc3RhZ2luZy5zaXRlY29yZS1zdGFnaW5nLmNsb3VkIiwiaWF0IjoxNjY4Nzg0NzU0LCJleHAiOjE2Njg3ODU2NTQsImF6cCI6InFCMVFzRnFIYmppalVCS3d1UkpJbHhWUkVWWjBxVnpNIiwic2NvcGUiOiJ4bWNsb3VkLmNtOmFkbWluIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.mbV5eXBfm8AskRT8_pmfvigMuNxAvwSF4A3R7Ku1Hr2JdRV0kJ_Uv3hVBG8Pcv1oeeFTQBqDGZVX42QUXQJX1IrDBxRvmTAoBoY9V0ORXuY9i6nbC-zqwVm-laUjxNHqoc09eHsQiRoyfCTk3RiVsAkY6mjGIwMgfepmx921MO49X9ueqd4_D05-SM-T_fJPfIKT2aMWXt9Uuvj5UYJ358a55mGP29wJnfs4S4NtTZqHEPc05IJNcI0kYJC5KgvIdRSSWTq-lq7bloRvPRWeUWqYvYSzAf_5Vu7uIZoYzupe-4Gah9NnAWemWQURW-mhDVkXFqFPT5zLRIFIVUgdMg", "scope":"xmcloud.cm:admin", "expires_in":900, "token_type":"Bearer" }
-
-
From the response, copy the
access_token
value without quotation marks and store the token for later use.
Pay attention to the expires_in
property of the response. It indicates the JWT token expiration period. After that time, the token is invalid, and you must request a new token.
Authorize the GraphQL IDE
Before performing queries and mutations in the GraphQL IDE, you must authorize the IDE to perform operations.
To set the correct headers for the GraphQL IDE:
-
Open the IDE in the browser at
https://<your-server>/sitecore/api/authoring/graphql/playground/
. -
In the IDE's lower-left pane, on the HTTP Headers tab, add the authorization header with the following format:
RequestResponse{ "Authorization": "Bearer <access-token>" }
Replace the
<access-token>
placeholder with the value you copied. -
In the IDE's endpoint field (to the right of the History tab), verify that the endpoint is
https://<your-instance>/sitecore/api/authoring/graphql/v1/
. -
Verify your setup by running a query. For example:
RequestResponsequery { sites { name } }
If the configuration is correct, the response contains a list of your websites. For example:
RequestResponse{ "data": { "sites": [ { "name": "Winter Wonderland" }, { "name": "website" } ] } }
Authorize HTTP requests
HTTP requests against the Authoring and Management API endpoint require authorization.
To authorize your HTTP requests:
-
Include the HTTP
Authorization
header with theBearer
authentication scheme. Replace the<access-token>
placeholder with the value of the access token. For example:RequestResponse{ headers: [ { "Authorization": "Bearer <access-token>" } ] }