Request a JWT for Experience Edge XM using OAuth

Current version: 20.x

Sitecore Experience Edge for XM uses the OAuth authorization framework for security. OAuth allows one program to authorize another to make changes on behalf of an account holder or end-user.

To run any operation in any protected Experience Edge APIs other than the Delivery API, the caller must first obtain an authentication token (in JSON Web Token (JWT) format) and include it in every call made to Edge. Following successful authentication, the calling application has access to an access token, which can be used to call the protected APIs.

OAuth Endpoint

When requesting a JWT, you must make a POST request to the OAuth endpoint:


Older tenants previously used

All tenants should use the endpoint

Request headers

For the following cURL examples, the data is encoded as form data. Therefore the POST request must specify the Content-Type request header with the value application/x-www-form-urlencoded .

The endpoint accepts other content-type headers, such as application/json.

Request body

The body of the JWT request to the OAuth endpoint must include the following properties:




New tenants:

Old tenants:<your-tenant-id>




The client ID for your tenant as provided by Sitecore.


The client secret for your tenant, as provided by Sitecore.

To request a token:

  1. Request an access token for the Experience Edge APIs using a POST request.

    For example, for new tenants, you can request the JWT using the curl client as follows:

    curl --request POST --url "" --header "content-type: application/x-www-form-urlencoded" --data audience= --data grant_type=client_credentials --data client_id=<your-client-id> --data client_secret=<your-client-secret> 

    For old tenants:

    curl --request POST --url "" --header "content-type: application/x-www-form-urlencoded" --data audience=<your-tenant-id> --data grant_type=client_credentials --data client_id=<clientid> --data client_secret=<clientsecret> 

    You receive the access_token, token_type, and expires_in values.

  2. Pass the retrieved access token as a Bearer token in the Authorization header of your HTTP request.


Pay attention to the expires_in property of the response because JWTs typically expire in 24 hours. After that time, the token is invalid, and you must request a new token.

Do you have some feedback for us?

If you have suggestions for improving this article,