Request a JWT for Experience Edge XM using OAuth
Sitecore Experience Edge for XM uses the OAuth authorization framework for security. OAuth allows one program to authorize another to make changes on behalf of an account holder or end-user.
To run any operation in a protected Experience Edge API other than the Delivery API, the caller must first obtain an authentication token in JSON Web Token (JWT) format and include it in every call made to Edge. Following successful authentication, the calling application has access to an access token, which can be used to call the protected APIs.
OAuth Endpoint
When requesting a JWT, you must make a POST request to the OAuth endpoint:
POST https://auth.sitecorecloud.io/oauth/token
Older tenants previously used https://one-sc-production.eu.auth0.com/oauth/token. All tenants should use the endpoint https://auth.sitecorecloud.io/oauth/token.
Request headers
For the following cURL examples, the data is encoded as form data. Therefore the POST request must specify the Content-Type request header with the value application/x-www-form-urlencoded.
The endpoint accepts other content-type headers, such as application/json.
Request body
The body of the JWT request to the OAuth endpoint must include the following properties:
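| Name | Value |
|---|---|
| audience | New tenants: https://api.sitecorecloud.io Old tenants: https://delivery.sitecore.cloud/<your-tenant-id> |
| grant_type | client_credentials |
| client_id | The client ID for your tenant as provided by Sitecore. |
| client_secret | The client secret for your tenant, as provided by Sitecore. |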
To request a token:
- Request an access token for the Experience Edge APIs using a POST request. For example, for new tenants, you can request the JWT using the curl client as follows:

  ```
  curl --request POST \
    --url "https://auth.sitecorecloud.io/oauth/token" \
    --header "content-type: application/x-www-form-urlencoded" \
    --data "audience=https://api.sitecorecloud.io" \
    --data "grant_type=client_credentials" \
    --data "client_id=<your-client-id>" \
    --data "client_secret=<your-client-secret>"
  ```

  For old tenants:

  ```
  curl --request POST \
    --url "https://auth.sitecorecloud.io/oauth/token" \
    --header "content-type: application/x-www-form-urlencoded" \
    --data "audience=https://delivery.sitecore.cloud/<your-tenant-id>" \
    --data "grant_type=client_credentials" \
    --data "client_id=<clientid>" \
    --data "client_secret=<clientsecret>"
  ```

  You receive the access_token, token_type, and expires_in values.
- Pass the retrieved access token as a Bearer token in the Authorization header of your HTTP request.
Pay attention to the expires_in property of the response because JWTs typically expire in 24 hours. After that time, the token is invalid, and you must request a new token.
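The two steps above with the token cached and renewed shortly before expires_in elapses, as an added example that is not Sitecore's code. The names EdgeTokenCache and http_post_form, the 60-second renewal margin, and the EDGE_CLIENT_ID and EDGE_CLIENT_SECRET environment variables are assumptions; the audience is the new-tenant value from the table.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.sitecorecloud.io/oauth/token"  # endpoint from the page
AUDIENCE = "https://api.sitecorecloud.io"  # new-tenant audience from the page


def http_post_form(url, fields):
    """POST form-encoded fields and return the decoded JSON body."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class EdgeTokenCache:
    """Hypothetical helper: caches the JWT and renews it before it expires."""

    def __init__(self, client_id, client_secret, post=http_post_form,
                 clock=time.monotonic, margin=60):
        self._fields = {"audience": AUDIENCE, "grant_type": "client_credentials",
                        "client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._deadline = None, 0.0

    def auth_header(self):
        """Return the Authorization header, fetching a token only when needed."""
        if self._token is None or self._clock() >= self._deadline:
            reply = self._post(TOKEN_URL, self._fields)
            ok = (str(reply.get("token_type", "")).lower() == "bearer"
                  and reply.get("access_token") and "expires_in" in reply)
            if not ok:
                # Report only the field names so no token or error detail is logged.
                raise ValueError("unexpected token response: %s" % sorted(reply))
            self._token = reply["access_token"]
            lifetime = int(reply["expires_in"])  # seconds, per the response
            self._deadline = self._clock() + max(lifetime - self._margin, 0)
        return {"Authorization": "Bearer " + self._token}


if __name__ == "__main__":
    # Assumed variable names; keeps credentials out of source and shell history.
    cache = EdgeTokenCache(os.environ["EDGE_CLIENT_ID"],
                           os.environ["EDGE_CLIENT_SECRET"])
    print(sorted(cache.auth_header()))  # header name only, never the token
```

Merge the returned dictionary into the headers of each call to a protected Edge API; the cache contacts the OAuth endpoint again only once the stored token is within the margin of its expiry.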