From 66f03a592668f3102c4af0630107c346ac044d58 Mon Sep 17 00:00:00 2001 
From: theManikJindal
Date: Thu, 4 Apr 2024 21:03:49 +0000
Subject: [PATCH] =?UTF-8?q?Deploying=20to=20gh-pages=20from=20@=20AdobeDoc?=
 =?UTF-8?q?s/adobe-dev-console@87bec66ceade613c9219053a1e563b8f58f260f0=20?=
 =?UTF-8?q?=F0=9F=9A=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
guides/apis-and-services/index.html | 2 +- guides/authentication/APIKeyAuthentication/index.html | 2 +- guides/authentication/APIKeyIntegration/index.html | 2 +- guides/authentication/IMS/index.html | 2 +- guides/authentication/JWT/FAQ/index.html | 2 +- guides/authentication/JWT/JWTCertificate/index.html | 2 +- guides/authentication/JWT/Scopes/index.html | 2 +- guides/authentication/JWT/index.html | 2 +- guides/authentication/JWT/samples/index.html | 2 +- guides/authentication/OAuth/Scopes/index.html | 2 +- guides/authentication/OAuth/index.html | 2 +- guides/authentication/OAuth/samples/index.html | 2 +- guides/authentication/OAuthIntegration/index.html | 2 +- .../ServerToServerAuthentication/IMS/index.html | 4 ++-- .../ServerToServerAuthentication/faqs/index.html | 2 +- .../implementation/index.html | 2 +- .../ServerToServerAuthentication/index.html | 2 +- .../ServerToServerAuthentication/migration/index.html | 2 +- .../authentication/ServiceAccountIntegration/index.html | 2 +- guides/authentication/Tools/OAuthPlayground/index.html | 2 +- guides/authentication/Tools/Postman/index.html | 2 +- guides/authentication/Tools/index.html | 2 +- guides/authentication/UserAuthentication/IMS/index.html | 2 +- .../UserAuthentication/implementation/index.html | 8 ++++---- guides/authentication/UserAuthentication/index.html | 8 ++++---- guides/authentication/index.html | 2 +- guides/credentials/index.html | 2 +- guides/email-alerts/cert-expiry/index.html | 2 +- guides/email-alerts/index.html | 2 +- guides/getting-started/index.html | 2 +- guides/index.html | 2 +- guides/insights/index.html | 2 +- guides/plugins/index.html | 2 +-
guides/plugins/plugin-distribution/index.html | 2 +- guides/plugins/plugin-update/index.html | 2 +- guides/projects/approval/index.html | 2 +- guides/projects/beta-users/index.html | 2 +- guides/projects/index.html | 2 +- guides/projects/projects-empty/index.html | 2 +- guides/projects/projects-template/index.html | 2 +- guides/public-profile/index.html | 2 +- guides/quota/index.html | 2 +- guides/services/index.html | 2 +- guides/services/services-add-api-jwt/index.html | 2 +- guides/services/services-add-api-key/index.html | 2 +- guides/services/services-add-api-oauth/index.html | 2 +- guides/services/services-add-event/index.html | 2 +- guides/services/services-enable-runtime/index.html | 2 +- page-data/sq/d/1814815295.json | 2 +- 49 files changed, 56 insertions(+), 56 deletions(-) diff --git a/guides/apis-and-services/index.html b/guides/apis-and-services/index.html index a24b6841..0ffa0034 100644 --- a/guides/apis-and-services/index.html +++ b/guides/apis-and-services/index.html @@ -108,7 +108,7 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

APIs and services

Adobe Developer Console gives you access to a variety of APIs, Events, SDKs and other services for many of Adobe's most powerful and popular products and technologies. The APIs and services pages provides an easy way to browse all available services and create a project.

+ );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

APIs and services

Adobe Developer Console gives you access to a variety of APIs, Events, SDKs and other services for many of Adobe's most powerful and popular products and technologies. The APIs and services pages provides an easy way to browse all available services and create a project.
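
Review bot: The sentence "The APIs and services pages provides an easy way to browse all available services" under the "APIs and services" heading has a subject-verb mismatch and is identical on both sides of this hunk; it should read "The APIs and services page provides". The subject line says this is a gh-pages deploy from AdobeDocs/adobe-dev-console, so the fix belongs in that source rather than in this generated index.html, otherwise the next deploy will bring it back.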

diff --git a/guides/authentication/APIKeyAuthentication/index.html b/guides/authentication/APIKeyAuthentication/index.html index 2133cb1a..f4e1d7ce 100644 --- a/guides/authentication/APIKeyAuthentication/index.html +++ b/guides/authentication/APIKeyAuthentication/index.html @@ -108,7 +108,7 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

API key Authentication

If your application needs to integrate with an Adobe offering that supports unauthenticated workflows (does not require access tokens), you can do so by using the API key credential. The API key credential identifies your application to Adobe servers and can help accept/reject requests originating from certain domains that you configure during credential setup.

Understanding different uses of the API key credential

Embedding Adobe web experiences on your website

Some APIs allow you to generate API Key credentials to embed an Adobe web experience on your website. For example, Adobe Express Embed SDK and PDF Embed API are two such APIs. These APIs only need to identify your application using your application's API key.

To ensure that your API key is not misused, Adobe servers reject API calls that do not originate from your website's domains. During credential setup, you can configure your website's domains for your API key credential.

Calling APIs that do not require an access token

A small collection of Adobe services (e.g., API Mesh for App Builder, Adobe Stock) do not require an access token for API requests. These services can be called "anonymously" and typically provide consistent results regardless of the application or user that made the request. Such APIs can be called with an API Key credential.

You can create a project with the Adobe Stock API to try it out. Then use the API key to make an API request, as shown in the cURL command below.

Copied to your clipboard
curl 'https://stock.adobe.io/Rest/Media/1/Search/Files?locale=en_US%26search_parameters%5Bwords%5D=kittens '
-H 'x-product:testapp'
-H 'x-api-key:YOUR-API-KEY-HERE'

API Key credential

As the name suggests, the API Key credential only contains an API key and no secrets. It cannot be used to generate access tokens. An API key credential only allows Adobe servers to identify the application but cannot authenticate a user or the application.

Understanding Allowed Origins

Some Adobe APIs do not require an access token, only an API key, to be called. However, such an API may still need to prevent your API key from being copied by a malicious actor and misused.

To prevent bad actors from using your API key, Adobe servers only accept API requests originating from your website and reject any other API requests. Adobe servers determine whether the request originates from your website by relying on the Origin HTTP request header that a browser sends with each request.

To ensure that Adobe servers accept API requests from all the domains your application uses, you must add those domains as 'allow listed origins' during API Key credential setup.

You can configure up to 5 comma-separated domains, use wildcards to club together multiple subdomains and specify any non-privileged port numbers. You can edit these domains any time by visiting your project on the Adobe Developer Console.

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
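
Review bot: In the Adobe Stock cURL example, the query string has "%26" between "locale=en_US" and "search_parameters%5Bwords%5D=kittens", so the ampersand is percent-encoded and a standard query-string parser will treat everything after it as part of the locale value instead of as a second parameter; it should be a literal "&". The URL also carries a trailing space before its closing quote, and the lines before each "-H" have no trailing backslash, so the three lines do not paste into a shell as one command.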
\ No newline at end of file diff --git a/guides/authentication/APIKeyIntegration/index.html b/guides/authentication/APIKeyIntegration/index.html index 5b792752..d2a96fbd 100644 --- a/guides/authentication/APIKeyIntegration/index.html +++ b/guides/authentication/APIKeyIntegration/index.html @@ -108,4 +108,4 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

API Key Connection

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
\ No newline at end of file + );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

API Key Connection

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
\ No newline at end of file diff --git a/guides/authentication/IMS/index.html b/guides/authentication/IMS/index.html index 103edcdd..3b2c48aa 100644 --- a/guides/authentication/IMS/index.html +++ b/guides/authentication/IMS/index.html @@ -108,4 +108,4 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Authentication API Reference

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
\ No newline at end of file + );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Authentication API Reference

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
\ No newline at end of file diff --git a/guides/authentication/JWT/FAQ/index.html b/guides/authentication/JWT/FAQ/index.html index 3c7e753b..d5f3251f 100644 --- a/guides/authentication/JWT/FAQ/index.html +++ b/guides/authentication/JWT/FAQ/index.html @@ -108,4 +108,4 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Frequently Asked Questions

Where can I find the sample code for Service Account (JWT) authentication?

Code Samples are available for the following languages -

  1. Java
  2. DotNet
  3. Python
  4. NodeJS
  5. PHP

How to use the private key for generating a JWT?

Please copy the full content of private key including -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- to generate a correct JWT token.

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
\ No newline at end of file + );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Frequently Asked Questions

Where can I find the sample code for Service Account (JWT) authentication?

Code Samples are available for the following languages -

  1. Java
  2. DotNet
  3. Python
  4. NodeJS
  5. PHP

How to use the private key for generating a JWT?

Please copy the full content of private key including -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- to generate a correct JWT token.

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
\ No newline at end of file diff --git a/guides/authentication/JWT/JWTCertificate/index.html b/guides/authentication/JWT/JWTCertificate/index.html index dfbd8204..d21a54e0 100644 --- a/guides/authentication/JWT/JWTCertificate/index.html +++ b/guides/authentication/JWT/JWTCertificate/index.html @@ -108,7 +108,7 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Create a Public Key Certificate

Create a private key and a public certificate. Make sure you store these securely.

MacOS and Linux:

Open a terminal and execute the following command:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate_pub.crt

+ );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Create a Public Key Certificate

Create a private key and a public certificate. Make sure you store these securely.

MacOS and Linux:

Open a terminal and execute the following command:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate_pub.crt
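
Review bot: The openssl command under "MacOS and Linux" passes -nodes, which writes private.key to disk without a passphrase, while the only guidance on the page is "Make sure you store these securely." Suggest saying explicitly that the key file is unencrypted and should be readable only by the account that signs JWTs (or moved into a secret store), and that "-days 365" means the certificate expires after one year and has to be replaced before then.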

diff --git a/guides/authentication/JWT/Scopes/index.html b/guides/authentication/JWT/Scopes/index.html index 7c50f3f2..f6be4b15 100644 --- a/guides/authentication/JWT/Scopes/index.html +++ b/guides/authentication/JWT/Scopes/index.html @@ -108,4 +108,4 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

JWT Metascopes

JSON Web Token (JWT) metascopes govern the access and privileges for service accounts. As an application developer, you will choose the set of scopes to access certain resources by specifying the scopes as part of the encoding claims for your JWTs.

Adobe I/O

Metascopes for Adobe I/O Service Account APIs

APIsMetascopes
I/O Events
https://ims-na1.adobelogin.com/s/event_receiver_api
I/O Management
https://ims-na1.adobelogin.com/s/ent_adobeio_sdk

Creative Cloud

Metacopes for Creative Cloud Service Account APIs

APIsMetascopes
Adobe Stock
https://ims-na1.adobelogin.com/s/ent_stocksearch_sdk
Dimension (default)
https://ims-na1.adobelogin.com/s/ent_default_sdk
Dimension (CCE-AS version)
https://ims-na1.adobelogin.com/s/ent_ccas_sdk
Photoshop (default)
https://ims-na1.adobelogin.com/s/ent_default_sdk
Photoshop (CCE-AS version)
https://ims-na1.adobelogin.com/s/ent_ccas_sdk
Lightroom (default)
https://ims-na1.adobelogin.com/s/ent_default_sdk
Lightroom (CCE-AS version)
https://ims-na1.adobelogin.com/s/ent_ccas_sdk

Document Cloud

Metascopes for Document Cloud Service Account APIs

APIsMetascopes
PDF Services
https://ims-na1.adobelogin.com/s/ent_documentcloud_sdk

Experience Cloud

Metascopes for Experience Cloud Service Account APIs

APIsMetascopes
Adobe Analytics
https://ims-na1.adobelogin.com/s/ent_analytics_bulk_ingest_sdk
Experience Platform
https://ims-na1.adobelogin.com/s/ent_dataservices_sdk
Campaign
https://ims-na1.adobelogin.com/s/ent_campaign_sdk
Target
https://ims-na1.adobelogin.com/s/ent_marketing_sdk
Experience Platform Launch (Admin)
https://ims-na1.adobelogin.com/s/ent_reactor_sdk

GDPR

Metascopes for GDPR Service Account APIs

APIsMetascopes
GDPR
https://ims-na1.adobelogin.com/s/ent_gdpr_sdk

Sensei

Metascopes for Sensei Service Account APIs

APIsMetascopes
Smart Content
https://ims-na1.adobelogin.com/s/ent_smartcontent_sdk
Auto Crop, Auto Tag
https://ims-na1.adobelogin.com/s/ent_sensei_image_sdk

User Management

Metascopes for User management Service Account APIs

APIsMetascopes
User Management
https://ims-na1.adobelogin.com/s/ent_user_sdk

Other

Metascopes for miscellaneous Service Account APIs

APIsMetascopes
AEM Brand portal
https://ims-na1.adobelogin.com/s/ent_brand_portal_sdk
Places
https://ims-na1.adobelogin.com/s/ent_places_sdk
Cloud Manager
https://ims-na1.adobelogin.com/s/ent_cloudmgr_sdk
  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
\ No newline at end of file + );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

JWT Metascopes

JSON Web Token (JWT) metascopes govern the access and privileges for service accounts. As an application developer, you will choose the set of scopes to access certain resources by specifying the scopes as part of the encoding claims for your JWTs.

Adobe I/O

Metascopes for Adobe I/O Service Account APIs

APIsMetascopes
I/O Events
https://ims-na1.adobelogin.com/s/event_receiver_api
I/O Management
https://ims-na1.adobelogin.com/s/ent_adobeio_sdk

Creative Cloud

Metacopes for Creative Cloud Service Account APIs

APIsMetascopes
Adobe Stock
https://ims-na1.adobelogin.com/s/ent_stocksearch_sdk
Dimension (default)
https://ims-na1.adobelogin.com/s/ent_default_sdk
Dimension (CCE-AS version)
https://ims-na1.adobelogin.com/s/ent_ccas_sdk
Photoshop (default)
https://ims-na1.adobelogin.com/s/ent_default_sdk
Photoshop (CCE-AS version)
https://ims-na1.adobelogin.com/s/ent_ccas_sdk
Lightroom (default)
https://ims-na1.adobelogin.com/s/ent_default_sdk
Lightroom (CCE-AS version)
https://ims-na1.adobelogin.com/s/ent_ccas_sdk

Document Cloud

Metascopes for Document Cloud Service Account APIs

APIsMetascopes
PDF Services
https://ims-na1.adobelogin.com/s/ent_documentcloud_sdk

Experience Cloud

Metascopes for Experience Cloud Service Account APIs

APIsMetascopes
Adobe Analytics
https://ims-na1.adobelogin.com/s/ent_analytics_bulk_ingest_sdk
Experience Platform
https://ims-na1.adobelogin.com/s/ent_dataservices_sdk
Campaign
https://ims-na1.adobelogin.com/s/ent_campaign_sdk
Target
https://ims-na1.adobelogin.com/s/ent_marketing_sdk
Experience Platform Launch (Admin)
https://ims-na1.adobelogin.com/s/ent_reactor_sdk

GDPR

Metascopes for GDPR Service Account APIs

APIsMetascopes
GDPR
https://ims-na1.adobelogin.com/s/ent_gdpr_sdk

Sensei

Metascopes for Sensei Service Account APIs

APIsMetascopes
Smart Content
https://ims-na1.adobelogin.com/s/ent_smartcontent_sdk
Auto Crop, Auto Tag
https://ims-na1.adobelogin.com/s/ent_sensei_image_sdk

User Management

Metascopes for User management Service Account APIs

APIsMetascopes
User Management
https://ims-na1.adobelogin.com/s/ent_user_sdk

Other

Metascopes for miscellaneous Service Account APIs

APIsMetascopes
AEM Brand portal
https://ims-na1.adobelogin.com/s/ent_brand_portal_sdk
Places
https://ims-na1.adobelogin.com/s/ent_places_sdk
Cloud Manager
https://ims-na1.adobelogin.com/s/ent_cloudmgr_sdk
  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
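
Review bot: The Creative Cloud table caption reads "Metacopes for Creative Cloud Service Account APIs" on both the removed and the added side of this hunk; it should be "Metascopes", as in every other caption in the file. While touching the captions, "Metascopes for User management Service Account APIs" should match the capitalisation of its own heading, "User Management".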
\ No newline at end of file diff --git a/guides/authentication/JWT/index.html b/guides/authentication/JWT/index.html index a775b801..03584e0a 100644 --- a/guides/authentication/JWT/index.html +++ b/guides/authentication/JWT/index.html @@ -108,7 +108,7 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Service Account (JWT) Authentication

To establish a secure service-to-service Adobe I/O API session, you must create a JSON Web Token (JWT) that encapsulates the identity of your integration, and then exchange it for an access token. Every request to an Adobe service must include the access token in the Authorization header, along with the API Key (Client ID) that was generated when you created the Service Account Integration in the Adobe Developer Console.

Authentication Workflow

Creating a JSON Web Token

A JSON Web Token for Service Account authentication requires a particular set of claims, and must be signed using a valid digital signing certificate. We recommend that you use one of the publicly available libraries or tools for building your JWT. Examples are provided for some popular languages.

Required Claims for a Service Account JWT

Your JWT must contain the following claims:

ClaimDescription
exp
Required. The expiration parameter is a required parameter measuring the absolute time since 01/01/1970 GMT. You must ensure that the expiration time is later than the time of issue. After this time, the JWT is no longer valid. Recommendation: Have a very short lived token (a few minutes) - such that it expires soon after it has been exchanged for an IMS access token. Every time a new access token is required, one such JWT is signed and exchanged. This is secure approach. Longer lived tokens that are re-used to obtain access tokens as needed are not recommended.
iss
Required. The issuer, your Organization ID from the Adobe Developer Console integration, in the format org_ident@AdobeOrg. Identifies your organization that has been configured for access to the Adobe I/O API.
sub
Required. The subject, your Technical Account ID from the Adobe Developer Console integration, in the format: id@techacct.adobe.com.
aud
Required. The audience for the token, your API Key from the Adobe Developer Console integration, in the format: https://ims-na1.adobelogin.com/c/api_key.
Metascopes
Required. The API-access claim configured for your organization: JWT Metascopes, in the format: "https://ims-na1.adobelogin.com/s/meta_scope": true

The following is a sample payload to be signed and encoded.

Copied to your clipboard
curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&grant_type=client_credentials&scope={SCOPE}'

Sample Response

Copied to your clipboard
{
"expires_at": "PERMANENT",
"expires_at_str": "PERMANENT",
"client_secret": "XXXXXXXXXXXXX",
"created_at": "1683005777000",
"created_at_str": "Tue, May 2 2023 05:36:17.000 UTC",
"uuid": "11ede8ab42f138f3abe335d886a407fb",
"secret_usages": null
}

Note: the created_at and last_used_at values are in milliseconds since UNIX epoch.

Remove client secret from credential

Pre-requisite: You need to add I/O Management API to your project for removing client secret from the credential. See Add API to a Project

Note: you need the secret uuid to delete a secret. You cannot use the plain text client_secret value to identify which secret to delete.

Parameters

ParameterWhereMandatoryDescription
org_id
URL
Yes
For instructions on where to find the org_id, see step 2 and 3 on our guide to rotate secrets programmatically
credential_id
URL
Yes
For instructions on where to find the credential_id, see step 2 and 3 on our guide to rotate secrets programmatically
uuid
URL
Yes
The uuid of the secret you wish to delete. See the list all secrets API to get the secret's uuid.
client_id
Headers
Yes
The Client ID obtained from the Adobe Developer Console
access_token
Headers
Yes
For instructions on how to generate an access token, see step 5 on our guide to rotate secrets programmatically

Request for OAuth Server-to-Server credential

Copied to your clipboard
curl -X DELETE 'https://api.adobe.io/console/organizations/{org_id}/credentials/{credential_id}/secrets/{uuid}' \
-H 'Authorization: Bearer {access_token}' \
-H 'x-api-key: {client_id}'

Sample Response

204 No Content

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
\ No newline at end of file +Copied to your clipboard
curl -X DELETE 'https://api.adobe.io/console/organizations/{org_id}/credentials/{credential_id}/secrets/{uuid}' \
-H 'Authorization: Bearer {access_token}' \
-H 'x-api-key: {client_id}'

Sample Response

204 No Content

Sahil GeraChristophe JelgerPratyush BanerjeeManik Jindal
Last updated 2/28/2024
Was this helpful?
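
Review bot: The note after the first sample response says "the created_at and last_used_at values are in milliseconds since UNIX epoch", but that sample response has no last_used_at field, only created_at and created_at_str. Either add last_used_at to the sample or drop it from the note, and mention that created_at is returned as a quoted string ("1683005777000"), so clients have to parse it before comparing timestamps. Separately, in the claims table the exp row names the epoch ("01/01/1970 GMT") but not the unit; a JWT exp value is in seconds, which is worth stating next to a note that talks about milliseconds.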
\ No newline at end of file diff --git a/guides/authentication/ServerToServerAuthentication/faqs/index.html b/guides/authentication/ServerToServerAuthentication/faqs/index.html index 1c807866..e704dd27 100644 --- a/guides/authentication/ServerToServerAuthentication/faqs/index.html +++ b/guides/authentication/ServerToServerAuthentication/faqs/index.html @@ -108,7 +108,7 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Deprecation of Service Account (JWT) credentials FAQs

Table of contents

General FAQs

What's happening?

In May 2023, Adobe announced the deprecation and end of life of Service Account (JWT) credentials. This means that any of your integrations or custom applications using a Service Account (JWT) credential will need to migrate to the new OAuth Server-to-Server credential before January 27, 2025.

What is a credential?

While building an integration, developers need to call Adobe APIs from their application. To call Adobe APIs, their integration must uniquely identify itself to Adobe. This ensures that only your application can retrieve your data from us.

A credential is used to uniquely identify your integration to Adobe. To use an API in an integration, a developer first generates a credential for the API on the Developer Console. She then embeds the credential within her application to generate access tokens. And then finally uses those access tokens to make API calls to Adobe.

+ );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Deprecation of Service Account (JWT) credentials FAQs

Table of contents

General FAQs

What's happening?

In May 2023, Adobe announced the deprecation and end of life of Service Account (JWT) credentials. This means that any of your integrations or custom applications using a Service Account (JWT) credential will need to migrate to the new OAuth Server-to-Server credential before January 27, 2025.

What is a credential?

While building an integration, developers need to call Adobe APIs from their application. To call Adobe APIs, their integration must uniquely identify itself to Adobe. This ensures that only your application can retrieve your data from us.

A credential is used to uniquely identify your integration to Adobe. To use an API in an integration, a developer first generates a credential for the API on the Developer Console. She then embeds the credential within her application to generate access tokens. And then finally uses those access tokens to make API calls to Adobe.
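
Review bot: In "What is a credential?", the sentence "She then embeds the credential within her application to generate access tokens" reads as advice to hardcode the credential in application code. Since this credential is what mints access tokens, suggest wording such as "configures her application with the credential" and a pointer to keeping it out of source control. The preceding paragraph also switches from "their integration" to "your application" and "your data from us", and "And then finally uses those access tokens" is a sentence fragment.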

diff --git a/guides/authentication/ServerToServerAuthentication/implementation/index.html b/guides/authentication/ServerToServerAuthentication/implementation/index.html index 3693c961..444abee8 100644 --- a/guides/authentication/ServerToServerAuthentication/implementation/index.html +++ b/guides/authentication/ServerToServerAuthentication/implementation/index.html @@ -108,7 +108,7 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

OAuth Server-to-Server credential implementation guide

The following guide goes over finer implementation details for OAuth Server-to-Server credentials. At the end of the guide is a list of recommended industry-standard OAuth2 libraries. Before you proceed, we recommend you become familiar with the server to server authentication credentials in our server to server authentication guide.

On this page:

Setting up the OAuth Server-to-Server credential

Depending on the API or an Event to your project on the Adobe Developer Console, you can select the OAuth Server-to-Server credential. The OAuth Server-to-Server credential is available for all APIs and Events supporting the Service Account (JWT) credential (deprecated).

Credential Name

An admin in your organization can manage all OAuth Server-to-Server credentials by visiting the Adobe Admin Console > Users > API credentials. To find the correct API credential easily on the Admin Console, you can provide your OAuth Server-to-Server credential a name during credential setup.

+ );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

OAuth Server-to-Server credential implementation guide

The following guide goes over finer implementation details for OAuth Server-to-Server credentials. At the end of the guide is a list of recommended industry-standard OAuth2 libraries. Before you proceed, we recommend you become familiar with the server to server authentication credentials in our server to server authentication guide.

On this page:

Setting up the OAuth Server-to-Server credential

Depending on the API or an Event to your project on the Adobe Developer Console, you can select the OAuth Server-to-Server credential. The OAuth Server-to-Server credential is available for all APIs and Events supporting the Service Account (JWT) credential (deprecated).

Credential Name

An admin in your organization can manage all OAuth Server-to-Server credentials by visiting the Adobe Admin Console > Users > API credentials. To find the correct API credential easily on the Admin Console, you can provide your OAuth Server-to-Server credential a name during credential setup.
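
Review bot: The first sentence under "Setting up the OAuth Server-to-Server credential" is missing its verb: "Depending on the API or an Event to your project on the Adobe Developer Console" does not parse and is unchanged on both sides of the hunk. It presumably should read "Depending on the API or Event you add to your project"; please confirm the intended meaning in the source page and fix it there.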

diff --git a/guides/authentication/ServerToServerAuthentication/index.html b/guides/authentication/ServerToServerAuthentication/index.html index 759f9f11..b0988fe5 100644 --- a/guides/authentication/ServerToServerAuthentication/index.html +++ b/guides/authentication/ServerToServerAuthentication/index.html @@ -108,4 +108,4 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Server to Server authentication

Server to server authentication credentials allow your application's server to generate access tokens and make API calls on behalf of your application itself.

In the OAuth 2.0 framework, server to server authentication is called 2-legged OAuth. It is called so because, unlike 3-legged OAuth, it involves only two parties - Adobe and your application.

For your application to generate an access token, an end-user does not need to sign in or provide consent to your application. Instead, your application can use its credentials (client id and secrets) to authenticate itself and generate access tokens. Your application can then use the generated access token to call Adobe APIs and services on its behalf.

Whose data can you access with a server to server credential?

The token generation process for a server to server credential only authenticates your application. Therefore, the generated access token can only be used to read and modify data owned by your application.

For example, you can use the PDF Services API to generate a PDF from an invoice template and a JSON object containing the data you pass to the API. In this case, no user's data was accessed, and the application is manipulating data it already owns or has access to.

Apart from the data owned by the application, a server to server credential can also read and modify data owned by your organization.

For example, the Adobe Analytics API allows you to pull reporting data for your website using the server to server credential.

When you create a server to server credential on the Adobe Developer Console, only your organization can access its client id and secret. Therefore, when your application generates an access token using those credentials - it can only do so because your organization has supplied the client_id and client_secret to the application. In other words, your application is developed and trusted by your organization; therefore, the application can access your organization's data.

However, no access to data is given out by default. Instead, when you create a server to server credential, you must configure the set of product profiles to be assigned to this credential. These product profiles then govern what data the application can access in your organization.

You can also modify the set of product profiles by returning to your project on the Adobe Developer Console. As an admin, you can manage the product profiles assigned to different applications by visiting the Adobe Admin Console > Users > API credentials tab.

Server to server credential types

Adobe supports two server to server authentication credentials. These credentials only differ in the way your application generates the access token, the rest of their functioning is similar.

  1. OAuth Server-to-Server credential
  2. Service Account (JWT) credential (deprecated)

OAuth Server-to-Server credential

The OAuth Server-to-Server credential relies on the OAuth 2.0 client_credentials grant type to generate access tokens. To generate an access token, your application can make a single HTTP request with your client_id and client_secret and scopes.

As the token generation logic uses your client_secret, this logic must be implemented on a secure backend server to prevent malicious actors from accessing your secrets. We recommend using standard OAuth libraries to implement access token generation.

Read our OAuth Server-to-server credential implementation guide -

  1. Generating access tokens using cURL
  2. Generating access tokens programmatically using standard OAuth2 libraries
  3. Migrating from Service Account (JWT) credentials to OAuth Server-to-Server credentials
  4. API reference

Service Account (JWT) credential (deprecated)

Service Account (JWT) credentials rely on the JWT token exchange mechanism to generate access tokens. This credential's details include two secrets a client_secret and a private.key (part of a public certificate private key pair).

The token generation logic first requires your application to construct a JWT token signed by your private.key. This token is then exchanged for an access token by making an HTTP Request to Adobe Identity Management Services (IMS).

As the token generation logic uses your client_secret, this logic must be implemented on a secure backend server to prevent malicious actors from accessing your secrets.

Read our Service Account (JWT) credential implementation guide -

  1. Generating access tokens programmatically
  2. Migrating from Service Account (JWT) credentials to OAuth Server-to-Server credentials
  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
\ No newline at end of file + );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Server to Server authentication

Server to server authentication credentials allow your application's server to generate access tokens and make API calls on behalf of your application itself.

In the OAuth 2.0 framework, server to server authentication is called 2-legged OAuth. It is called so because, unlike 3-legged OAuth, it involves only two parties - Adobe and your application.

For your application to generate an access token, an end-user does not need to sign in or provide consent to your application. Instead, your application can use its credentials (client id and secrets) to authenticate itself and generate access tokens. Your application can then use the generated access token to call Adobe APIs and services on its behalf.

Whose data can you access with a server to server credential?

The token generation process for a server to server credential only authenticates your application. Therefore, the generated access token can only be used to read and modify data owned by your application.

For example, you can use the PDF Services API to generate a PDF from an invoice template and a JSON object containing the data you pass to the API. In this case, no user's data was accessed, and the application is manipulating data it already owns or has access to.

Apart from the data owned by the application, a server to server credential can also read and modify data owned by your organization.

For example, the Adobe Analytics API allows you to pull reporting data for your website using the server to server credential.

When you create a server to server credential on the Adobe Developer Console, only your organization can access its client id and secret. Therefore, when your application generates an access token using those credentials - it can only do so because your organization has supplied the client_id and client_secret to the application. In other words, your application is developed and trusted by your organization; therefore, the application can access your organization's data.

However, no access to data is given out by default. Instead, when you create a server to server credential, you must configure the set of product profiles to be assigned to this credential. These product profiles then govern what data the application can access in your organization.

You can also modify the set of product profiles by returning to your project on the Adobe Developer Console. As an admin, you can manage the product profiles assigned to different applications by visiting the Adobe Admin Console > Users > API credentials tab.

Server to server credential types

Adobe supports two server to server authentication credentials. These credentials only differ in the way your application generates the access token, the rest of their functioning is similar.

  1. OAuth Server-to-Server credential
  2. Service Account (JWT) credential (deprecated)

OAuth Server-to-Server credential

The OAuth Server-to-Server credential relies on the OAuth 2.0 client_credentials grant type to generate access tokens. To generate an access token, your application can make a single HTTP request with your client_id and client_secret and scopes.

As the token generation logic uses your client_secret, this logic must be implemented on a secure backend server to prevent malicious actors from accessing your secrets. We recommend using standard OAuth libraries to implement access token generation.

Read our OAuth Server-to-server credential implementation guide -

  1. Generating access tokens using cURL
  2. Generating access tokens programmatically using standard OAuth2 libraries
  3. Migrating from Service Account (JWT) credentials to OAuth Server-to-Server credentials
  4. API reference

Service Account (JWT) credential (deprecated)

Service Account (JWT) credentials rely on the JWT token exchange mechanism to generate access tokens. This credential's details include two secrets a client_secret and a private.key (part of a public certificate private key pair).

The token generation logic first requires your application to construct a JWT token signed by your private.key. This token is then exchanged for an access token by making an HTTP Request to Adobe Identity Management Services (IMS).

As the token generation logic uses your client_secret, this logic must be implemented on a secure backend server to prevent malicious actors from accessing your secrets.

Read our Service Account (JWT) credential implementation guide -

  1. Generating access tokens programmatically
  2. Migrating from Service Account (JWT) credentials to OAuth Server-to-Server credentials
  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
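
Review bot: in the "Service Account (JWT) credential (deprecated)" section, the backend-server warning names only one of the two secrets the section has just listed. The text reads "As the token generation logic uses your client_secret, this logic must be implemented on a secure backend server", yet the preceding paragraph says the JWT is signed with private.key. Suggest the warning name both client_secret and private.key. The same section also needs a colon or dash in "include two secrets a client_secret and a private.key". Separately, the removed and added sides of this hunk carry identical page text and differ only in the trailing CSS of one minified line, so the content change, if any, cannot be reviewed from this diff and should be checked against the source repository change.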
\ No newline at end of file diff --git a/guides/authentication/ServerToServerAuthentication/migration/index.html b/guides/authentication/ServerToServerAuthentication/migration/index.html index 1ab1dfa1..dd9addcb 100644 --- a/guides/authentication/ServerToServerAuthentication/migration/index.html +++ b/guides/authentication/ServerToServerAuthentication/migration/index.html @@ -108,4 +108,4 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Migrating from Service Account (JWT) credential to OAuth Server-to-Server credential

The Service Account (JWT) credentials have been deprecated in favor of the new OAuth Server-to-Server credentials.

The new OAuth Server-to-Server credentials simplify all aspects of application development - experimentation, implementation, and maintenance. See the section on Why OAuth Server-to-Server credentials? below to learn more.

While the Service Account (JWT) credentials have been marked as deprecated, they will continue to work until Jan 27, 2025. Therefore you must migrate your application or integration to use the new OAuth Server-to-Server credential before Jan 27, 2025. See the section on deprecation timelines below to learn more.

Migrating your applications to the OAuth Server-to-Server credential is a simple two-step process that enables a zero downtime migration for your applications and integrations. Please read our migration guide below to familiarize yourself with the migration process.

If you have more questions, check out our frequently asked questions or visit the Adobe Developer Console forums.

Why OAuth Server-to-Server credentials?

The new OAuth Server-to-Server credentials rely on the OAuth 2.0 client credentials grant. Therefore, you can use industry-standard OAuth 2.0 libraries to implement access token generation in your application.

Unlike the Service Account (JWT) credential, the new credential does not use a public certificate and private key pair to generate access tokens. As an application developer, you do not have to periodically rotate the public certificates and private key pairs when they expire. Also, the credential setup process is greatly simplified, and you do not have to download and save the private key on your machine.

Lastly, while the new OAuth Server-to-Server credentials do not use expiring certificates, they still allow client secret rotation through the UI and API. Read more about rotating secrets programmatically in our guide on rotating client secrets.

OAuth Server-to-Server credentialService Account (JWT) credential
Do expiring certificates need to be replaced every year?
This credential does not use public certificates or private key pairs. You are not forced to rotate certificates every year.
You need to rotate the public certificate and private key pair every year.
Generating access tokens for experimentation
You can generate an access token for quick experimentation with a one-click button on the Developer Console.
Generating access tokens is a 3-step process spanning the Developer Console UI and your command-line terminal.
Generating access tokens in your application
You can use standard OAuth 2.0 libraries to generate access tokens in your application programmatically.
You can implement access token generation programmatically by reading our documentation.
Rotating client secrets programmatically
You can rotate client secrets on-demand through the Dev Console UI and API. Learn more.
You can rotate the public certificate and private key pair manually through the UI.

Deperecation Timelines

May 1, 2023 - Apr 30, 2024May 1, 2024 - Dec 31, 2024Jan 27, 2025 (end of life)
Existing applications using a Service Account (JWT) credential
Existing applications using the Service Account (JWT) credential will continue to work.
Existing applications using the Service Account (JWT) credential will continue to work.
Existing applications cannot refresh expiring certificates after Jan 27, 2025, and will stop working.
New applications creating a Service Account (JWT) credential
A new Service Account (JWT) credential can be added to the project.
A new Service Account (JWT) credential cannot be created or added to the project.
A new Service Account (JWT) credential cannot be created or added to the project.

Migration Overview

The migration to the OAuth Server-to-Server credential is a simple process that enables a zero downtime migration for your application. You can follow the steps below to migrate your application.

Preparation: Find out which applications are using the Service Account (JWT) credentials

To find out which of your Adobe applications and integrations are using the Service Account (JWT) credential

  1. Log in to the Adobe Developer Console and open the Projects Tab.

  2. On the filtering menu on the left side, select the filter Attention Required > Has Service Account (JWT) credential. This will show you all projects with a Service Account (JWT) credential.

  3. Check out the project descriptions set by your team members to understand which application is using a given project. To identify project maintainers in your organization, you can check who created or last modified that project or the project's activity logs.

Perform the steps below for each application/project you have identified. If a project is not in use, we recommend deleting the project or the Service Account (JWT) credential in the project.

Note: you do not have to worry about auto-generated projects. Adobe will automatically migrate those during the migration window.

Step 1: Add the new credential to your project

Once you have identified the application that needs to be updated and its related project on the Developer Console, the first step is to add the new credential to your project to begin using the new credential to generate access tokens and update your application.

  1. Log in to the Developer Console and open your project. Open the Service Account (JWT) credential tab from the left side nav and view the migration card.

  2. On the migration card, click the button to add an equivalent OAuth Server-to-Server credential. Adding an OAuth Server-to-Server credential to your project will start the migration. Note: during the migration, you cannot add any API or service to your project. Some finer points about the added credential -

    • The new OAuth Server-to-Server credential has the same client id, technical account, connected APIs and services, scopes, and product profiles as the old Service Account (JWT) credential.

    • A token generated by the new credential will be identical to one generated by the old credential and have identical access.

    • The difference between the two credentials is in the token generation mechanism and the use of public certificates and private key pairs.

    • At this point, you can use either credential to generate access tokens. This ensures that your running application can continue generating access tokens using the Service Account (JWT).

    • Meanwhile, you can test the new credential by generating access tokens using the Developer Console UI or a cURL command. We also recommend reading our implementation guide that points to several standard OAuth 2.0 libraries to generate access tokens programmatically.

Step 2: Update your application and delete old credential

Update your application

  1. Update your application code to use the new credential to generate access tokens.

    • At this point, you can make code changes to your application and deploy it. Because both your credentials work and you can use either to generate access tokens, you can deploy your updated application to test, staging, and even production environments.

Test if the new credential is working

  1. Once you have updated your application and deployed it to production, the next step is to review whether your application has stopped using the old credential completely. And if so, delete the old credential to complete the migration.

  2. Log in to the Developer Console and navigate to your project. Open the Service Account (JWT) credential tab from the left side nav and view the migration card.

  3. On the migration card, click the button to review timestamps and delete the old credential. This will launch a dialog that walks you through your application's timestamp and credential usage. Based on the status of the two checks (listed below), the UI displays will prompt you to the recommended action.

    • Did your application generate access tokens using the new credential more recently than the old credential?

    • Has it been at least 24 hours since the last time an access token was generated using your old credential?

  4. If all is well, you can proceed to the final action of deleting the old credential.

Delete the old credential

  1. Once you are sure that you have replaced the old credential successfully, the dialog will take you to the last step of deleting the old credential.

    • To confirm this step, you must type in the project name to confirm your intentions.

    • Note: once the old credential is deleted, the step cannot be rolled back. We recommend that developers pay attention to the prompts on the UI and exercise care when performing this step.

Cancelling Migration

During the migration, you cannot add any APIs or other services to the project. Furthermore, during migration, you cannot rotate client secrets for the OAuth Server-to-Server credential.

If you need to add other services or disable the OAuth Server to Server credential in case of a client secret leak - you can cancel the migration.

Canceling the migration will delete the OAuth Server-to-Server credential from your project. If your application already uses the new credential, it will stop working once you cancel the migration.

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
\ No newline at end of file + );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Migrating from Service Account (JWT) credential to OAuth Server-to-Server credential

The Service Account (JWT) credentials have been deprecated in favor of the new OAuth Server-to-Server credentials.

The new OAuth Server-to-Server credentials simplify all aspects of application development - experimentation, implementation, and maintenance. See the section on Why OAuth Server-to-Server credentials? below to learn more.

While the Service Account (JWT) credentials have been marked as deprecated, they will continue to work until Jan 27, 2025. Therefore you must migrate your application or integration to use the new OAuth Server-to-Server credential before Jan 27, 2025. See the section on deprecation timelines below to learn more.

Migrating your applications to the OAuth Server-to-Server credential is a simple two-step process that enables a zero downtime migration for your applications and integrations. Please read our migration guide below to familiarize yourself with the migration process.

If you have more questions, check out our frequently asked questions or visit the Adobe Developer Console forums.

Why OAuth Server-to-Server credentials?

The new OAuth Server-to-Server credentials rely on the OAuth 2.0 client credentials grant. Therefore, you can use industry-standard OAuth 2.0 libraries to implement access token generation in your application.

Unlike the Service Account (JWT) credential, the new credential does not use a public certificate and private key pair to generate access tokens. As an application developer, you do not have to periodically rotate the public certificates and private key pairs when they expire. Also, the credential setup process is greatly simplified, and you do not have to download and save the private key on your machine.

Lastly, while the new OAuth Server-to-Server credentials do not use expiring certificates, they still allow client secret rotation through the UI and API. Read more about rotating secrets programmatically in our guide on rotating client secrets.

OAuth Server-to-Server credentialService Account (JWT) credential
Do expiring certificates need to be replaced every year?
This credential does not use public certificates or private key pairs. You are not forced to rotate certificates every year.
You need to rotate the public certificate and private key pair every year.
Generating access tokens for experimentation
You can generate an access token for quick experimentation with a one-click button on the Developer Console.
Generating access tokens is a 3-step process spanning the Developer Console UI and your command-line terminal.
Generating access tokens in your application
You can use standard OAuth 2.0 libraries to generate access tokens in your application programmatically.
You can implement access token generation programmatically by reading our documentation.
Rotating client secrets programmatically
You can rotate client secrets on-demand through the Dev Console UI and API. Learn more.
You can rotate the public certificate and private key pair manually through the UI.

Deperecation Timelines

May 1, 2023 - Apr 30, 2024May 1, 2024 - Dec 31, 2024Jan 27, 2025 (end of life)
Existing applications using a Service Account (JWT) credential
Existing applications using the Service Account (JWT) credential will continue to work.
Existing applications using the Service Account (JWT) credential will continue to work.
Existing applications cannot refresh expiring certificates after Jan 27, 2025, and will stop working.
New applications creating a Service Account (JWT) credential
A new Service Account (JWT) credential can be added to the project.
A new Service Account (JWT) credential cannot be created or added to the project.
A new Service Account (JWT) credential cannot be created or added to the project.

Migration Overview

The migration to the OAuth Server-to-Server credential is a simple process that enables a zero downtime migration for your application. You can follow the steps below to migrate your application.

Preparation: Find out which applications are using the Service Account (JWT) credentials

To find out which of your Adobe applications and integrations are using the Service Account (JWT) credential

  1. Log in to the Adobe Developer Console and open the Projects Tab.

  2. On the filtering menu on the left side, select the filter Attention Required > Has Service Account (JWT) credential. This will show you all projects with a Service Account (JWT) credential.

  3. Check out the project descriptions set by your team members to understand which application is using a given project. To identify project maintainers in your organization, you can check who created or last modified that project or the project's activity logs.

Perform the steps below for each application/project you have identified. If a project is not in use, we recommend deleting the project or the Service Account (JWT) credential in the project.

Note: you do not have to worry about auto-generated projects. Adobe will automatically migrate those during the migration window.

Step 1: Add the new credential to your project

Once you have identified the application that needs to be updated and its related project on the Developer Console, the first step is to add the new credential to your project to begin using the new credential to generate access tokens and update your application.

  1. Log in to the Developer Console and open your project. Open the Service Account (JWT) credential tab from the left side nav and view the migration card.

  2. On the migration card, click the button to add an equivalent OAuth Server-to-Server credential. Adding an OAuth Server-to-Server credential to your project will start the migration. Note: during the migration, you cannot add any API or service to your project. Some finer points about the added credential -

    • The new OAuth Server-to-Server credential has the same client id, technical account, connected APIs and services, scopes, and product profiles as the old Service Account (JWT) credential.

    • A token generated by the new credential will be identical to one generated by the old credential and have identical access.

    • The difference between the two credentials is in the token generation mechanism and the use of public certificates and private key pairs.

    • At this point, you can use either credential to generate access tokens. This ensures that your running application can continue generating access tokens using the Service Account (JWT).

    • Meanwhile, you can test the new credential by generating access tokens using the Developer Console UI or a cURL command. We also recommend reading our implementation guide that points to several standard OAuth 2.0 libraries to generate access tokens programmatically.

Step 2: Update your application and delete old credential

Update your application

  1. Update your application code to use the new credential to generate access tokens.

    • At this point, you can make code changes to your application and deploy it. Because both your credentials work and you can use either to generate access tokens, you can deploy your updated application to test, staging, and even production environments.

Test if the new credential is working

  1. Once you have updated your application and deployed it to production, the next step is to review whether your application has stopped using the old credential completely. And if so, delete the old credential to complete the migration.

  2. Log in to the Developer Console and navigate to your project. Open the Service Account (JWT) credential tab from the left side nav and view the migration card.

  3. On the migration card, click the button to review timestamps and delete the old credential. This will launch a dialog that walks you through your application's timestamp and credential usage. Based on the status of the two checks (listed below), the UI displays will prompt you to the recommended action.

    • Did your application generate access tokens using the new credential more recently than the old credential?

    • Has it been at least 24 hours since the last time an access token was generated using your old credential?

  4. If all is well, you can proceed to the final action of deleting the old credential.

Delete the old credential

  1. Once you are sure that you have replaced the old credential successfully, the dialog will take you to the last step of deleting the old credential.

    • To confirm this step, you must type in the project name to confirm your intentions.

    • Note: once the old credential is deleted, the step cannot be rolled back. We recommend that developers pay attention to the prompts on the UI and exercise care when performing this step.

Cancelling Migration

During the migration, you cannot add any APIs or other services to the project. Furthermore, during migration, you cannot rotate client secrets for the OAuth Server-to-Server credential.

If you need to add other services or disable the OAuth Server to Server credential in case of a client secret leak - you can cancel the migration.

Canceling the migration will delete the OAuth Server-to-Server credential from your project. If your application already uses the new credential, it will stop working once you cancel the migration.

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
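
Review bot: the deprecation timeline table leaves Jan 1 to Jan 26, 2025 uncovered, and its heading is misspelled "Deperecation Timelines". The columns run "May 1, 2023 - Apr 30, 2024", "May 1, 2024 - Dec 31, 2024" and "Jan 27, 2025 (end of life)", while the prose says the credentials "will continue to work until Jan 27, 2025". Suggest extending the second column to Jan 26, 2025 or stating what applies in the gap. A second point for the "Cancelling Migration" section: it says client secrets cannot be rotated during migration and that cancelling deletes the new credential, so an application already deployed to production on the new credential (which Step 2 explicitly allows) stops working if a leaked secret forces a cancel. That trade-off belongs next to the Step 2 deployment advice, not only at the end of the page. The section also spells the word both "Cancelling" and "Canceling".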
\ No newline at end of file diff --git a/guides/authentication/ServiceAccountIntegration/index.html b/guides/authentication/ServiceAccountIntegration/index.html index b3b13af7..473b04ea 100644 --- a/guides/authentication/ServiceAccountIntegration/index.html +++ b/guides/authentication/ServiceAccountIntegration/index.html @@ -108,7 +108,7 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Service Account Connection

A Service Account connection allows your application to call Adobe services on behalf of the application itself or on behalf of an enterprise organization.

For this type of connection, you will create a JSON Web Token (JWT) that encapsulates your credentials and begin each API session by exchanging the JWT for an access token.

The JWT encodes all of the identity and security information required to obtain an access token and must be signed with the private key that is associated with a public key certificate specified on your integration.

This article walks you through the steps to set up a Service Account connection.

Service Account connection workflow

Step 1: Create a project in Adobe Developer Console

Integrations are now created as part of a "project" within Adobe Developer Console. For complete steps to creating a project in Console, begin by reading the Adobe Developer Console getting started guide and projects overview.

Once you have created a project, you will be able to add services including APIs, Adobe I/O Events registrations, and Adobe I/O Runtime.

Step 2: Add an API to your project using Service Account authentication

To add an API that uses Service Account (JWT) authentication, follow the steps outlined in the guide for adding an API to a project using Service Account authentication.

During the API configuration process, you will be able to generate a key pair and download the private key.

When the API has been successfully connected, you will be able to access the newly generated credentials including Client ID and Client Secret, as well as generate an access token using the private key that you generated during configuration.

Step 3: Try It

In order to try out the connection, follow the steps in the Adobe Developer Console credentials guide for generating a JWT token and copy the Sample cURL command provided.

Next, open Postman and select Import > Paste Raw Text and paste the copied curl command. Select Import to continue.

+ );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Service Account Connection

A Service Account connection allows your application to call Adobe services on behalf of the application itself or on behalf of an enterprise organization.

For this type of connection, you will create a JSON Web Token (JWT) that encapsulates your credentials and begin each API session by exchanging the JWT for an access token.

The JWT encodes all of the identity and security information required to obtain an access token and must be signed with the private key that is associated with a public key certificate specified on your integration.

This article walks you through the steps to set up a Service Account connection.

Service Account connection workflow

Step 1: Create a project in Adobe Developer Console

Integrations are now created as part of a "project" within Adobe Developer Console. For complete steps to creating a project in Console, begin by reading the Adobe Developer Console getting started guide and projects overview.

Once you have created a project, you will be able to add services including APIs, Adobe I/O Events registrations, and Adobe I/O Runtime.

Step 2: Add an API to your project using Service Account authentication

To add an API that uses Service Account (JWT) authentication, follow the steps outlined in the guide for adding an API to a project using Service Account authentication.

During the API configuration process, you will be able to generate a key pair and download the private key.

When the API has been successfully connected, you will be able to access the newly generated credentials including Client ID and Client Secret, as well as generate an access token using the private key that you generated during configuration.

Step 3: Try It

In order to try out the connection, follow the steps in the Adobe Developer Console credentials guide for generating a JWT token and copy the Sample cURL command provided.

Next, open Postman and select Import > Paste Raw Text and paste the copied curl command. Select Import to continue.
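Review bot: Step 2 and Step 3 of the Service Account page have the reader download the private key and then paste the copied Sample cURL command into Postman through Import > Paste Raw Text, but the visible text says nothing about how the private key, Client Secret or resulting access token should be handled afterwards. Suggest adding a sentence after "generate a key pair and download the private key" about keeping the key out of source control and shared workspaces, and a note in Step 3 that an imported request may retain any credentials embedded in the pasted command.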

diff --git a/guides/authentication/Tools/OAuthPlayground/index.html b/guides/authentication/Tools/OAuthPlayground/index.html index e5d76469..78473718 100644 --- a/guides/authentication/Tools/OAuthPlayground/index.html +++ b/guides/authentication/Tools/OAuthPlayground/index.html @@ -108,7 +108,7 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

OAuth 2.0 Playground

The OAuth 2.0 Playground is an Adobe internet utility that enables developers to easily obtain an OAuth 2.0 access token for use in building and testing their integrations. Before you use the OAuth 2.0 Playground, you should already have created an integration you want to use for this purpose. The OAuth 2.0 Playground source code is also available for you to view and experiment with.

Steps to obtain a token:

  1. Go to OAuth 2.0 Playground

    + );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}

    Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

OAuth 2.0 Playground

The OAuth 2.0 Playground is an Adobe internet utility that enables developers to easily obtain an OAuth 2.0 access token for use in building and testing their integrations. Before you use the OAuth 2.0 Playground, you should already have created an integration you want to use for this purpose. The OAuth 2.0 Playground source code is also available for you to view and experiment with.

Steps to obtain a token:

  1. Go to OAuth 2.0 Playground
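Review bot: The removed and added sides of this OAuth 2.0 Playground hunk (-108,7 +108,7) render to the same text, with the same intro paragraph and the same "Steps to obtain a token" list, so the actual change to the page cannot be checked from this diff. The changed line appears to hold the whole minified page; suggest linking the source change in AdobeDocs/adobe-dev-console@87bec66ceade613c9219053a1e563b8f58f260f0 from the deploy commit, or emitting un-minified HTML, so the delta is reviewable.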

    diff --git a/guides/authentication/Tools/Postman/index.html b/guides/authentication/Tools/Postman/index.html index 0f48e516..576a48b0 100644 --- a/guides/authentication/Tools/Postman/index.html +++ b/guides/authentication/Tools/Postman/index.html @@ -108,7 +108,7 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}

    Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Postman

OAuth Access Token

Steps

  1. Install Postman

  2. Open Postman

  3. Create a new request.

+ );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Postman

OAuth Access Token

Steps

  1. Install Postman

  2. Open Postman

  3. Create a new request.

diff --git a/guides/authentication/Tools/index.html b/guides/authentication/Tools/index.html index dc65e0c6..36f54963 100644 --- a/guides/authentication/Tools/index.html +++ b/guides/authentication/Tools/index.html @@ -108,4 +108,4 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}

Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Tools Overview

OAuth 2.0 Playground

Do you have an OAuth integration created?

Try the OAuth 2.0 Playground tool to generate an access token.

Postman

Try Postman for generating an access token for both OAuth and Service Account Integration.

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
\ No newline at end of file + );right:0;width:var(--spectrum-global-dimension-size-300);background:-webkit-linear-gradient(0deg, rgba(255, 255, 255, 0), white);z-index:1;}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

Tools Overview

OAuth 2.0 Playground

Do you have an OAuth integration created?

Try the OAuth 2.0 Playground tool to generate an access token.

Postman

Try Postman for generating an access token for both OAuth and Service Account Integration.

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.
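Review bot: Both the old and new versions of guides/authentication/Tools/index.html end with "\ No newline at end of file" (the marker follows the Copyright line on each side of the -108,4 +108,4 hunk), so the generated file still lacks a trailing newline. Suggest having the site build write a final newline so the last line of each page stops carrying this marker in deploy diffs.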
\ No newline at end of file diff --git a/guides/authentication/UserAuthentication/IMS/index.html b/guides/authentication/UserAuthentication/IMS/index.html index e19e6bf6..aae12b99 100644 --- a/guides/authentication/UserAuthentication/IMS/index.html +++ b/guides/authentication/UserAuthentication/IMS/index.html @@ -108,7 +108,7 @@ );height:var(--spectrum-global-dimension-size-600);left:0;right:0;margin-left:0;margin-right:0;background-color:var(--spectrum-global-color-gray-50);border-bottom:var(--spectrum-global-dimension-size-10) solid var(--spectrum-global-color-gray-200);}}
Developer Console Authentication Guide Documentation Support
Edit in GitHubLog an issue

User Authentication Credentials API Reference

Following is an API reference for Adobe Identity Management Services (IMS) APIs.

On this page:

OpenID Configuration

This API allows you to view information about Adobe's OpenID configuration.

Request

Copied to your clipboard
curl -X GET 'https://ims-na1.adobelogin.com/ims/.well-known/openid-configuration'

Sample Response