Generate JWT access token in App Builder action

Last update: 2024-02-29
  • Created for:
  • Intermediate

App Builder actions may need to interact with Adobe APIs associated with Adobe Developer Console projects the App Builder app is deployed too.

This may require the App Builder action to generate its own JWT access token associated with the desired Adobe Developer Console project.


Review App Builder security documentation to understand when it is appropriate to generate access tokens versus using provided access tokens.

The custom action may need to provide its own security checks to ensure that only allowed consumers can access the App Builder action, and the Adobe services behind it.

.env file

In the App Builder project’s .env file, append custom keys for each of Adobe Developer Console project’s JWT credentials. The JWT credential values can be obtained from the Adobe Developer Console project’s Credentials > Service Account (JWT) for a given workspace.

Adobe Developer Console JWT Service Credentials


The values for JWT_CLIENT_ID, JWT_CLIENT_SECRET, JWT_TECHNICAL_ACCOUNT_ID, JWT_IMS_ORG can be directly copied from the Adobe Developer Console project’s JWT Credentials screen.


Determine the Adobe APIs and their metascopes the App Builder action interacts with. List metascopes with comma delimiters in the JWT_METASCOPES key. Valid metascopes are listed in Adobe’s JWT Metascope documentation.

For example, the following value might be added to the JWT_METASCOPES key in the .env:


Private key

The JWT_PRIVATE_KEY must be specially formatted as it is natively a multi-line value, which is not supported in .env files. The easiest way is to base64 encode the private key. Base64 encoding the private key (-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----) can be done using native tools provided by your operating system.

  1. Open Terminal

  2. Run the command base64 -i /path/to/private.key | pbcopy

  3. The base64 output is automatically copied the clipboard

  4. Paste into .env as value to corresponding key

  1. Open Command Prompt

  2. Run the command certutil -encode C:\path\to\private.key C:\path\to\encoded-private.key

  3. Run the command findstr /v CERTIFICATE C:\path\to\encoded-private.key

  4. Copy the base64 output to the clipboard

  5. Paste into .env as value to corresponding key

  1. Open terminal

  2. Run the command base64 private.key

  3. Copy the base64 output to the clipboard

  4. Paste into .env as value to corresponding key

For example, the following base64-encoded private key might be added to the JWT_PRIVATE_KEY key in the .env:


Inputs mapping

With the JWT credential value set in the .env file, they must be mapped to AppBuilder action inputs to they can be read in the action itself. To do this, add entries for each variable in the ext.config.yaml action inputs in the format: PARAMS_INPUT_NAME: $ENV_KEY.

For example:

    - type: web
      impl: index.html
actions: actions
      license: Apache-2.0
          function: actions/generic/index.js
          web: 'yes'
          runtime: nodejs:16
            LOG_LEVEL: debug
            JWT_IMS_ORG: $JWT_IMS_ORG
            require-adobe-auth: false
            final: true

The keys defined under inputs are available on the params object provided to the App Builder action.

JWT credentials to access token

In the App Builder action, the JWT credentials are available in the params object, and useable by @adobe/jwt-auth to generate an access token, which in turn can access other Adobe APIs and services.

const fetch = require("node-fetch");
const { Core } = require("@adobe/aio-sdk");
const { errorResponse, stringParameters, checkMissingRequestInputs } = require("../utils");
const auth = require("@adobe/jwt-auth");

async function main(params) {
  const logger = Core.Logger("main", { level: params.LOG_LEVEL || "info" });

  try {
    // Perform any necessary input error checking
    const systemErrorMessage = checkMissingRequestInputs(params, [

    // Split the metascopes into an array (they are comma delimited in the .env file)
    const metascopes = params.JWT_METASCOPES?.split(',') || [];

    // Base64 decode the private key value
    const privateKey = Buffer.from(params.JWT_PRIVATE_KEY, 'base64').toString('utf-8');

    // Exchange the JWT credentials for an 24-hour Access Token
    let { accessToken } = await auth({
      clientId: params.JWT_CLIENT_ID,                          // Client Id
      technicalAccountId: params.JWT_TECHNICAL_ACCOUNT_ID,     // Technical Account Id
      orgId: params.JWT_IMS_ORG,                               // Adobe IMS Org Id
      clientSecret: params.JWT_CLIENT_SECRET,                  // Client Secret
      metaScopes: metascopes,                                  // Metadcopes defining level of access the access token should provide
      privateKey: privateKey,                                  // Private Key to sign the JWT

    // The 24-hour IMS Access Token is used to call the Analytics APIs
    // Can look at caching this token for 24 hours to reduce calls
    const accessToken = await getAccessToken(params);

    // Invoke an exmaple Adobe API endpoint using the generated accessToken
    const res = await fetch('', {
      headers: {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "X-Proxy-Global-Company-Id": 'example',
        "Authorization": `Bearer ${accessToken}`,
        "x-Api-Key": params.JWT_CLIENT_ID,
      method: "POST",
      body: JSON.stringify({... An Analytics query ... }),

    if (!res.ok) { throw new Error("Request to API failed with status code " + res.status);}

    // Analytics API data
    let data = await res.json();

    const response = {
      statusCode: 200,
      body: data,

    return response;
  } catch (error) {
    return errorResponse(500, "server error", logger);

exports.main = main;

On this page