Token-based authentication to AEM as a Cloud Service

AEM exposes a variety of HTTP endpoints that can be interacted with in a headless manner, from GraphQL and AEM Content Services to the Assets HTTP API. Often, these headless consumers need to authenticate to AEM in order to access protected content or actions. To facilitate this, AEM supports token-based authentication of HTTP requests from external applications, services or systems.

In this tutorial we’ll explore how an external application can programmatically authenticate to, and interact with, AEM as a Cloud Service over HTTP using access tokens.

Transcript
In this tutorial, we’ll look at how an external application can programmatically authenticate to AEM as a Cloud Service using access tokens. Keep in mind this external application is explicitly not code running in AEM, but rather code running outside the context of AEM that needs HTTP access to AEM to get its job done.
We’ll use a simple custom Node.js application run from the command line as our example, representing an external application, service, or system.
It uses the Assets HTTP API to read a list of assets from AEM and then update a metadata property on these assets. In our scenario, this will be used to manage the copyright metadata of assets in AEM.
First, we’ll explore how developers can self-generate temporary access tokens that allow them to develop these types of external applications without jumping through the hoops of obtaining bona fide service credentials.
We’ll then use the local development access token to run our code against AEM as a Cloud Service to test it out.
After that, we’ll explore how to generate and use bona fide Service Credentials, which are to be used when this external application is deployed for QA, stage, and finally production use.
For simplicity, in this tutorial, we’ll store and read the service credentials from the local file system. However, these credentials must be managed and read in a secure manner in accordance with your organization’s security guidelines. We’ll look at how the service credentials are used to generate a JWT, which in turn is exchanged with Adobe’s IMS APIs for an access token, and then how this access token can be used in the same way as the temporary local development access token to authenticate HTTP requests to AEM.
Lastly, we’ll touch on what access in AEM the service credentials provide and how these can be managed in AEM by permissioning the AEM technical user ID it maps to.

Pre-requisites

Ensure the following are in place before following along with this tutorial:

  1. Access to an AEM as a Cloud Service environment (preferably a Development environment or a Sandbox program)
  2. Membership in the AEM as a Cloud Service environment’s Author service’s AEM Administrator Product Profile
  3. Membership in, or access to, your Adobe IMS Org Administrator (they will have to perform a one-time initialization of the Service Credentials)
  4. The latest WKND Site deployed to your Cloud Service environment

External Application overview

This tutorial uses a simple Node.js application run from the command line to update asset metadata on AEM as a Cloud Service using the Assets HTTP API.

The execution flow of the Node.js application is as follows:

External Application

  1. The Node.js application is invoked from the command line

  2. Command line parameters define:

    • The AEM as a Cloud Service Author service host to connect to (aem)
    • The AEM asset folder whose assets are updated (folder)
    • The metadata property and value to update (propertyName and propertyValue)
    • The local path to the file providing the credentials required to access AEM as a Cloud Service (file)
  3. The access token used to authenticate to AEM is derived from the JSON file provided via the command line parameter (file)

    a. If Service Credentials used for non-local development are provided in the JSON file (file), the access token is retrieved from Adobe IMS APIs

  4. The application uses the access token to access AEM and list all assets in the folder specified in the command line parameter (folder)

  5. For each asset in the folder, the application updates its metadata based on the property name and value specified in the command line parameters (propertyName and propertyValue)

While this example application is Node.js, these interactions can be developed using different programming languages and executed from other external systems.

Local Development Access Token

Local Development Access Tokens are generated for a specific AEM as a Cloud Service environment and provide access to its Author and Publish services. These access tokens are temporary and are only to be used during the development of external applications or systems that interact with AEM over HTTP. Instead of having to obtain and manage bona fide Service Credentials, a developer can quickly self-generate a temporary access token and use it to develop their integration.

Service Credentials

Service Credentials are the bona fide credentials used in any non-development scenario - most obviously production - to let an external application or system authenticate to, and interact with, AEM as a Cloud Service over HTTP. The Service Credentials themselves are never sent to AEM for authentication; instead, the external application uses them to generate a JWT, which is exchanged with Adobe IMS APIs for an access token, and that access token is then used to authenticate HTTP requests to AEM as a Cloud Service.
