Documentation Experience Platform Experience Platform overview

Authenticate and access Experience Platform APIs

Last update: January 28, 2025

Topics:
API

CREATED FOR:

Developer

This document provides a step-by-step tutorial for gaining access to an Adobe Experience Platform developer account in order to make calls to Experience Platform APIs. At the end of this tutorial, you will have generated or collected the following credentials that are required as headers in all Platform API calls:

{ACCESS_TOKEN}
{API_KEY}
{ORG_ID}

TIP

In addition to the three credentials above, many Platform APIs also require a valid {SANDBOX_NAME} to be provided as a header. See the sandboxes overview for more information about sandboxes and the sandbox management endpoint documentation for information about listing the sandboxes available to your organization.

To maintain the security of your applications and users, all requests to Experience Platform APIs must be authenticated and authorized using standards such as OAuth.

This tutorial covers how to gather the required credentials to authenticate Platform API calls, as outlined in the flowchart below. You can gather most of the required credentials in the initial one-time setup. The access token, however, must be refreshed every 24-hours.

The authentication flow requirements for the one-time initial setup and each subsequent session.

Prerequisites

In order to successfully make calls to Experience Platform APIs, you must have the following:

An organization with access to Adobe Experience Platform.
An Admin Console administrator that is able to add you as a developer and a user for a product profile.
An Experience Platform system administrator who can grant you the necessary attribute based access controls to perform read or write operations on different parts of Experience Platform through APIs.

You must also have an Adobe ID to complete this tutorial. If you do not have an Adobe ID, you can create one using the following steps:

Go to Adobe Developer Console.
Select Create a new account.
Complete the sign-up process.

Gain developer and user access for Experience Platform

Before creating integrations on Adobe Developer Console, your account must have developer and user permissions for an Experience Platform product profile in Adobe Admin Console.

Gain developer access

Contact an Admin Console administrator in your organization to add you as a developer to an Experience Platform product profile. See the Admin Console documentation for specific instructions on how to manage developer access for product profiles.

Once you are assigned as a developer, you can start creating integrations in Adobe Developer Console. These integrations are a pipeline from external apps and services to Adobe APIs.

Gain user access

Your Admin Console administrator must also add you as a user to the same product profile. With user access, you can see in the UI the outcome of the API operations that you perform.

See the guide on managing user groups in Admin Console for more information.

Generate an API key (client ID) and organization ID

NOTE

If you are following this document from the Privacy Service API guide, you can now return to that guide to generate the access credentials unique to Privacy Service.

After you have been given developer and user access to Platform through Admin Console, the next step is to generate your {ORG_ID} and {API_KEY} credentials in Adobe Developer Console. These credentials only need to be generated once and can be reused in future Platform API calls.

TIP

Instead of going to Developer Console, you can get all the authentication credentials that you need to work with Platform APIs directly from the API reference documentation pages. Read more about the functionality.

Add Experience Platform to a project

Go to Adobe Developer Console and sign in with your Adobe ID. Next, follow the steps outlined in the tutorial on creating an empty project in the Adobe Developer Console documentation.

Once you have created a new project, select Add API on the Project Overview screen.

TIP

If you are provisioned for several organizations, use the organization selector in the upper right corner of the interface to make sure that you are in the organization you need.

Developer Console screen with the Add API option highlighted.

The Add an API screen appears. Select the product icon for Adobe Experience Platform, then choose Experience Platform API before selecting Next.

Select Experience Platform API in the Add an API screen.

TIP

Select the View docs option to navigate in a separate browser window to the complete Experience Platform API reference documentation.

Select the OAuth Server-to-Server authentication type

Next, select the OAuth Server-to-Server authentication type to generate access tokens and access the Experience Platform API. Give your credential a meaningful name in the Credential name text field before selecting Next.

IMPORTANT

The OAuth Server-to-Server method is the only token generation method supported moving forward. The formerly supported Service Account (JWT) method is deprecated and cannot be selected for new integrations. While existing integrations using the JWT authentication method will continue to work until June 30th, 2025, Adobe strongly recommends that you migrate existing integrations to the new OAuth Server-to-Server method before that date. Get more information in the section Deprecated Generate a JSON Web Token (JWT).

Select the OAuth Server-to-Server authentication method for the Experience Platform API.

Select the product profiles for your integration

In the Configure API screen, select AEP-Default-All-Users along with any additional product profiles you wish to gain access to.

IMPORTANT

To get access to certain features in Platform, you also need a system administrator to grant you the necessary attribute-based access control permissions. Read more in the section Get the necessary attribute-based access control permissions.

Select product profiles for your integration.

Select Save configured API when you are ready.

A walkthrough of the steps described above to set up an integration with the Experience Platform API is also available in the video tutorial below:

video poster

https://video.tv.adobe.com/v/28832/?learn=on

Gather credentials

Once the API has been added to the project, the OAuth Server-to-Server page for the project displays the following credentials that are required in all calls to Experience Platform APIs:

Integration information after adding an API in Developer Consle.

{API_KEY} (Client ID)
{ORG_ID} (Organization ID)

Generate an access token

The next step is to generate an {ACCESS_TOKEN} credential for use in Platform API calls. Unlike the values for {API_KEY} and {ORG_ID}, a new token must be generated every 24 hours to continue using Platform APIs. Select Generate access token which produces your access token, as shown below.

Show how to generate access token

TIP

You can also use a Postman environment and collection to generate access tokens. For more information, read the section about using Postman to authenticate and test API calls.

Create and retrieve authentication credentials directly in the API reference documentation

Starting with the November 2024 release of Experience Platform, you can get credentials to use the Experience Platform APIs directly from the API reference pages, without needing to go to Developer Console. View the example below from the Flow Service API - Destinations page.

Get credentials functionality highlighted at the top of an API reference page.

To get credentials to call Platform APIs, navigate to any Experience Platform API reference page and select Sign in at the top of the page. Sign in with your Personal Account or Company or School Account.

After signing in, select Create new credential to create a new set of credentials to access Platform APIs.

Create new credentials to access Platform APIs.

Next, use the dropdown selector to open the credentials window, generate an access token, and get your API key and organization ID. Copy the credentials into the Try it blocks on the API reference pages to start working with Platform APIs.

Use the dropdown selector to view credentials and generate an access token.

TIP

The top-of-page credentials block remains displayed as you navigate between different endpoint pages in the Experience Platform API reference documentation.

Deprecated Generate a JSON Web Token (JWT)

WARNING

The JWT method to generate access tokens has been deprecated. All new integrations must be created using the OAuth Server-to-Server authentication method. Adobe also requires that you migrate your existing integrations to the OAuth method by June 30th, 2025 for your integrations to continue to work. Read the following important documentation:

View deprecated information

The next step is to generate a JSON Web Token (JWT) based on your account credentials. This value is used to generate your {ACCESS_TOKEN} credential for use in Platform API calls, which must be regenerated every 24 hours.

IMPORTANT

For the purposes of this tutorial, the steps below outline how to generate a JWT within Developer Console. However, this generation method should only be used for testing and evaluation purposes.

For regular use, the JWT must be generated automatically. For more information on how to programmatically generate JWTs, see the service account authentication guide on Adobe Developer.

Select Service Account (JWT) in the left navigation, then select Generate JWT.

In the textbox provided under Generate custom JWT, paste the contents of the private key that you previously generated when adding the Platform API to your service account. Then, select Generate Token.

The page updates to show the generated JWT, along with a sample cURL command that allows you to generate an access token. For the purposes of this tutorial, select Copy next to Generated JWT to copy the token to your clipboard.

Generate an access token

Once you have generated a JWT, you can use it in an API call to generate your {ACCESS_TOKEN}. Unlike the values for {API_KEY} and {ORG_ID}, a new token must be generated every 24 hours to continue using Platform APIs.

Request

The following request generates a new {ACCESS_TOKEN} based on the credentials provided in the payload. This endpoint only accepts form data as its payload, and therefore it must be given a Content-Type header of multipart/form-data.

curl -X POST https://ims-na1.adobelogin.com/ims/exchange/jwt \
  -H 'Content-Type: multipart/form-data' \
  -F 'client_id={API_KEY}' \
  -F 'client_secret={SECRET}' \
  -F 'jwt_token={JWT}'

Property

Description

{API_KEY}

The {API_KEY} (Client ID) that you retrieved in a previous step.

{SECRET}

The client secret that you retrieved in a previous step.

{JWT}

The JWT that you generated in a previous step.

NOTE

You can use the same API key, client secret, and JWT to generate a new access token for each session. This allows you to automate access token generation in your applications.

Response

{
  "token_type": "bearer",
  "access_token": "{ACCESS_TOKEN}",
  "expires_in": 86399992
}

Property

Description

token_type

The type of token being returned. For access tokens, this value is always bearer.

access_token

The generated {ACCESS_TOKEN}. This value, prefixed with the word Bearer, is required as the Authentication header for all Platform API calls.

expires_in

The number of milliseconds remaining until the access token expires. Once this value reaches 0, a new access token must be generated to continue using Platform APIs.

Test access credentials

Once you have gathered all three required credentials - access token, API key, and Organization ID - , you can try to make the following API call. This call lists all standard Experience Data Model (XDM) classes available to your organization. Import and execute the call in Postman.

recommendation-more-help

Request

curl -X GET https://platform.adobe.io/data/foundation/schemaregistry/global/classes \
  -H 'Accept: application/vnd.adobe.xed-id+json' \
  -H 'Authorization: Bearer {{ACCESS_TOKEN}}' \
  -H 'x-api-key: {{API_KEY}}' \
  -H 'x-gw-ims-org-id: {{ORG_ID}}'

Response

If your response is similar to the one shown below, then your credentials are valid and working. (This response has been truncated for space.)

{
  "results": [
    {
        "title": "XDM ExperienceEvent",
        "$id": "https://ns.adobe.com/xdm/context/experienceevent",
        "meta:altId": "_xdm.context.experienceevent",
        "version": "1"
    },
    {
        "title": "XDM Individual Profile",
        "$id": "https://ns.adobe.com/xdm/context/profile",
        "meta:altId": "_xdm.context.profile",
        "version": "1"
    }
  ]
}

IMPORTANT

While the call above is sufficient to test your access credentials, be aware that you will not be able to access or modify several resources without having the right attribute-based access control permissions. Read more in the Get the necessary attribute-based access control permissions section below.

Get the necessary attribute-based access control permissions

To access or modify several resources within Experience Platform, you must have the appropriate access control permissions. System administrators can grant you the permissions you need. Get more information in the section about managing API credentials for a role.

Detailed information about how a system administrator can grant the required permissions to access Platform resources through the API is also available in the video tutorial below:

video poster

https://video.tv.adobe.com/v/28832/?learn=on&t=159

Use Postman to authenticate and test API calls

Postman is a popular tool that allows developers to explore and test RESTful APIs. You can use Experience Platform Postman collections and environments to speed up your work with Experience Platform APIs. Read more about using Postman in Experience Platform and getting started with collections and environments.

Detailed information about using Postman with Experience Platform collections and environments is also available in the video tutorials below:

Download and import a Postman environment to use with Experience Platform APIs

video poster

https://video.tv.adobe.com/v/28832/?learn=on&t=106

Use a Postman collection to generate access tokens

Download the Identity Management Service Postman collection and watch the video below to learn how to generate access tokens.

video poster

https://video.tv.adobe.com/v/29698/?learn=on

Download Experience Platform API Postman collections and interact with the APIs

video poster

https://video.tv.adobe.com/v/29704/?learn=on

Transcript

Alright, after we’ve generated our access token, we can begin interacting with Adobe IO APIs. In this video, I interact with experienced platform APIs, using Adobe-provided Postman collections. To access these collections, head over to the experience-platform-postman-samples GitHub repository, navigate into APIs, Experience Platform, and there’s a Postman collection for each of the APIs available. For this video, I load a single collection for the Schema Registry API.

Once we’ve downloaded all the collections that we want to use, let’s head back to Postman, select import, and load all the Postman collection files.

As you can see, we have our Schema Registry API collection, and within this are a number of folders, and within each folder, are the HTTP requests we can make to interact with the API. Let’s keep this simple, and interact with the stats API.

So we can simply open this up, we can look at the headers, which are mapped to the environment variables, which are provided by the Adobe API environment export, as well as the access token, which we obtained from the Adobe IO access token generation Postman collection. Alright, so let’s try this out. We just hit send, to execute the API command, and there you go, we’ve successfully interacted with experienced platforms, a Schema Registry API, using Postman.

System administrators: Grant developer and API access control with Experience Platform permissions

Before you can create integrations on Adobe Developer Console, your account must have developer and user permissions for an Experience Platform product profile.

NOTE

Only system administrators have the ability to view and manage API credentials in Permissions.

Add developers to product profile

Navigate to the Admin Console and sign in with your Adobe ID.

Select Products from the navigation bar and then select Adobe Experience Platform from the list of products.

The products page on Adobe Admin Console with the Adobe Experience Platform product highlighted.

From the Product Profiles tab, select AEP-Default-All-Users. Alternatively, use the search bar to search for the product profile by entering the name.

The product profiles page with the search bar and AEP-Default-All-Users product highlighted.

Select the Developers tab, then select Add Developer.

The developers tab is displayed with the Add developers option highlighted,

The Add developers dialog appears. Enter the developer’s Email or username. A valid Email or username displays the developer details. Select Save.

The Add developers dialog with a developers information filled in and the Save option highlighted.

The developer has been successfully added and appears on the Developers tab.

The developers tab displaying the list of all added developers with the newly added developer highlighted.

Assign API credentials to a role

NOTE

Only a system administrator can assign APIs to roles in the Experience Platform UI.

To use and perform operations on Experience Platform APIs, a system administrator needs to add the API credentials in addition to a role’s given set of permissions. Get more information in the section about managing API credentials for a role.

A walkthrough of the steps described above for adding developers to product profiles and assigning APIs to roles is also available in the video tutorial below:

video poster

https://video.tv.adobe.com/v/3426407/?learn=on

Transcript

In this video, we’ll show you how a system admin can add a developer for Adobe Experience Platform using Adobe Admin Console. We’ll also show you how to add a developer’s API credentials to a role in the platform interface to grant access to features and sandboxes for the API integrations the developer will build. Experience Platform’s OpenAPI ecosystem allows developers to directly integrate platform capabilities into their own applications. In order to gain access to these APIs, users must be added as developers for Experience Platform through Adobe Admin Console. Once access has been granted, developers can generate credentials for Experience Platform APIs and use those credentials to create integrations with multiple applications. To add a new developer, you must be a system administrator for your organization. Start by logging into Adobe Admin Console, then navigate to the Products tab. Next, select Experience Platform, and here we see the default product profile called AEP Default All Users. So we’ll click into it. From here, we’ll select the Developers tab, then click Add Developer. In the dialog that appears, add the email addresses of the users that you want to add as developers for Experience Platform. If the email is associated with an Adobe ID or a Federated ID, further details about the user are auto-populated. If the email is not associated with Adobe Account, we’re given the option to manually enter their details instead. From here, you can scroll down to continue adding more developers if you wish. And once you’re happy with your selections, select Save to apply them. And that’s the first step done. These users now have developer access to platform and can generate API credentials using Adobe Developer Console. However, in order for those API credentials to actually provide access to specific platform capabilities, we need to perform the second step in the Experience Platform interface. Once a developer has generated their API credentials in Developer Console, navigate to the Permissions tab in the Platform interface. In Platform, we grant API access to features using a similar workflow to adding new users. In other words, we need to add the developer’s API credentials to a role, which provides access to a certain set of platform features and sandboxes. Clicking into one of the existing roles, select the API Credentials tab, and then select Add API Credentials. Here we have a list of credentials to choose from, and if the developer generated their credentials correctly, they should appear here. To narrow down the list, ask the developer for the technical account email that was generated as part of their credentials. Copying this value into the search box, we can locate the exact set of credentials that we want to add to this role. So, we’ll select it and then hit Save, and now these credentials have been added. When the developer uses these credentials in their API integration, they can use all of the platform features and sandboxes that this role grants access to. As a final step, we may also want to add the developer as a user under this same role, so they can also access the Platform interface to test and verify their API integrations. Heading over to the Users tab, select Add Users and select the developer from the list before hitting Save. If you don’t see them listed as a user here, be sure to add them as a user in Admin Console first. And that’s it! The newly added developer can now start building API integrations using their generated credentials. For details on how to leverage platform APIs in your code, please refer to the documentation. Thanks for watching.

Additional resources

Refer to the additional resources linked below for further help getting started with Experience Platform APIs

Authenticate and access Experience Platform APIs video tutorials page
Identity Management Service Postman Collection for generating access tokens
Experience Platform API Postman Collections

Next steps

By reading this document, you have gathered and successfully tested your access credentials for Platform APIs. You can now follow along with the example API calls provided throughout the documentation.

In addition to the authentication values you have gathered in this tutorial, many Platform APIs also require a valid {SANDBOX_NAME} to be provided as a header. See the sandboxes overview for more information.