DocumentationAEMAEM TutorialsAEM as a Cloud Service Tutorials

API Credentials and Product Profile management

Last update: Wed Mar 05 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

CREATED FOR:

  • Beginner
  • Developer
  • Leader

Learn how to manage Credentials and Product Profile for OpenAPI-based AEM APIs.

In this tutorial, you learn how to add or remove:

  • Credentials: Provide authentication for an AEM API.
  • Product Profiles: Provide permissions (or authorization) for credentials to access the AEM resources.

Background

When you use an AEM API, you need to define the Credentials and Product Profile in the Adobe Developer Console (or ADC) project. In the following screenshot, you can see the Credentials and Product Profile for an AEM Assets Author API:

Credentials and Product Profile

The Credentials provide the authentication mechanism for the API. The Product Profile grants permissions (or authorization) to the credentials, providing access the AEM resources. The API request could be on behalf of an application or a user.

A Product Profile is associated with one or more Services. In AEM as a Cloud Service, a Service represent user groups with predefined Access Control Lists (ACLs) for repository nodes, allowing granular permission management.

Technical Account User Product Profile

Upon successful API invocation, a user representing the ADC project’s credential is created in the AEM Author service, along with the user groups that match the Product Profile and Services configuration.

Technical Account User Membership

In above scenario, the user 1323d2... is created in the AEM Author service, and is a member of the user groups AEM Assets Collaborator Users - Service and AEM Assets Collaborator Users - author - Program XXX - Environment XXX.

Add or remove Credentials

The AEM APIs support the following types of credentials for authentication:

  1. OAuth Server-to-Server: Designed for machine-to-machine interactions.
  2. OAuth Web App: Designed for user-driven interactions with a backend server in your client application.
  3. OAuth Single Page App: Designed for user-driven interactions without a backend server in your client application.

You can support various use cases using different types of credentials.

All Credentials are managed in your ADC project.

Add Credentials

To add credentials for an AEM API, go to the APIs section of your ADC project and click Connect another credential. Then, follow the instructions for your specific credential type.

Connect another credential

Remove Credentials

To remove an AEM API credential, select it in the APIs section of your ADC project, then click Delete credential.

Delete credential

Add or remove Product Profiles

The Product Profile provides the permissions (or authorization) to the credentials to access the AEM resources. The permissions provided by the Product Profile are based on the Services associated with the Product Profile. Most of the Services provide the READ permission to the AEM resources, via the user groups in AEM instance that have the same name as the Service.

There are times when the credentials (aka technical account user) need additional permissions like Create, Update, Delete (CUD) of AEM resources. In such cases, you need to add a new Product Profile that is associated with the Services that provide the required permissions.

For example, when AEM Assets Author API invocation receives 403 error for non-GET requests, you can add AEM Administrators - author - Program XXX - Environment XXX Product Profile to resolve the issue.

CAUTION
The AEM Administrators service provides FULL administrative access to Experience Manager. Alternatively, you can update Services permissions to provide only the required permissions.
Add Product Profiles

To add Product Profiles for an AEM API, click Edit product profiles in the APIs section of the ADC project, select the desired Product Profile in the Configure API dialog, and save your changes.

code language-none 
![Edit product profiles](https://experienceleague.adobe.com/assets/how-to/edit-product-profiles.png?lang=en)

Select the desired Product Profile (e.g., AEM Administrators - author - Program XXX - Environment XXX) associated with the required services, then save your changes.

code language-none 
![Select Product Profile](https://experienceleague.adobe.com/assets/how-to/select-product-profile.png?lang=en)

Note that the AEM Administrators - author - Program XXX - Environment XXX Product Profile is associated with both the AEM Administrators service and the AEM Assets API Users service. Without the latter, the Product Profile will not appear in the list of available Product Profiles.

code language-none 
![Product Profile Services](https://experienceleague.adobe.com/assets/how-to/product-profile-services.png?lang=en)

The PATCH request to update the asset metadata should now work without issues.

code language-none 
![PATCH Request](https://experienceleague.adobe.com/assets/how-to/patch-request.png?lang=en)
Remove Product Profiles
To remove Product Profiles for an AEM API, click Edit product profiles in the APIs section of the ADC project, deselect the desired Product Profile in the Configure API dialog, and save your changes.
Deselect Product Profile

Summary

You learned how to change the authentication mechanism and permissions for AEM APIs using Credentials and Product Profile in the Adobe Developer Console (ADC) project.

recommendation-more-help
4859a77c-7971-4ac9-8f5c-4260823c6f69