Documentation AEM AEM Tutorials AEM as a Cloud Service Tutorials

OpenAPI-based AEM APIs

Last update: March 31, 2025

Topics:
Developing

CREATED FOR:

Beginner
Developer
Leader

IMPORTANT

The OpenAPI-based AEM APIs are only available in AEM as a Cloud Service and are not compatible with AEM 6.X.

Learn about the OpenAPI-based AEM APIs, including authentication support, key concepts, and how to access Adobe APIs.

The OpenAPI Specification (formerly known as Swagger) is a widely used standard for defining RESTful APIs. AEM as a Cloud Service provides several OpenAPI Specification based APIs (or simply OpenAPI-based AEM APIs), making it easier to create custom applications that interact with AEM’s author or publish service types. Below are some examples:

Sites

Sites API: APIs for working with Content Fragments.

Assets

Folders API: APIs for working with folders such as create, list and delete folders.
Assets Author API: APIs for working with assets and its metadata.

Forms

Forms Communications APIs: APIs for working with forms and documents.

In future releases, more OpenAPI-based AEM APIs will be added to support additional use cases.

AVAILABILITY

OpenAPI-based AEM APIs are available as part of an early access program. If you are interested in accessing them, we encourage you to email aem-apis@adobe.com with a description of your use case.

Authentication support

The OpenAPI-based AEM APIs supports OAuth 2.0 authentication, including the following grant types:

OAuth Server-to-Server credential: Ideal for backend services needing API access without user interaction. It uses the client_credentials grant type, enabling secure access management at the server level. For more information, see OAuth Server-to-Server credential.
OAuth Web App credential: Suitable for web applications with frontend and backend components accessing AEM APIs on behalf of users. It uses the authorization_code grant type, where the backend server securely manages secrets and tokens. For more information, see OAuth Web App credential.
OAuth Single Page App credential: Designed for SPAs running in the browser, which needs to access APIs on behalf of a user without a backend server. It uses the authorization_code grant type and relies on client-side security mechanisms using PKCE (Proof Key for Code Exchange) to secure the authorization code flow. For more information, see OAuth Single Page App credential.

Difference between OAuth Server-to-Server vs Web App vs Single Page App credentials

The following table summarizes the differences between the three OAuth authentication methods supported by OpenAPI-based AEM APIs:

OAuth Server-to-Server

OAuth Web App

OAuth Single Page App (SPA)

Authentication Purpose

Designed for machine-to-machine interactions.

Designed for user-driven interactions in a web app with a backend.

Designed for user-driven interactions in a client-side JavaScript application.

Token Behavior

Issues access tokens that represent the client application itself.

Issues access tokens on behalf of an authenticated user via a backend.

Issues access tokens on behalf of an authenticated user via a frontend-only flow.

Use Cases

Backend services needing API access without user interaction.

Web applications with frontend and backend components accessing APIs on behalf of users.

Pure frontend (JavaScript) applications accessing APIs on behalf of users without a backend.

Security Considerations

Securely store sensitive credentials (client_id, client_secret) in backend systems.

After user authentication, they are granted their own temporary access token via a backend call. Securely store sensitive credentials (client_id, client_secret) in backend systems to exchange authorization code for access token.

After user authentication, they are granted their own temporary access token via a frontend call. Does not use client_secret, as it’s unsafe to store in frontend apps. Relies on PKCE to exchange authorization code for access token.

Grant Type

client_credentials

authorization_code

authorization_code with PKCE

Adobe Developer Console Credential Type

OAuth Server-to-Server

OAuth Web App

OAuth Single-Page App

Before accessing Adobe APIs, it’s essential to understand these key constructs:

Adobe Developer Console: The developer hub for accessing Adobe APIs, SDKs, real-time events, serverless functions, and more. Note that it is different from the AEM Developer Console, which is used for debugging AEM applications.
Adobe Developer Console Project: Central place for managing API integrations, events, and runtime functions. Here, you configure APIs, set authentication, and generate required credentials.
Product Profiles: Product Profiles provide a permission preset that allows you to control user or application access to Adobe products such as AEM, Adobe Target, Adobe Analytics, and others. Every Adobe product has predefined product profiles associated with it.
Services: Services define the actual permissions and are associated with the Product Profile. To reduce or increase the permissions preset, you can deselect or select the services associated with the Product Profile. Thus, allowing you to control the level of access to the product and its APIs. In AEM as a Cloud Service, services represent user groups with predefined Access Control Lists (ACLs) for repository nodes, allowing granular permission management.

Get started

Learn how to set up your AEM as a Cloud Service environment and an Adobe Developer Console project to enable access to the OpenAPI-based AEM APIs. Also access AEM API using brower to verify the setup and review the request and response.