
Authentication and authorization

Beta

Optimizely SaaS Core is in beta. Apply on the Join the waitlist for SaaS Core page, or contact your Customer Success Manager.

Authentication

To use the REST API, you must authenticate each call with a bearer JSON Web Token (JWT): request a JWT from the token endpoint using the OAuth 2.0 protocol, then pass it as a bearer token in the Authorization header:

GET https://example.com/_cms/{version}/contenttypes
Authorization: Bearer [JWT]

Replace {version} with preview1 (CMS (PaaS)), v0.5 (CMS SaaS Core beta program), or v1 (CMS SaaS Core API), depending on your

Request a token

Before a token can be requested, create an API client. Go to Settings > API Clients:

Manage API clients.

You can now request a token for the API client. Send the credentials either as application/json in the request body, or as application/x-www-form-urlencoded with basic authentication:

JSON

POST https://example.com/_cms/{version}/oauth/token
Content-Type: application/json

{
  "grant_type": "client_credentials",
  "client_id": "[REDACTED]",
  "client_secret": "[REDACTED]"
}

x-www-form-urlencoded

POST https://example.com/_cms/{version}/oauth/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Base64(GetBytes(client_id:client_secret))

grant_type=client_credentials

When correct credentials are provided, a JWT is returned in the access_token property:

{
  "access_token": "[REDACTED]",
  "expires_in": 300,
  "token_type": "Bearer"
}

The token is valid for 300 seconds. Request a new token when this token has expired.

Impersonation

To make API calls on behalf of a user instead of an API client, configure the client to allow impersonation. Then, when requesting a token, specify the username in the act_as property:

POST https://example.com/_cms/{version}/oauth/token
Content-Type: application/json

{
  "grant_type": "client_credentials",
  "client_id": "[REDACTED]",
  "client_secret": "[REDACTED]",
  "act_as": "[email protected]"
}

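The token flow above, including the 300-second lifetime and the optional act_as impersonation, as an added example (not Optimizely's own code): a small client-side token cache that builds either the JSON or the form-urlencoded token request, checks the response, and re-requests the JWT shortly before it expires. The HTTP transport is an assumed, injected callable so the example runs offline; in production it would wrap a real HTTP client.

```python
import base64
import json
import time
from urllib.parse import urlencode


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Base64(client_id:client_secret), as the form-urlencoded variant expects."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class TokenCache:
    """Fetches a client_credentials JWT and re-requests it shortly before it expires."""

    def __init__(self, base_url, version, client_id, client_secret, transport,
                 act_as=None, use_form=False, margin=30, clock=time.monotonic):
        # transport(url, headers, body) -> (status, parsed JSON) is an assumption:
        # injected so the example runs offline; in production wrap an HTTP client.
        self.token_url = f"{base_url}/_cms/{version}/oauth/token"
        self.client_id, self._secret = client_id, client_secret
        self.transport, self.act_as, self.use_form = transport, act_as, use_form
        self.margin, self.clock = margin, clock  # refresh `margin` seconds early
        self._token, self._expires_at = None, 0.0
        self.requests_made = 0  # exposed so callers can see how often we re-auth

    def _request(self) -> None:
        if self.use_form:  # credentials in a Basic header, grant type in the body
            headers = {"Content-Type": "application/x-www-form-urlencoded",
                       "Authorization": basic_auth_header(self.client_id, self._secret)}
            body = urlencode({"grant_type": "client_credentials"})
        else:  # credentials (and optional act_as) in a JSON body
            headers = {"Content-Type": "application/json"}
            payload = {"grant_type": "client_credentials",
                       "client_id": self.client_id, "client_secret": self._secret}
            if self.act_as:
                payload["act_as"] = self.act_as  # impersonation: the user's rights apply
            body = json.dumps(payload)
        status, resp = self.transport(self.token_url, headers, body)
        if status != 200 or resp.get("token_type") != "Bearer":
            raise RuntimeError(f"token request failed: HTTP {status}")  # no secret in message
        self._token = resp["access_token"]
        self._expires_at = self.clock() + int(resp["expires_in"])  # 300 s per the docs
        self.requests_made += 1

    def bearer_header(self) -> dict:
        """Authorization header for an API call; refreshes the JWT when (nearly) expired."""
        if self._token is None or self.clock() >= self._expires_at - self.margin:
            self._request()
        return {"Authorization": f"Bearer {self._token}"}
```
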
Authorization

Currently, no authorization takes place, except in two cases:

  • When a user is impersonated, the user's permissions are evaluated instead of the API client's.
  • When managing content, the API client's content permissions are evaluated.

Manage the API client content permissions through the Set Access Rights UI. Go to Settings > Set Access Rights:

Manage API client content permissions.