
Authentication and authorization

How to authenticate to use the Content Management System (CMS) (SaaS) API.

Authentication

To use the CMS (SaaS) REST API, you must authenticate each call with a bearer JSON Web Token (JWT). Request the JWT from the token endpoint using the OAuth 2.0 protocol, then pass it as a bearer token in the Authorization header:

GET https://api.cms.optimizely.com/<version>/<endpoint>
Authorization: Bearer <your_access_token>

Request a token

You need a Client ID and Secret to request a token. If you do not have these credentials, create an API key using the following instructions.

Create API key

  1. Go to Settings > API Keys in your CMS (SaaS) instance.

  2. Click Create API Key.

  3. Enter a Name and click Create API Key. The Name can only contain letters, numbers, hyphens, and underscores.

  4. (Optional) Select Impersonation. This lets the client act as the user authorized to access resources. Use this when you need the client application to perform actions on behalf of the user without the user being directly involved or present.

  5. The Client ID and Secret are auto-filled. Save these values.

    You can restrict what operations the API key can execute. See the Authorization section.

Request token

After creating an API key, you can request a token for the API client in one of two ways: with an application/json body that carries the credentials, or with an application/x-www-form-urlencoded body and the credentials sent as HTTP Basic authentication. The token is valid for 300 seconds (five minutes). Request a new token when this token expires.

JSON

POST https://api.cms.optimizely.com/oauth/token
Content-Type: application/json

{
  "grant_type": "client_credentials",
  "client_id": "CLIENT_ID",
  "client_secret": "CLIENT_SECRET"
}

Replace CLIENT_ID and CLIENT_SECRET with the values you saved from creating the API key.

X-www-form-urlencoded

POST https://api.cms.optimizely.com/oauth/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Base64(GetBytes(client_id:client_secret))

grant_type=client_credentials

Response

When you provide correct credentials, a JWT is returned in the access_token property:

{
  "access_token": "[REDACTED]",
  "expires_in": 300,
  "token_type": "Bearer"
}

Copy the access_token to use with your API calls. The token is valid for 300 seconds (five minutes). Request a new token when this token expires.

Impersonation

To make API calls on behalf of a user instead of the API client itself, first enable impersonation on the API key (see step 4 under Create API key). Then, when requesting a token, specify the username in the act_as property:

POST https://api.cms.optimizely.com/oauth/token
Content-Type: application/json

{
  "grant_type": "client_credentials",
  "client_id": "[REDACTED]",
  "client_secret": "[REDACTED]",
  "act_as": "[email protected]"
}
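The following is an added example, not code from the Optimizely documentation or SDK. It builds both forms of the token request shown above (JSON body, or form body with HTTP Basic credentials), optionally adds the act_as property for impersonation, and caches the returned access_token so that it is renewed shortly before the 300-second expires_in elapses. Sending the request over HTTP and the skew value are assumptions; TOKEN_URL is the endpoint from this page.

```python
import base64
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://api.cms.optimizely.com/oauth/token"  # endpoint from the page


def build_token_request(client_id, client_secret, use_form=False, act_as=None):
    """Return (headers, body) for the client_credentials grant.

    use_form=False -> JSON body carrying client_id/client_secret.
    use_form=True  -> x-www-form-urlencoded body, credentials as HTTP Basic.
    act_as         -> impersonated username; the page shows it only with the
                      JSON body, so it is only honoured there (assumption).
    """
    if use_form:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers = {"Content-Type": "application/x-www-form-urlencoded",
                   "Authorization": f"Basic {creds}"}
        return headers, urlencode({"grant_type": "client_credentials"})
    payload = {"grant_type": "client_credentials",
               "client_id": client_id, "client_secret": client_secret}
    if act_as:
        payload["act_as"] = act_as
    return {"Content-Type": "application/json"}, json.dumps(payload)


class TokenCache:
    """Holds one access_token and refetches it before expires_in runs out."""

    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch = fetch        # callable that POSTs to TOKEN_URL, returns parsed JSON
        self._skew = skew          # renew this many seconds early (assumed value)
        self._clock = clock        # injectable for testing
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0       # how many token requests were actually made

    def bearer_header(self):
        """Return the Authorization header, requesting a new token if needed."""
        if self._token is None or self._clock() >= self._expires_at:
            resp = self._fetch()
            self.fetch_count += 1
            self._token = resp["access_token"]
            # expires_in is 300 on this API; subtract skew so a slow call
            # does not hit the endpoint with a token that dies in flight
            self._expires_at = self._clock() + resp["expires_in"] - self._skew
        return {"Authorization": f"Bearer {self._token}"}
```

Pass a fetch callable that POSTs the output of build_token_request to TOKEN_URL and returns the decoded response; the cache then hands every API call a header that stays valid across the five-minute lifetime.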

Authorization

Currently, no authorization takes place except in the following cases:

  1. When a user is impersonated, the user's permissions are evaluated in addition to the API key's.
  2. When managing content, the API key's content permissions are evaluated.

Find API key content permissions on the Set Access Rights page. Go to Settings > Set Access Rights, as shown in the following image: