Beta
Optimizely SaaS Core is in beta. Apply on Join the waitlist for SaaS Core or contact your Customer Success Manager.
Authentication
To use the REST API, you must authenticate calls with a bearer JSON Web Token (JWT). Request a JWT from the token endpoint with the OAuth 2.0 protocol, then specify the token as a bearer in the Authorization header:
GET https://example.com/_cms/{version}/contenttypes
Authorization: Bearer [JWT]
Replace {version} with preview1 (CMS (PaaS)), v0.5 (CMS SaaS Core beta program), or v1 (CMS SaaS Core API), depending on your
Request a token
Before a token can be requested, create an API client. Go to Settings > API Clients.
You can now request a token for the API client with application/json or application/x-www-form-urlencoded using basic authentication:
JSON
POST https://example.com/_cms/{version}/oauth/token
Content-Type: application/json

{
  "grant_type": "client_credentials",
  "client_id": "[REDACTED]",
  "client_secret": "[REDACTED]"
}
X-www-form-urlencoded
POST https://example.com/_cms/{version}/oauth/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic Base64(GetBytes(client_id:client_secret))

grant_type=client_credentials
When correct credentials are provided, a JWT is returned in the access_token property:
{
  "access_token": "[REDACTED]",
  "expires_in": 300,
  "token_type": "Bearer"
}
The token is valid for 300 seconds. Request a new token when this token has expired.
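The following is an added example, not code from Optimizely: it builds the form-encoded token request shown above and reuses the returned JWT until shortly before its 300-second lifetime ends. The names build_token_request, send and TokenCache, the 30-second renewal margin, and the refusal to send credentials to a non-HTTPS URL are assumptions of this example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def build_token_request(base_url, version, client_id, client_secret):
    """Build the form-encoded token request with HTTP Basic credentials."""
    if not base_url.startswith("https://"):
        # Added check: Basic credentials are only Base64-encoded, not encrypted.
        raise ValueError("refusing to send client credentials over a non-HTTPS URL")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        f"{base_url}/_cms/{version}/oauth/token",
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii"),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def send(request):
    """Default transport: perform the HTTP call and decode the JSON response."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Caches the JWT and renews it `skew` seconds before expires_in elapses."""

    def __init__(self, request_factory, transport=send, clock=time.monotonic, skew=30):
        self._factory, self._transport = request_factory, transport
        self._clock, self._skew = clock, skew
        self._token, self._renew_at = None, 0.0

    def bearer_header(self):
        """Return the Authorization header, requesting a new token if needed."""
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            reply = self._transport(self._factory())
            if reply.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = reply["access_token"]
            self._renew_at = now + max(reply["expires_in"] - self._skew, 0)
        return {"Authorization": f"Bearer {self._token}"}
```

Pass the client ID and secret in from a secret store or environment variable rather than hard-coding them, and keep the returned header out of logs.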
Impersonation
To make API calls on behalf of a user instead of an API client, configure the client to allow impersonation. Then, when requesting a token, specify the username in the act_as property:
POST https://example.com/_cms/{version}/oauth/token
Content-Type: application/json

{
  "grant_type": "client_credentials",
  "client_id": "[REDACTED]",
  "client_secret": "[REDACTED]",
  "act_as": "[email protected]"
}
Authorization
Currently, no authorization takes place except when:
- a user is impersonated, then the user's permissions are evaluated instead of the API client's
- managing content, then the API client's content permissions are evaluated
Manage the API client content permissions through the Set Access Rights UI. Go to Settings > Set Access Rights.