Authentication with OIDC for Optimizely Graph
Learn why Graph uses Opti ID and how to configure Opti ID
Optimizely Graph supports OpenID Connect (OIDC) authentication through Opti ID, Optimizely's unified identity platform. This provides secure, standards-based access to content APIs and simplifies identity management across services.
Why Optimizely Graph uses Opti ID authentication
Optimizely Graph uses OIDC with Opti ID to provide flexible and secure access control. This approach offers several benefits for developers and organizations:
- Centralized identity – Authenticate users and services through a single identity provider.
- Standards-based security – Use OAuth 2.0-based OIDC for token authentication.
- Granular access – Control access with roles and claims in JWTs.
- SSO support – Let users sign in with shared credentials across Optimizely products.
- Modern architecture – Align with Optimizely's composable identity model.
How authentication works in Graph
Graph authorizes access based on JWTs issued by Opti ID or a federated identity provider.
- Authorization header – Pass the token in the Authorization: Bearer header. Learn more about Bearer.
- Claims-based access – Graph uses claims like sub, cg-roles, and email to determine access.
- Scope enforcement – Graph allows or denies access based on roles and scopes in the token.
Configure authentication with Opti ID
Configure SSO, assign roles, and use issued tokens in Graph API requests.
- Configure SSO in Opti ID – Configure OIDC-based SSO with your identity provider.
- Assign user roles – Embed roles like cg-editor or cg-admin in the token's cg-roles claim to control access.
- Use the token in API requests – Include the JWT in the Authorization header to authenticate Graph queries.
curl -X POST "https://cg.optimizely.com/content/v2" \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "Content-Type: application/json" \
-d '{"query": "{ Article { items { title } } }"}'
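
The claims listed under "How authentication works in Graph" and the role assignment step above can be inspected client-side before a token is sent. This is an added example, not Optimizely's code: it decodes a JWT payload without verifying the signature (a troubleshooting aid, not an authorization check) and lists likely rejection causes. The shape of the cg-roles claim, treating sub and email as required, and the use of the standard exp claim are assumptions.

```python
import base64
import json
import time

# Role names come from the page; the shape of cg-roles (list or delimited
# string) and treating sub/email as required are assumptions.
KNOWN_ROLES = {"cg-editor", "cg-admin"}

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def preflight(token, now=None):
    """List reasons the token is likely to be rejected; empty means none found."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = [f"missing claim: {n}" for n in ("sub", "email") if not claims.get(n)]
    roles = claims.get("cg-roles", [])
    if isinstance(roles, str):
        roles = roles.replace(",", " ").split()
    if not isinstance(roles, list) or not KNOWN_ROLES & {r for r in roles if isinstance(r, str)}:
        problems.append("cg-roles has neither cg-editor nor cg-admin")
    exp = claims.get("exp")  # standard JWT expiry claim (RFC 7519)
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or has no exp claim")
    return problems

def sample_token(claims):
    # Constructed token with a placeholder signature; not a real Opti ID token.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    tok = sample_token({"sub": "user-1", "email": "editor@example.com",
                        "cg-roles": ["cg-editor"], "exp": int(time.time()) + 300})
    print(preflight(tok) or "no problems found")
```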
