AEM 6.5 AMS/Local OAuth2.0 + Assets HTTP api not working, it works with basic auth | Community
Skip to main content
F
FrancoisCournoyer
Level 2
April 9, 2026
Question

AEM 6.5 AMS/Local OAuth2.0 + Assets HTTP api not working, it works with basic auth

  • April 9, 2026
  • 2 replies
  • 23 views

We’re trying to implement a server to server integration with AEM 6.5 AMS (not Cloud), and I’ve been trying to set it up locally.

I got the OAuth2.0 client working (created the client in the OAuth Clients section of the Security Tools.

Given the access to the oauthserver service users, created a ScopeWithPrivileges class giving read/write access to the /content/dam path for the service to use.

I’m able to get the Bearer token correctly, but when I tried to upload an asset by posting to  
http://localhost:4502/api/assets/companies/product-staging/new_test.png
I’m getting a 500
with a status.message 
"status.message": "Can't create child on a synthetic root",

the same call using basic auth for the same user (admin), works correctly.
 

Anyone ever done this with the AssetAPI or are we stuck using basic auth for this?
I’m half guessing something isn’t right with the ScopeWithPrivilege class, if anyone succeeded knows what we’re doing wrong would be greatly appreciated.

    2 replies

    VishalKa5
    VishalKa5
    Level 6
    April 10, 2026

    Hi ​@FrancoisCournoyer,

    OAuth with AEM 6.5 AMS should work with the Assets HTTP API, so you are not limited to basic authentication. The error usually means the OAuth token is valid, but the service user linked to that token does not have the correct repository-level permissions or path mapping needed to create nodes under /content/dam.

    1. The Bearer token is being generated correctly, so OAuth setup itself is working.
    2. “Can't create child on a synthetic root” usually happens when AEM cannot properly resolve or write to the target DAM path.
    3. Most often, this means the OAuth service user does not have full create/modify permissions on /content/dam/companies/product-staging.
    4. Check that the ScopeWithPrivileges mapping includes:
      • Read access
      • Modify/Create node permissions
      • Replicate if needed
    5. Also verify the folder path already exists in DAM before upload — Assets API may fail if parent folders are missing.
    6. Confirm the OAuth client is correctly mapped to the intended service user, not just authenticated successfully.
    7. Basic auth works because admin has unrestricted rights, while OAuth only gets scoped permissions.

    In short: OAuth is supported, but the issue is likely permission mapping or folder path access for the OAuth service user, not the Assets API itself.

    Thanks & Regards,

    Vishal

    S
    Adobe Employee
    SubbaraoGa1Adobe Employee
    Adobe Employee
    April 10, 2026

    Hi ​@FrancoisCournoyer 

    I dug into the error and it’s not an issue in the Assets API itself; it’s a permissions / OAuth configuration issue.

    • With Basic Auth as admin the same URL works, which proves the API and DAM path are OK.
    • With OAuth, AEM executes the call as the user resolved from the access token (usually a technical account). That user currently does not have sufficient rights under /content/dam/companies/product-staging, and AEM throws Can't create child on a synthetic root.

    To move forward, please:

    1. Call a simple URL (like /.json) with your Bearer token and confirm which AEM user is being used.
    2. In /useradmin, temporarily add that user to the same DAM author/administrator group that can upload assets today, then retry the /api/assets/... upload.
    3. If that works, replace the broad group membership with explicit read/write ACLs on /content/dam/content/dam/companies, and /content/dam/companies/product-staging for this technical account.
    4. If you’re using a custom ScopeWithPrivileges, also double‑check that:
      • The scope name requested by the client matches your implementation, and
      • Your OAuth resource server/scope components are active and actually used (the default OAuth2ResourceServerImpl may need to be disabled or overridden).

    Once the technical-account user has the correct DAM permissions, the Assets HTTP API will work over OAuth just like it does with Basic Auth.

    F
    FrancoisCournoyerAuthor
    Level 2
    April 10, 2026

    Thanks for the information, but that’s the thing though.

    if I do

    GET http://localhost:4502/content/dam/loblaw-companies-limited/product-staging/manual.jsonAuthorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJnam1hZ2VkczVpaDk1cGRtZmdrZ2RtZDlqMy12bTNjOTN3eSIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhZG1pbiIsImV4cCI6MTc3NTgzNTAzMCwiaWF0IjoxNzc1ODI3ODMwLCJzY29wZSI6ImRhbS1zYWxzaWZ5LXdyaXRlIiwiY3R5IjoiYXQifQ.wb9Vu66oL29MV_uuCOtB-H7CF8ZD2O9tqNBc-iWyAtg

    I am getting 

    {
      "jcr:primaryType": "sling:Folder",
      "jcr:mixinTypes": [
        "rep:AccessControllable"
      ],
      "jcr:createdBy": "admin",
      "jcr:created": "Wed Apr 01 2026 16:36:35 GMT-0400"
    }

    but calling

    GET http://localhost:4502/api/assets/loblaw-companies-limited/product-staging/manual.jsonAuthorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJnam1hZ2VkczVpaDk1cGRtZmdrZ2RtZDlqMy12bTNjOTN3eSIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhZG1pbiIsImV4cCI6MTc3NTgzNTAzMCwiaWF0IjoxNzc1ODI3ODMwLCJzY29wZSI6ImRhbS1zYWxzaWZ5LXdyaXRlIiwiY3R5IjoiYXQifQ.wb9Vu66oL29MV_uuCOtB-H7CF8ZD2O9tqNBc-iWyAtg

    I am getting a 404

    if I copy the same in a browser while impersonating the technical account, I am getting the correct result.

    I went and checked the Oauth user being created when connecting with the bearer, and the user does have jrc:read and rep:write on that folder.

    it’s only when going through api/assets that it does not work somehow.

     

    Terms & ConditionsAccessibility statement

    Loading footer...