How to List Assets in a Folder Using AEM Assets Author API with OAuth Web App? | Community
Level 1
May 25, 2026
Question

We're doing a POC for a multi-tenant SaaS application that integrates with Adobe Experience Manager as a Cloud Service to enable bulk asset import functionality. Our application uses OAuth Web App authentication to access the AEM Assets Author API on behalf of authenticated users.

Core Requirement:

Our application needs to:

  1. Browse AEM folder structures
  2. List assets within selected folders
  3. Retrieve asset metadata (title, description, tags)
  4. Download original asset binaries

Current Setup (Successfully Completed):

  • ✅ OAuth Web App credential configured in Adobe Developer Console
  • ✅ Scopes: openid, AdobeID, aem.assets.author, aem.folders
  • ✅ Client ID allowlisted via api.yaml deployed through Cloud Manager Config Pipeline
  • ✅ User assigned to "AEM Assets Collaborator Users" Product Profile with "AEM Assets API Users" service enabled
  • ✅ OAuth authentication flow working (successfully obtaining access tokens)
  • ✅ Able to list folders using: GET /adobe/folders 

Issue - Unable to List Assets:
adobe/assets?limit=10&offset=0
adobe/folders/{folderId}/assets

Requests include required headers:

    • Authorization: Bearer <valid_access_token>
    • X-Api-Key: <client_id> 

Error:

{
    "type": "https://api.adobeaemcloud.com/adobe/meta/errors/not_found",
    "title": "Not Found",
    "status": 404,
    "detail": "No RequestProcessor can handle this request.",
    "requestId": "53f8ac2e-46b3-48cd-ab55-c7aed8f29125"
}

2 replies

Adobe Employee
May 26, 2026

@Shardul 

We reviewed the AEM as a Cloud Service API usage for your POC.

Your OAuth Web App setup appears aligned for accessing AEM APIs on behalf of authenticated users. The main issue is the endpoint choice for listing assets inside folders.

For folder browsing, the OpenAPI-based Folders API can be used successfully. However, for listing the contents of a DAM folder, the recommended approach is to use the Assets HTTP API with the DAM path, for example:

GET /api/assets/<folder-path-relative-to-/content/dam>.json

Example: if the folder is /content/dam/my-company/imports, the request should be:

GET /api/assets/my-company/imports.json

This endpoint returns the folder contents, including child folders and assets.

For asset metadata, continue using the OpenAPI-based Assets Author API with the asset ID:

GET /adobe/assets/{assetId}/metadata

For downloading the original binary, use the content link returned in the Assets HTTP API response for the asset.

So the recommended integration pattern for this POC is:

  • Folders API for browsing folder hierarchy
  • Assets HTTP API for listing assets in a folder
  • Assets Author API for asset metadata by asset ID
  • Assets HTTP API content link for downloading the original binary

If helpful, we can provide sample requests or a small reference implementation for this hybrid pattern.

Shardul (Author)
Level 1
May 27, 2026

Thank you for the clarification regarding the hybrid API approach for our multi-tenant SaaS POC. We understand the recommended pattern:

  1. Folders API (OpenAPI) - Folder hierarchy browsing
  2. Assets HTTP API - Listing assets within folders
  3. Assets Author API (OpenAPI) - Asset metadata by ID
  4. Assets HTTP API - Binary downloads via content links

However, we need clarification on several critical aspects before proceeding:

1. Authentication for Assets HTTP API (/api/assets)

Issue: When calling the Assets HTTP API endpoints using the OAuth access token obtained through our Web App credential flow, we receive a 403 Forbidden error:

{
    "type": "https://api.adobeaemcloud.com/adobe/meta/errors/forbidden",
    "title": "Forbidden",
    "status": 403,
    "detail": "The access token is missing required scopes.",
    "request_id": "4bd80730-9222-480b-95fd-18a27c06e7f0"
}

Request Details:

  • Endpoint: GET https://<author-instance>/api/assets/<folder-path>.json
  • Headers:
    • Authorization: Bearer <oauth_access_token>
    • Content-Type: application/json
  • Current OAuth Scopes: openid, AdobeID, aem.assets.author, aem.folders

Questions:

  • Does the Assets HTTP API require different authentication than the OpenAPI-based endpoints (Folders API, Assets Author API)?
  • Can a single OAuth Web App credential authenticate to both OpenAPI and Assets HTTP API endpoints, or do we need separate credential types?

2. Refresh Token Support (offline_access Scope)

Issue: The Adobe Developer Console does not provide an offline_access scope option when configuring our OAuth Web App credential. This scope is listed as required in the documentation to obtain refresh tokens for long-lived sessions.

Questions:

  • How do we enable the offline_access scope for our OAuth Web App credential?
  • Is there a configuration step in Adobe Developer Console or Cloud Manager that we're missing?
  • Without refresh tokens, our users would need to re-authenticate every time the access token expires (24 hours), which is not feasible for our use case.
  • Is there a workaround or alternative approach for maintaining persistent authentication?

3. Multi-Tenant AEM Instance Discovery

Context: Our SaaS application serves multiple tenants, each with their own AEM as a Cloud Service instance (different author URLs like https://author-p1234-e5678.adobeaemcloud.com).

Questions:

  • Does Adobe provide an API to dynamically discover a user's AEM author instance URL based on their authenticated IMS identity?
  • Or do we need to require each tenant to manually input their AEM author URL in our application's configuration UI?
  • Is there a tenant-to-instance mapping service or directory we can query programmatically?
  • How do other multi-tenant applications typically handle this requirement?

4. Required User Inputs - Clarification

To ensure we design the correct user experience in our application, please confirm the minimum required inputs we need from users to enable asset browsing and metadata retrieval:

Our Current Understanding:

  1. ✅ User authenticates via OAuth (handled by our app)
  2. ❓ User provides their AEM Author URL (manual input?)
  3. ✅ User selects folders via Folders API (browsing UI)
  4. ✅ Application retrieves assets and metadata using provided APIs

Questions:

  • Is the AEM Author URL the only tenant-specific configuration users need to provide?
  • Are there other tenant-specific identifiers (Org ID, IMS Org, Program ID, Environment ID) that we need to collect?
  • Can any of these values be derived programmatically from the OAuth token or IMS user profile?

Summary of Blockers:

  1. 403 Forbidden when accessing Assets HTTP API with OAuth Web App token
  2. No offline_access scope available in Adobe Developer Console for refresh tokens
  3. Unclear process for multi-tenant AEM instance URL discovery

Adobe Employee
May 27, 2026

@Shardul 

Thank you for the detailed follow-up. After re-checking the current AEM Cloud Service API model, our recommendation is to separate the newer OpenAPI-based AEM APIs from the older RESTful Assets HTTP API (/api/assets), because they do not use the same authentication pattern.

1. Why /api/assets returns 403 with your OAuth Web App token

The behavior you are seeing is consistent with an authentication-model mismatch, not simply a missing product-profile permission.
Your current OAuth Web App credential is the correct approach for OpenAPI-based AEM APIs such as:

  • Folders API
  • Assets Author API

However, the legacy Assets HTTP API (/api/assets) is part of the RESTful API family, which does not use the same OAuth 2.0 user-authentication model as the OpenAPI-based APIs. As a result, a token that works for /adobe/folders or /adobe/assets/{id}/metadata should not be assumed to work for /api/assets/...json.

Recommendation: for this POC, do not treat /api/assets as interchangeable with the OpenAPI endpoints under the same OAuth Web App credential.

2. Can one OAuth Web App credential be used for both API families?

At this time, the safe guidance is no:

  • OpenAPI-based AEM APIs → supported with OAuth Web App authentication
  • RESTful APIs such as Assets HTTP API → different auth model

So if your architecture depends on user-delegated OAuth from an external web app, the preferred path is to stay within the OpenAPI-based / IMS-authenticated integration model, rather than combining it with /api/assets.

3. What to use instead for asset browsing/listing

For a third-party web application that needs end users to browse and select assets interactively, the supported integration pattern to evaluate is AEM Asset Selector. Asset Selector is specifically documented for integration with non-Adobe applications and uses IMS-based authentication.
If your requirement is a custom-built browsing UI, then we recommend validating the exact supported API coverage for "list assets in folder" under the OpenAPI model before proceeding further, rather than continuing to build on /api/assets.

4. Refresh tokens / offline_access

In general, OAuth Web App credentials do support refresh tokens when the offline_access scope is available and granted. That capability is not enabled through Cloud Manager.
If offline_access is not shown in Adobe Developer Console for your setup, that points to a Developer Console / API onboarding scope availability issue, not an AEM api.yaml or Cloud Manager configuration issue.

So the practical guidance is:

  • there is no Cloud Manager step that adds offline_access
  • if that scope is not exposed in your Developer Console configuration, Adobe needs to confirm whether it is currently enabled/supported for this API package and tenant setup
  • without refresh tokens, your application would need to re-establish user authorization after access-token expiry

5. Multi-tenant AEM author URL discovery

We are not aware of a general public API that resolves a user's IMS identity directly to their AEM author URL for arbitrary multi-tenant SaaS onboarding.

For most third-party integrations, the practical pattern is:

  • the tenant/admin provides the AEM author URL during onboarding, and your application stores it as tenant configuration
  • if you adopt Adobe-managed repository-selection experiences such as Asset Selector, there are Adobe-specific provisioning/discovery flows, but those should not be treated as a generic author-URL discovery API for all SaaS integrations

6. Minimum tenant-specific inputs

For your use case, the minimum tenant-specific runtime input should be assumed to be:

  • AEM author URL for that tenant

Depending on the final integration path, you may also need:

  • IMS Org / repository context for Asset Selector-style integrations or Adobe-assisted discovery flows

But for direct OpenAPI calls, values such as Program ID or Environment ID are generally operational/admin details rather than end-user inputs required by the API call itself.

Note:

Your current blocker is most likely not a permission bug in /api/assets; it is that /api/assets belongs to a different API/authentication model than the OpenAPI-based AEM APIs you have already enabled successfully.
Our recommendation is to pivot the POC away from relying on /api/assets with the same OAuth Web App token, and either:

  1. use OpenAPI-based AEM APIs + Asset Selector for the interactive browsing/selection experience, or
  2. have Adobe confirm the exact supported API surface for folder asset listing under the OpenAPI path you are targeting before you invest further in a custom browser.

If helpful, we can next provide either:

  • a customer-ready architecture diagram / decision tree, or
  • a revised endpoint-by-endpoint implementation plan for the POC.
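
Because the author URL is tenant-supplied and the user's bearer token is sent to it, the guidance in the reply above can be enforced before any token leaves the application. The following is an added example, not code from the thread or from Adobe: the function names are hypothetical, and the host pattern is taken from the sample author URL in the question and assumes tenants do not use a custom domain.

```python
import re
from urllib.parse import urlsplit

# Host shape taken from the thread's sample author URL. Assumption: tenants
# use the default adobeaemcloud.com host, not a custom domain.
AUTHOR_HOST = re.compile(r"author-p[0-9]+-e[0-9]+\.adobeaemcloud\.com")

# API families the thread says the OAuth Web App token is meant for.
OPENAPI_PREFIXES = ("/adobe/folders", "/adobe/assets")


def normalize_author_url(raw):
    """Validate a tenant-supplied author URL; return its canonical origin."""
    parts = urlsplit(raw.strip())
    if parts.scheme != "https":
        raise ValueError("author URL must use https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("author URL must not carry credentials")
    if parts.port not in (None, 443):
        raise ValueError("author URL must use the default port")
    host = (parts.hostname or "").lower()
    if not AUTHOR_HOST.fullmatch(host):
        raise ValueError("host is not an AEM Cloud Service author host")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("author URL must be a bare origin")
    return "https://" + host


def build_openapi_request(author_url, path, access_token, client_id):
    """Return (url, headers) for an OpenAPI call; refuse other API families."""
    origin = normalize_author_url(author_url)
    in_family = any(path == p or path.startswith(p + "/")
                    for p in OPENAPI_PREFIXES)
    if not in_family or ".." in path.split("/") or "?" in path or "#" in path:
        raise ValueError("path outside the OpenAPI family; token not attached")
    headers = {
        "Authorization": "Bearer " + access_token,
        "X-Api-Key": client_id,
    }
    return origin + path, headers


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url, _ = build_openapi_request(
        "https://author-p1234-e5678.adobeaemcloud.com/",
        "/adobe/folders", "sample-token", "sample-client-id")
    print(url)
```

Query parameters such as limit and offset are expected to be passed separately to the HTTP client rather than embedded in `path`.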