April 22, 2026
Solved

403 Forbidden Error: "IMS Client ID not allowlisted" - How to Enable App Builder OAuth Credential for Content Fragments API in AEM Cloud RDE?


I'm developing an Adobe App Builder integration to sync product data present in Salsify to AEM Content Fragments via the OpenAPI in my RDE environment. IMS OAuth authentication is working correctly (I'm obtaining tokens with the correct scopes: aem.fragments.management,aem.folders), and I've added my OAuth Server-to-Server credential to the "AEM Sites Content Managers - Author" product profile in Admin Console.

However, when my App Builder action calls the Content Fragments API (GET /adobe/sites/cf/fragments), I receive a 403 Forbidden error with: "IMS Client ID not allowlisted. Allowlist the Client ID using the Configuration Pipeline."

How do I properly configure my RDE environment to allow this OAuth Client ID to create and manage Content Fragments?

Specifically:

(1) What is the correct method to allowlist the Client ID in an RDE environment?

(2) Should I add the OAuth credential to any other product profile instead of "Sites Content Managers"?

(3) Is there additional RDE-specific configuration needed beyond the product profile assignment?

The folders exist in DAM with correct CF model policies, and the technical account appears to authenticate successfully - the only blocker is this allowlist requirement. Any guidance on enabling App Builder OAuth credentials for CF API access in AEM Cloud RDE would be greatly appreciated!


Thanks, 

Meghana Nagendra

Best answer by SubbaraoGa1

@Meghana_N 

The 403 comes from the AEM auth proxy before repository permissions are evaluated, which means the missing step is the environment allowlist deployment, not DAM folder/model policy. I'm now tightening the answer around RDE specifics, especially whether RDE can use the same api.yaml / config pipeline flow and whether any extra provisioning is needed.

Your OAuth token and scopes can be correct, and your technical account can be in the right product profile, but AEM will still reject the call until that OAuth Client ID is explicitly allowlisted in AEM via the API configuration. That is the purpose of the allowedClientIDs config described in the OpenAPI setup docs. [1] [2]

[1] https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/aem-apis/openapis/setup

[2] https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/assets/content-hub/collections-content-hub

For RDE, this is not done through a normal Cloud Manager config pipeline. RDE uses command-line tooling to install that same config into the environment.  [3] [4]

[3] https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/developing/open-api-based-apis

[4] https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/developing/rapid-development-environments

 

1) Correct way to allowlist the Client ID in an RDE

For an RDE, create an API config YAML and install it with aio aem:rde:install -t env-config ....

Use something like:

kind: "API"
version: "1.0"
metadata:
  envTypes: ["rde"]
data:
  allowedClientIDs:
    author:
      - "<your-oauth-client-id>"

Why author? Because the Content Fragment Management OpenAPI is an author-tier API. [1] [5]

[5] https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/aem-apis/openapis/invoke-api-using-oauth-s2s

 

Then install it into the RDE:

 

aio aem:rde:install -t env-config ./config

Or zip the config tree and install the zip:

 

aio aem:rde:install -t env-config config.zip

RDE docs explicitly note that environment config can be installed this way, and that envTypes can include rde. 

Important: use the literal client ID string in YAML. An internal support thread notes that using an environment variable placeholder for the client ID did not work; it should be set directly in the YAML.

 

2) Should you use another product profile instead of "Sites Content Managers - Author"?

Not to solve this specific 403.

The error message:

IMS Client ID not allowlisted

points to the AEM allowlist layer, not to the Admin Console role mapping layer.

So:

  • Keep the OAuth credential associated with the appropriate author-side Sites content management profile
  • The missing step is the AEM API allowlist config, not a different profile

Also, the Content Fragment Management OpenAPI is generally enabled by default and does not need separate provisioning like the Delivery OpenAPI does.  That said, after you fix the allowlist, if you then start getting permission/ACL errors, then revisit whether the service account needs broader author permissions for the DAM path/model/folder operations.

 

3) Is there extra RDE-specific setup beyond the product profile?

Yes — the allowlist config itself is the RDE-specific missing piece.

For RDE specifically:

  • you do not use the normal non-RDE config pipeline flow
  • you install the API config with aio aem:rde:install -t env-config
  • the config should target envTypes: ["rde"]
  • the client ID should be listed under allowedClientIDs.author

This aligns with:

  • OpenAPI setup docs saying the AEM instance must be configured with allowedClientIDs
  • OpenAPI platform docs saying RDE uses command line tooling instead of the normal config-pipeline flow.
  • RDE docs showing env-config installation and envTypes: ["rde"] usage.

Recommended implementation

Create config/api.yaml

kind: "API"
version: "1.0"
metadata:
  envTypes: ["rde"]
data:
  allowedClientIDs:
    author:
      - "YOUR_APP_BUILDER_CLIENT_ID"

Install it into the RDE

aio aem:rde:install -t env-config ./config

Retry your call

GET /adobe/sites/cf/fragments

If the allowlist is the only blocker, the IMS Client ID not allowlisted error should disappear.
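
A preflight check for the allowlist config in the answer above, added here as an example; it is not part of the original answer or of Adobe's tooling. It confirms that the file targets rde, that the listed IDs are literals rather than placeholders, and that the token being sent belongs to an allowlisted credential. The function names and sample client ID are made up, and it assumes the IMS access token is a JWT carrying a client_id claim.

```javascript
// Constructed sample of config/api.yaml; the client ID is made up.
const SAMPLE_YAML = `kind: "API"
version: "1.0"
metadata:
  envTypes: ["rde"]
data:
  allowedClientIDs:
    author:
      - "0123456789abcdef0123456789abcdef"
`;

// Minimal reader for this one file shape, not a general YAML parser.
function readAllowlist(yamlText) {
  const cfg = { envTypes: [], tiers: {} };
  let inAllowlist = false, tier = null;
  const unquote = s => s.trim().replace(/^["']|["']$/g, '');
  for (const raw of yamlText.split('\n')) {
    const line = raw.trim();
    const env = line.match(/^envTypes:\s*\[(.*)\]$/);
    if (env) cfg.envTypes = env[1].split(',').map(unquote);
    else if (line === 'allowedClientIDs:') inAllowlist = true;
    else if (inAllowlist && /^\w+:$/.test(line)) cfg.tiers[tier = line.slice(0, -1)] = [];
    else if (tier && line.startsWith('- ')) cfg.tiers[tier].push(unquote(line.slice(2)));
  }
  return cfg;
}

// Reads the client_id claim from a JWT payload without verifying the signature.
// Local diagnostics only; assumes the IMS access token is a JWT with that claim.
function clientIdFromToken(jwt) {
  const part = (jwt.split('.')[1] || '').replace(/-/g, '+').replace(/_/g, '/');
  try { return JSON.parse(Buffer.from(part, 'base64').toString('utf8')).client_id || null; }
  catch { return null; }
}

// Returns a list of problems; an empty list means the config matches the token.
function preflight(yamlText, accessToken, tier = 'author') {
  const cfg = readAllowlist(yamlText);
  const ids = cfg.tiers[tier] || [];
  const problems = [];
  if (!cfg.envTypes.includes('rde')) problems.push('envTypes does not include "rde"');
  for (const id of ids) {
    if (/[${}<>]|^YOUR_/.test(id)) problems.push(`"${id}" is a placeholder, not a literal ID`);
  }
  const tokenId = clientIdFromToken(accessToken);
  if (!tokenId || !ids.includes(tokenId)) {
    problems.push(`token client_id ${tokenId} is not under allowedClientIDs.${tier}`);
  }
  return problems;
}
```

Run it against config/api.yaml and a freshly issued token before `aio aem:rde:install`; an empty result means the remaining 403 causes lie in the permission layer, not the allowlist.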

 

 

1 reply

SubbaraoGa1 (Adobe Employee, accepted solution)
April 23, 2026


Meghana_N (Author, Level 2)
April 23, 2026

Thanks for the detailed explanation @SubbaraoGa1. I deployed the config YAML file and then the App Builder action was able to authenticate and create content fragments.