May 5, 2026
Question

App Builder | AEM Cloud Service — Sling POST Servlet returns 403 "The access token is missing required scopes" with OAuth Server-to-Server credential

  • 4 replies
  • 88 views

 Environment
  - AEM as a Cloud Service (Author) - RDE
  - Adobe App Builder / Adobe I/O Runtime (Server-to-Server OAuth credential)
  - Node.js action using Axios to call AEM APIs

What I'm trying to do

I'm building an App Builder action that creates AEM Sites pages programmatically using the Sling POST Servlet. I have created another action already that creates and updates Content Fragments via the CF Management API (/adobe/sites/cf/fragments), which is working fine.

For page creation, I'm POSTing to the page path with application/x-www-form-urlencoded:

  POST /content/… (content path under which the PDP pages must be created)
  Content-Type: application/x-www-form-urlencoded
  Authorization: Bearer <IMS token>

  _charset_=UTF-8&jcr%3AprimaryType=cq%3APage&jcr%…......

The error

  Every request to the Sling POST Servlet returns:
    "type": "https://api.adobeaemcloud.com/adobe/meta/errors/forbidden",
    "title": "Forbidden",
    "status": 403,
    "detail": "The access token is missing required scopes."
 

  Current credential scopes

  The Developer Console project has these APIs added:
  - Content Fragment Management API → scope: aem.fragments.management
  - AEM Folders API → scope: aem.folders

Product Profiles: AEM Sites Content Managers - author

Full scope string in use: openid,AdobeID,aem.fragments.management,aem.folders

My Questions:

1. What is the correct IMS scope required to call the Sling POST Servlet on /content/... paths with a Server-to-Server credential?

2. Is there an alternative OpenAPI endpoint for programmatic page creation that works with Server-to-Server credentials and the scopes currently available?

Thanks in advance!

4 replies

VeenaVikraman
Community Advisor
May 7, 2026

Hi Meghana,

The issue does not appear to be with your token generation or the scopes you've configured. Those scopes are valid for the APIs you've enabled. The main issue is that the Sling POST Servlet on /content/... is not part of AEM Cloud’s officially exposed OpenAPI surface for Server-to-Server OAuth in the same way as APIs like Content Fragment Management.

That’s why your CF Management API calls work correctly with aem.fragments.management, while POST requests to /content/... through Sling POST return a 403. The Sling POST Servlet is essentially a repository-level operation and does not behave like the newer IMS-scoped OpenAPI endpoints.

For programmatic page creation in AEM Cloud with App Builder, the approach that typically works best is:

  1. Build a custom AEM servlet or endpoint (for example /bin/yourapp/createpage) deployed inside AEM

  2. Have the App Builder action call that endpoint using the IMS token

  3. Validate the token in AEM and internally create pages using PageManager#create() with a service user that has the required permissions

This approach gives you much better control over:

  • permissions

  • validation

  • business rules

  • auditing

  • scalability

I have worked on a similar use case and I have followed the above approach which worked well for me. 

At the moment, Content Fragment APIs are much more mature from an OpenAPI perspective than generic Sites page creation APIs, so the custom endpoint approach is generally the safest and most flexible option for this use case.

Hope this helps!

 

Thanks

Veena

Meghana_N (Author)
May 8, 2026

Hi @VeenaVikraman, thanks for the detailed response.

I followed the suggested architecture and ran into the below issue:

  What I implemented:
  - Deployed a custom AEM servlet (GET for existence check, POST for create/delete)
  - Created a JCR service user via repoinit with jcr:read and rep:write on the content path
  - Mapped the service user to the OSGi bundle via ServiceUserMapperImpl.amended
  - App Builder action calls the servlet with an IMS Bearer token

  The problem:
  The IMS token is being rejected at the CDN layer before the request reaches AEM, with this response:

  {
    "status": 403,
    "detail": "The access token is missing required scopes."
  }

So the service user never gets invoked — the CDN blocks the request first.

Is there anything that I am missing here? Please let me know!

Thanks in advance!

lavishvasuja
Level 4
May 10, 2026

@Meghana_N 

The custom servlet + service user approach is valid from an AEM perspective, but in AEM Cloud the App Builder request must first pass Adobe IMS/AEM authorization before reaching your servlet.

So even if the servlet internally uses PageManager#create() with a service user, the external call still needs an IMS token with scopes allowed for that endpoint/path.

The 403 - access token is missing required scopes indicates the request is being blocked at the platform auth layer, before servlet/service-user logic is invoked.

Also, aem.fragments.management and aem.folders are API-specific scopes and don’t provide generic authoring access on /content/*.

So this looks more like an OAuth/API exposure limitation in AEM Cloud rather than a servlet or permission issue.
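
A diagnostic for the 403 discussed in the replies above, as an added example that is not part of any post in this thread: it lists the scopes a token carries and tells the platform-layer scope rejection (the error body quoted in the question and in the follow-up) apart from any other 403. The function names, the `scope` claim name and the sample token are assumptions made for illustration.

```javascript
// Added example, not code from this thread. Assumptions: the IMS access token
// is a JWT whose payload lists scopes in a `scope` claim, comma-separated as in
// the scope string quoted in the question.
const PLATFORM_FORBIDDEN =
  "https://api.adobeaemcloud.com/adobe/meta/errors/forbidden"; // `type` from the thread

// Decode (do NOT treat as verified) the JWT payload, for troubleshooting only.
// Log the scope list, never the token itself.
function tokenScopes(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  return String(payload.scope || "").split(/[,\s]+/).filter(Boolean);
}

// Decide which layer produced a 403 seen by the action.
function classify403(status, body, jwt) {
  if (status !== 403) return { layer: "not-a-403", scopes: [] };
  let problem = null;
  try {
    problem = typeof body === "string" ? JSON.parse(body) : body;
  } catch {
    problem = null; // e.g. an HTML error page rather than JSON
  }
  const detail = (problem && problem.detail) || "";
  const platform =
    (problem && problem.type === PLATFORM_FORBIDDEN) ||
    /missing required scopes/i.test(detail); // the follow-up post's body has no `type`
  return {
    layer: platform ? "platform-auth" : "other",
    scopes: tokenScopes(jwt),
    hint: platform
      ? "Rejected before AEM: servlet code and service-user ACLs are not involved."
      : "Not the scope rejection from this thread: check AEM-side permissions and logs.",
  };
}

// Constructed sample token (unsigned, placeholder signature) for an offline run.
function sampleToken() {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return [
    enc({ alg: "none" }),
    enc({ scope: "openid,AdobeID,aem.fragments.management,aem.folders" }),
    "constructed-signature",
  ].join(".");
}
```

In an Axios-based action, pass `err.response.status` and `err.response.data` from the failed call together with the token the action sent.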

Level 4
May 10, 2026

Hi Meghana,

Good question, and I’ve run into this exact issue before. Here’s what’s going on.

The root cause is that the Sling POST Servlet on /content paths is not covered by the Content Fragment Management or Folders API scopes you currently have. Those scopes only authorize the OpenAPI endpoints under /adobe/sites/. The Sling POST Servlet is a different beast entirely and requires a different authorization mechanism.

To answer your two questions directly:

On the scope question: there is no IMS scope currently available in Developer Console that grants access to the Sling POST Servlet for arbitrary /content paths via Server-to-Server credentials. This is a known limitation Adobe has acknowledged. The Sling POST Servlet was designed around user-based authentication and the OAuth Server-to-Server flow doesn’t map cleanly to it, which is why you keep getting the missing required scopes 403 even with a valid token.

On the alternative endpoint question: yes, and this is actually the path Adobe wants you to take going forward. For programmatic page creation from App Builder with Server-to-Server credentials, the recommended approach is to use the AEM Sites Pages API if it’s available in your environment, or to go through a custom OSGi servlet on the AEM side that handles the token exchange and creates the page server-side. The App Builder action calls your custom servlet with the IMS token, the servlet validates it using the AEM service user context, and the actual page creation happens within AEM where Sling permissions apply normally.

The practical workaround most teams use right now is a lightweight proxy servlet approach. You deploy a simple Sling servlet to your AEM Cloud instance that accepts the IMS bearer token, validates it against IMS, maps it to an appropriate service user, and then does the jcr:primaryType=cq:Page node creation internally. This way your App Builder action keeps using Server-to-Server OAuth, the token is valid for calling your custom endpoint, and the page creation happens inside AEM where it has full repository access.

It’s a bit more setup than a direct Sling POST call, but it’s stable, it works in RDE and production, and it doesn’t depend on Adobe exposing a scope that doesn’t exist yet.

Meghana_N (Author)
May 10, 2026

Hi ​@akhil_merupula 

Thank you for the detailed explanation. Even with the servlet working on RDE via a developer token, the automated App Builder action kept getting 403 with missing required scopes. The CDN is checking every token for an AEM product context claim and rejects tokens that don't carry it (P.S. I had logs to check if the request is hitting the CDN before reaching AEM, and it is).

However, the AEM CS Sites Content Management (that I have added for the App Builder project) has the following scope: openid,AdobeID,aem.fragments.management,aem.folders. I am not sure this will allow the AEM Sites Page API / custom servlets to access “/content”.

P.S.: I did try earlier with the Page Management API (accessed via /pages), but that too is giving an “access token is missing required scope” error.

Level 4
May 10, 2026

Hey ​@Meghana_N ,

That CDN product context claim piece is the key insight here, and it explains why even the custom servlet approach hits a wall. The CDN is doing a pre-flight check on the token before the request even reaches AEM, so it doesn’t matter what your servlet does internally; the token gets rejected at the edge.

The scopes you have right now, aem.fragments.management and aem.folders, are tied specifically to the Content Fragment and Folders OpenAPIs. They carry the right product context claim for those endpoints but not for arbitrary /content path access or the Sites Page API, which is why you’re seeing the same 403 across both approaches.

What you actually need is the AEM Sites Content Management API scope added to your Developer Console project. This is a separate API from the CF Management one, and it’s what carries the product context claim the CDN expects for page-level operations. If it’s not showing up as an available API in your project, it may not be enabled for your program yet; worth raising with your AEM CS admin or Adobe support to get it added to your environment’s API allowlist.

The other thing worth trying in the meantime is switching to a Local Development Access Token instead of the Server-to-Server credential for your RDE testing specifically. Local dev tokens bypass the CDN product context check and hit AEM directly, so you can at least validate that your page creation logic works end to end before solving the credential scoping problem for production.

Let me know if the Sites Content Management API shows up in your Developer Console after checking; that should unblock both the Page API and custom servlet routes.