Expand my Community achievements bar.

Get ready! An upgraded Experience League Community experience is coming in January.
Learn more
SOLVED

403 Forbidden Error with OAuth Server-to-Server for AEM Assets Author API - Configuration Seems Correct

Avatar

Level 2
Level 2
10/30/25 4:29:28 PM

Hello community,

I’m trying to configure OAuth Server-to-Server authentication to access the AEM Assets Author API, but I’m getting a 403 Forbidden error when making requests. I’ve followed all the configuration steps, but it seems like I’m missing something.

Here’s what I’ve done so far:

  1. Created a project in Adobe Developer Console

    • Added the API: AEM Assets Author API

    • Selected authentication type: OAuth Server-to-Server

    • Configured the credentials correctly

  2. Selected the correct Product Profile:

    • AEM Administrators - author - Program 123456 - Environment 1234567

    • This profile has the following services enabled: AEM Administrators and AEM Assets API

  3. Successfully generated the access token (successful response confirmed).

  4. Made the API request example:

     
    curl -X GET \ 'https://author-p123456-e1234567.adobeaemcloud.com/api/assets/content/dam.json' \ -H 'Authorization: Bearer eyJhbGci...' \ -H 'x-api-key: 504220494ec74541afabd9541f47e2e1' \ -H 'Content-Type: application/json'

The problem:
I’m getting a 403 Forbidden response.

I’d really appreciate any help resolving this issue. I need it to work the same way as the deprecated JWT technical account authentication — for example, to create folders, upload files, delete assets, etc.

Views

780

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee
Employee
10/31/25 8:07:56 AM

Hello @EstebanTr 

The Next *important* step is to enable the ADC Project’s Client ID to communicate with the AEM instance.

>> It is done by defining the API configuration in a YAML file and deploying it using the Config Pipeline in the Cloud Manager.
The YAML file defines the allowed ClientIDs from the ADC Project that can communicate with the AEM instance.

Please follow the "Configure the AEM instance to enable ADC Project communication" Section of the below Documentation :

https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/aem-apis/openapis/...

Since the Client ID has not yet been added to AEM via the Config Pipeline, the API requests are returning 403 Forbidden responses.

View solution in original post

Views

676

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Level 3
Level 3
10/30/25 8:33:07 PM

Hi @EstebanTr 

 

1. Verify the IMS configuration in AEM

Log in to your AEM Author instance and check:

Path:
Tools → Security → Adobe IMS Configurations

  • Ensure your IMS configuration (linked to Adobe Developer Console) is active and associated with your organisation.

  • If it’s not there, create it using the same credentials from the Developer Console project.

2. Map the Service Account to an AEM user

You must map your Adobe IMS technical account (from the server-to-server credential) to an AEM user.

Steps:

  1. Go to:
    Tools → Security → Adobe IMS Technical Account Mappings

  2. Click Create Mapping.

  3. Select your IMS configuration.

  4. Select a local AEM user or group to associate (for example, a custom service user).

  5. Save.

This step ensures that when AEM receives the OAuth token, it knows which AEM user permissions to apply.

3. Verify Product Profile permissions

In Adobe Admin Console → Products → AEM as a Cloud Service,
Open your product profile (AEM Administrators - author - Program 123456 - Environment 1234567):

  • Confirm that the profile has the AEM Assets API service checked.

  • Make sure the environment ID matches the author environment in your API call.

  • If you’re using multiple environments (dev/stage/prod), select the correct one.

4. Validate the API call

Check your curl syntax:

 

 
curl -X GET \ 'https://author-p123456-e1234567.adobeaemcloud.com/api/assets/content/dam.json' \ -H 'Authorization: Bearer <ACCESS_TOKEN>' \ -H 'x-api-key: <CLIENT_ID> ' \ -H 'Content-Type: application/json' 
 

Confirm:

  • The <ACCESS_TOKEN> has not expired (tokens are short-lived — usually 24 hours).

  • The x-api-key matches your Client ID from the Developer Console.

  • The endpoint exists — try /api/assets.json or /content/dam.json depending on your AEM version.

5. Test the token in AEM

You can check if AEM recognizes your token:

  • In AEM Author, go to /system/console/jwt or /system/console/ims (if available).

  • Or try this diagnostic endpoint:

     
    curl -X GET \ 'https://author-p123456-e1234567.adobeaemcloud.com/api/assets' \ -H 'Authorization: Bearer <ACCESS_TOKEN>' \ -H 'x-api-key: <CLIENT_ID>'

    If this also returns 403, the mapping step (Step 2) likely hasn’t been set up.

Views

737

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Employee
Employee
10/31/25 8:07:56 AM

Hello @EstebanTr 

The Next *important* step is to enable the ADC Project’s Client ID to communicate with the AEM instance.

>> It is done by defining the API configuration in a YAML file and deploying it using the Config Pipeline in the Cloud Manager.
The YAML file defines the allowed ClientIDs from the ADC Project that can communicate with the AEM instance.

Please follow the "Configure the AEM instance to enable ADC Project communication" Section of the below Documentation :

https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/aem-apis/openapis/...

Since the Client ID has not yet been added to AEM via the Config Pipeline, the API requests are returning 403 Forbidden responses.

Views

677

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 2
Level 2
10/31/25 1:11:02 PM
In response to muskaanchandwani

Hi,

Thanks! That solved the 403 issue. The api.yaml + Config Pipeline approach worked.

Quick question: Is this Client ID registration via api.yaml mandatory for ALL
AEM Cloud environments, or are there any exceptions? I'm wondering if there are
scenarios (besides RDE with aio CLI) where the OAuth token could work directly
without the Config Pipeline step.

Appreciate your insights!

Views

642

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee
Employee
11/3/25 9:39:05 AM
In response to EstebanTr

Hello @EstebanTr 

Happy to hear that the api.yaml configuration deployment resolved the 403 issue!

Yes, the Client ID registration via api.yaml would be required for all AEMaaCS Environments (Prod/Stage/Dev).
This step authorizes your ADC project to communicate securely with the AEM instance. Without it, AEM will reject API calls even if the access token is valid.

For RDE - configurations (including api.yaml) can be pushed directly using the Adobe I/O CLI instead of deploying through the Config Pipeline.

For all other environments (Development, Stage, Production), the api.yaml must be deployed via the Config Pipeline in Cloud Manager.

https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/operations/confi...

Views

561

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Metadata properties are automatically populated during asset upload.

Views

77

Likes

0

Replies

3
Permission for Pages and Components

Views

59

Likes

0

Replies

2
Does AEM Bulk Import Support Dedicated Egress IP?

Views

69

Likes

0

Replies

1
Console error related to Guide Bridge after AEM LTS upgrade

Views

106

Likes

0

Replies

3
Numerical Selector for Json request is getting 404 Error from Dispatcher Filters

Views

114

Likes

0

Replies

4