403 Forbidden Error with OAuth Server-to-Server for AEM Assets Author API - Configuration Seems Correct | Community
Skip to main content
E
EstebanTr
Level 2
October 30, 2025
Solved

403 Forbidden Error with OAuth Server-to-Server for AEM Assets Author API - Configuration Seems Correct

  • October 30, 2025
  • 2 replies
  • 555 views

Hello community,

I’m trying to configure OAuth Server-to-Server authentication to access the AEM Assets Author API, but I’m getting a 403 Forbidden error when making requests. I’ve followed all the configuration steps, but it seems like I’m missing something.

Here’s what I’ve done so far:

  1. Created a project in Adobe Developer Console

    • Added the API: AEM Assets Author API

    • Selected authentication type: OAuth Server-to-Server

    • Configured the credentials correctly

  2. Selected the correct Product Profile:

    • AEM Administrators - author - Program 123456 - Environment 1234567

    • This profile has the following services enabled: AEM Administrators and AEM Assets API

  3. Successfully generated the access token (successful response confirmed).

  4. Made the API request example:

     
    curl -X GET \ 'https://author-p123456-e1234567.adobeaemcloud.com/api/assets/content/dam.json' \ -H 'Authorization: Bearer eyJhbGci...' \ -H 'x-api-key: 504220494ec74541afabd9541f47e2e1' \ -H 'Content-Type: application/json'

The problem:
I’m getting a 403 Forbidden response.

I’d really appreciate any help resolving this issue. I need it to work the same way as the deprecated JWT technical account authentication — for example, to create folders, upload files, delete assets, etc.

Best answer by muskaanchandwani

Hello @estebantr 

The Next *important* step is to enable the ADC Project’s Client ID to communicate with the AEM instance.

>> It is done by defining the API configuration in a YAML file and deploying it using the Config Pipeline in the Cloud Manager.
The YAML file defines the allowed ClientIDs from the ADC Project that can communicate with the AEM instance.

Please follow the "Configure the AEM instance to enable ADC Project communication" Section of the below Documentation :

https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/aem-apis/openapis/setup#configure-aem-instance

Since the Client ID has not yet been added to AEM via the Config Pipeline, the API requests are returning 403 Forbidden responses.

2 replies

Syed_Shaik
Syed_Shaik
Level 3
October 31, 2025

Hi @estebantr 

 

1. Verify the IMS configuration in AEM

Log in to your AEM Author instance and check:

Path:
Tools → Security → Adobe IMS Configurations

  • Ensure your IMS configuration (linked to Adobe Developer Console) is active and associated with your organisation.

  • If it’s not there, create it using the same credentials from the Developer Console project.

2. Map the Service Account to an AEM user

You must map your Adobe IMS technical account (from the server-to-server credential) to an AEM user.

Steps:

  1. Go to:
    Tools → Security → Adobe IMS Technical Account Mappings

  2. Click Create Mapping.

  3. Select your IMS configuration.

  4. Select a local AEM user or group to associate (for example, a custom service user).

  5. Save.

This step ensures that when AEM receives the OAuth token, it knows which AEM user permissions to apply.

3. Verify Product Profile permissions

In Adobe Admin Console → Products → AEM as a Cloud Service,
Open your product profile (AEM Administrators - author - Program 123456 - Environment 1234567):

  • Confirm that the profile has the AEM Assets API service checked.

  • Make sure the environment ID matches the author environment in your API call.

  • If you’re using multiple environments (dev/stage/prod), select the correct one.

4. Validate the API call

Check your curl syntax:

 

 
curl -X GET \ 'https://author-p123456-e1234567.adobeaemcloud.com/api/assets/content/dam.json' \ -H 'Authorization: Bearer <ACCESS_TOKEN>' \ -H 'x-api-key: <CLIENT_ID> ' \ -H 'Content-Type: application/json' 
 

✅ Confirm:

  • The <ACCESS_TOKEN> has not expired (tokens are short-lived — usually 24 hours).

  • The x-api-key matches your Client ID from the Developer Console.

  • The endpoint exists — try /api/assets.json or /content/dam.json depending on your AEM version.

5. Test the token in AEM

You can check if AEM recognizes your token:

  • In AEM Author, go to /system/console/jwt or /system/console/ims (if available).

  • Or try this diagnostic endpoint:

     
    curl -X GET \ 'https://author-p123456-e1234567.adobeaemcloud.com/api/assets' \ -H 'Authorization: Bearer <ACCESS_TOKEN>' \ -H 'x-api-key: <CLIENT_ID>'

    If this also returns 403, the mapping step (Step 2) likely hasn’t been set up.

    muskaanchandwani
    Adobe Employee
    muskaanchandwaniAdobe EmployeeAccepted solution
    Adobe Employee
    October 31, 2025

    Hello @estebantr 

    The Next *important* step is to enable the ADC Project’s Client ID to communicate with the AEM instance.

    >> It is done by defining the API configuration in a YAML file and deploying it using the Config Pipeline in the Cloud Manager.
    The YAML file defines the allowed ClientIDs from the ADC Project that can communicate with the AEM instance.

    Please follow the "Configure the AEM instance to enable ADC Project communication" Section of the below Documentation :

    https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/aem-apis/openapis/setup#configure-aem-instance

    Since the Client ID has not yet been added to AEM via the Config Pipeline, the API requests are returning 403 Forbidden responses.

      E
      EstebanTrAuthor
      Level 2
      October 31, 2025

      Hi,

      Thanks! That solved the 403 issue. The api.yaml + Config Pipeline approach worked.

      Quick question: Is this Client ID registration via api.yaml mandatory for ALL
      AEM Cloud environments, or are there any exceptions? I'm wondering if there are
      scenarios (besides RDE with aio CLI) where the OAuth token could work directly
      without the Config Pipeline step.

      Appreciate your insights!

      muskaanchandwani
      Adobe Employee
      muskaanchandwaniAdobe Employee
      Adobe Employee
      November 3, 2025

      Hello @estebantr 

      Happy to hear that the api.yaml configuration deployment resolved the 403 issue!

      Yes, the Client ID registration via api.yaml would be required for all AEMaaCS Environments (Prod/Stage/Dev).
      This step authorizes your ADC project to communicate securely with the AEM instance. Without it, AEM will reject API calls even if the access token is valid.

      For RDE - configurations (including api.yaml) can be pushed directly using the Adobe I/O CLI instead of deploying through the Config Pipeline.

      For all other environments (Development, Stage, Production), the api.yaml must be deployed via the Config Pipeline in Cloud Manager.

      https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/operations/config-pipeline#overview

        Terms & ConditionsAccessibility statement

        Loading footer...