AEM Headless authentication in Publish Environment

Level 1

At present, we use content fragments in AEM, and we have multiple teams consuming CFs using the Assets API.
I noticed that in my environment, API requests to the author instance require authentication, whereas requests exposed by the publish instance are served without authentication.
I need to expose the API through the dispatcher to the internet, but I would like it to be authentication protected. What is Adobe's recommended solution for this implementation?

8 Replies

Community Advisor

Hi @DhinuBa

The recommendation is to use the new OpenAPI-based APIs. Please refer to this documentation for the list of available APIs - https://developer.adobe.com/experience-cloud/experience-manager-apis/

This also covers your concern about authentication. Hope this helps!

Thanks

Narendra

Community Advisor

Hi @DhinuBa,

These 3 simple steps would help you to expose the API to 3rd-party consumers or your SPA FE.

Step 1: Expose API via Dispatcher

Step 2: Require Authentication via OAuth/JWT

Step 3: Implement Token Validation in AEM

Refer to these links for more details:

https://experienceleague.adobe.com/en/docs/events/adobe-developers-live-recordings/2021/feb2021/api-...

Once it's all done, you will need to create Content Fragments suitable for API delivery. Here is the API schema that helps: https://developer.adobe.com/experience-cloud/experience-manager-apis/api/experimental/sites/delivery...

Hope this helps,

Thanks,

Aditya Chabuku

Level 1

This works fine for author. When it comes to publisher, it works even without authentication. Our use case is that we should not allow content to be retrieved without authorization on the publisher either.

Administrator

@DhinuBa Did you find the suggestions helpful? Please let us know if you need more information. If a response worked, kindly mark it as correct for posterity; alternatively, if you found a solution yourself, we’d appreciate it if you could share it with the community. Thank you!



Kautuk Sahni

Level 1

Hi @DhinuBa ,
Did you find any solution for this issue?

Level 1

No, I am still looking for a solution.

Level 1

Check out this doc, where it says content can be protected using CUGs:
Protected content in AEM Headless | Adobe Experience Manager

Community Advisor

Hi @DhinuBa ,

RECOMMENDED METHOD

Use JWT or OAuth authentication with AEM Publish, combined with Dispatcher filtering and Sling Authentication.

1. Enable Token Authentication on Publish

Use AEM’s Adobe IMS Authentication Handler or Custom JWT/OAuth Token Validator.

Example with JWT-based OAuth:

Configure your JWT Issuer (like Adobe I/O, Auth0, etc.)

Use an Authentication Servlet Filter to validate tokens

Return 401 Unauthorized for invalid tokens

2. Secure the Dispatcher Layer

In your dispatcher/src/conf.dispatcher.d/filters/filters.any, restrict API paths:

/0091 { /type "deny" /url "/content/dam.*" }
/0092 { /type "allow" /url "/api.*" }

Ensure only authorized endpoints are allowed.

3. Set Up CUGs (Closed User Groups) (Optional)

For protecting certain paths:

Create a group with read access

Use CUGs on the Publish instance

Add the group to the CUG on /content/dam or wherever CFs are

 

4. Use Token-Based Access from Consumers (SPAs, APIs)

Every client consuming the API:

Requests a token (OAuth2, JWT)

Passes it via Authorization: Bearer <token> header

Your custom AEM servlet or filter checks token validity.


Regards,
Amit
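
The token check described in steps 1 and 4 of the reply above, as an added example that is not code from the thread or from Adobe. It assumes the javax.servlet API, OSGi DS annotations and the auth0 java-jwt library are available to the bundle; the class name, the `/api/` pattern, the issuer and audience values, and the `API_JWT_SECRET` environment variable are hypothetical.

```java
// Added example; class name, issuer, audience and env var are hypothetical.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.component.annotations.Component;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;

@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        "sling.filter.pattern=/api/.*" // assumed to match the path the Dispatcher allows
})
public class BearerTokenFilter implements Filter {
    private volatile JWTVerifier verifier; // stays null if misconfigured: every request gets 401

    @Override
    public void init(FilterConfig config) {
        String secret = System.getenv("API_JWT_SECRET"); // assumed shared HS256 key
        if (secret == null || secret.length() < 32) return;
        verifier = JWT.require(Algorithm.HMAC256(secret)) // pins HS256; other algs are rejected
                .withIssuer("https://issuer.example")
                .withAudience("aem-publish-api")
                .withClaimPresence("exp") // token must carry an expiry
                .build();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String header = ((HttpServletRequest) req).getHeader("Authorization");
        boolean bearer = header != null && header.regionMatches(true, 0, "Bearer ", 0, 7);
        try {
            if (verifier == null || !bearer) throw new JWTVerificationException("no usable token");
            verifier.verify(header.substring(7).trim()); // signature, exp, iss, aud
        } catch (JWTVerificationException e) {
            HttpServletResponse response = (HttpServletResponse) res;
            response.setHeader("WWW-Authenticate", "Bearer");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

For an issuer that signs with RS256, build the verifier with `Algorithm.RSA256` and the issuer's public key instead of the shared secret.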