AEM Headless authentication in Publish Environment

Forum|Forum|11 months ago
February 5, 2025
5 replies
1517 views

At Present, We use content fragments in AEM and we have multiple team consume CF using assets API.
I noticed that in my environment, the api request to author instance requires authentication whereas request exposed by the publish instance are served without authentication.
I need to expose the api through the dispatcher to internet but I would like to be authentication protected. What does adobe recommended solution for this implementation?

narendragandhi

Community Advisor

Hi @dhinuba

The recommendation is to use the new OpenAPI based apis. Please refer this documentation for the list of available APIs - https://developer.adobe.com/experience-cloud/experience-manager-apis/

This also covers your concern for the authentication. Hope this helps!

Thanks

Narendra

Aditya_Chabuku

Community Advisor

Hi @dhinuba ,

These 3 simple steps would help you to expose API to 3rd party consumers or your SPA FE.

Step 1: Expose API via Dispatcher

Step 2: Require Authentication via OAuth/JWT

Step 3: Implement Token Validation in AEM

Refer these links for more details

https://experienceleague.adobe.com/en/docs/events/adobe-developers-live-recordings/2021/feb2021/api-authentication

Once its all done, You will need to create Content Fragments suitable for API Delivery, Here is the API Schema that helps https://developer.adobe.com/experience-cloud/experience-manager-apis/api/experimental/sites/delivery/

Hope this helps,

Thanks,Aditya Chabuku

D

DhinuBaAuthor

This works fine for author. When it comes to publisher, it works even without authentication. Our use case is, we should not allow to retrieve content without authorization in publisher as well.

kautuk_sahni

Community Manager

@dhinuba Did you find the suggestions helpful? Please let us know if you need more information. If a response worked, kindly mark it as correct for posterity; alternatively, if you found a solution yourself, we’d appreciate it if you could share it with the community. Thank you!

Kautuk Sahni

K

Karthik_2

Hi @dhinuba ,
Did you find any solution for this issue?

D

DhinuBaAuthor

No, Still I am looking for a solution

K

Karthik_2

Checkout this doc, where it says content can be protected using CUGs,
Protected content in AEM Headless | Adobe Experience Manager

AmitVishwakarma

Community Advisor

Hi @dhinuba ,

RECOMMENDED METHOD

Use JWT or OAuth authentication with AEM Publish, combined with Dispatcher filtering and Sling Authentication.

1. Enable Token Authentication on Publish

Use AEM’s Adobe IMS Authentication Handler or Custom JWT/OAuth Token Validator.

Example with JWT-based OAuth:

Configure your JWT Issuer (like Adobe I/O, Auth0, etc.)

Use an Authentication Servlet Filter to validate tokens

Return 401 Unauthorized for invalid tokens

2. Secure the Dispatcher Layer

In your dispatcher/src/conf.dispatcher.d/filters/filters.any, restrict API paths:

/0091 { /type "deny" /url "/content/dam.*" }
/0092 { /type "allow" /url "/api.*" }

Ensure only authorized endpoints are allowed.

3. Set Up CUGs (Closed User Groups) (Optional)

For protecting certain paths:

Create a group with read access

Use CUGs on the Publish instance

Add the group to the CUG on /content/dam or wherever CFs are

4. Use Token-Based Access from Consumers (SPAs, APIs)

Every client consuming the API:

Requests a token (OAuth2, JWT)

Passes it via Authorization: Bearer <token> header

Your custom AEM servlet or filter checks token validity.

Regards,
Amit

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded