Generate a JSON Web Token (JWT)

Sitecore Experience Edge for Content Hub uses the OAuth authorization framework for security. OAuth allows one program to authorize another program to make changes on behalf of an account holder or end-user.

To execute any operation in Experience Edge protected APIs, the calling system must first obtain an authentication token (in JWT format) and include it in every request. Following successful authentication, the calling application has access to an access token used to call the protected APIs.


To request an access token, you use a POST request. Using curl, the access-token request has the following form:

curl --request POST --url "<auth_url>/oauth/token" --header "content-type: application/x-www-form-urlencoded" --data grant_type=client_credentials --data client_id=<client_id> --data client_secret=<client_secret> --data audience=https://<audience_domain>/<tenant_id>

The authority URL, <auth_url>, can have one of two values:

  • For all sandbox instances: https://auth-beta.sitecorecloud.io/oauth/token
  • For all other instances: https://auth.sitecorecloud.io/oauth/token

The audience domain, <audience_domain>, can have one of two values:

  • For pre-production: delivery.sitecore-beta.cloud
  • For production: delivery.sitecore.cloud

Other parameters are set as described in the following table.

grant_typeSet this to client_credentials.
client_idThe client ID for your tenant.
client_secretThe client secret for your tenant.
audienceThe audience for your tenant, in the form https://<audience_domain>/<tenant_id>, where <audience_domain> is described above and <tenant_id> is your tenant ID.

Access client ID and client secret

To access the client ID and client secret:

  1. On the menu bar, click Manage .

  2. On the Manage page, click OAuth clients.

  3. On the OAuth clients page, click the client named Delivery. The client ID and client secret are displayed on the View details pane.

Access tenant ID

To access the tenant ID, go to /api/status/license on your Content Hub instance. The tenant ID will be in details.tenant.


Your tenant ID will usually be the same as the name of your Content Hub instance.


In response to the request, you receive the access_token, token_type, and expires_in values. You can pass the retrieved access token as a Bearer token in the authorization header of your HTTP requests.


Pay attention to the expires_in property of the response because JWTs typically expire in 24 hours. After that time, the token is invalid, and you must request a new token.

Can we improve this article ? Provide feedback