Migrating to OAuth Server-to-Server Credentials

The developer account credentials are used with custom applications, such as the User Sync Tool, created using the Developer Console. Under the current JWT model, certificates must be updated regularly. Adobe is moving to the OAuth model, which won't require these updates, and will facilitate more security features, such as automated credential cycling.

With this coming change, which is a server-to-server option, custom applications using JWT certificates don't have to re-create the certificate in the Developer Console.

Note:

As per the official documentation, all JWT integrations will continue to work until 1 January 2025. In addition, the console will continue to support the creation of new JWT integrations until May 1, 2024.

No immediate action is required. The 18-month timeline is as follows:

MAY 1, 2023 - APR 30, 2024

  Existing applications using a Service Account (JWT) credential: Existing applications using the Service Account (JWT) credential will continue to work.

  New applications creating a Service Account (JWT) credential: A new Service Account (JWT) credential can be added to the project.

MAY 1, 2024 - DEC 31, 2024

  Existing applications using a Service Account (JWT) credential: Existing applications using the Service Account (JWT) credential will continue to work.

  New applications creating a Service Account (JWT) credential: A new Service Account (JWT) credential can't be created or added to the project.

JAN 1, 2025 (END OF LIFE)

  Existing applications using a Service Account (JWT) credential: Existing applications cannot refresh expiring certificates after Jan 1, 2025, and will stop working.

  New applications creating a Service Account (JWT) credential: A new Service Account (JWT) credential can't be created or added to the project.

OAuth2 data flow

The OAuth 2.0 credentials flow permits an application or API Client to use its own credentials instead of impersonating a user to authenticate when calling the Adobe APIs. The value of this is that when the developer leaves the organization, the application or integration will continue to work.

The Application/API-Client authenticates with the Adobe Identity Management Services (IMS) using a specific ClientID and Client Secret. Once the client is authenticated, the Adobe IMS Services return a bearer token, which the client can then use to access the Adobe API. This type of data flow is commonly used for server-to-server interactions that must run in the background without immediate interaction with a user. Such clients are often referred to as daemons or service accounts.

Here's how the credential flow works:

A chart showing the credential flow

  1. Application sends the application’s credentials to the Adobe IMS Authorization Server.

  2. Adobe IMS Authorization Server validates the application’s credentials.

  3. Adobe IMS Authorization Server responds with an access/bearer token.

  4. The application uses the OAuth2 bearer token to call the Adobe API on behalf of itself.

  5. Adobe API responds with requested data.
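
The five steps above as an added Python example (not Adobe's code and not part of the original page): a client that requests a bearer token with the client credentials grant, caches it, and requests a new one shortly before it expires. TOKEN_URL and SCOPES are placeholders to be replaced with the values from your Developer Console project; ServiceTokenClient and http_post_form are hypothetical names, and expires_in is assumed to be in seconds as in RFC 6749.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholders (assumptions): take the real token endpoint and scopes
# from your project in the Developer Console.
TOKEN_URL = "https://ims.example.invalid/token"
SCOPES = "example_scope"


def http_post_form(url, fields):
    """Steps 1-3: POST the credentials as a form body, return the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ServiceTokenClient:
    """Caches the bearer token and requests a new one shortly before expiry."""

    def __init__(self, client_id, client_secret, post=http_post_form, clock=time.time):
        self._id, self._secret = client_id, client_secret
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def __repr__(self):  # keep the secret out of logs and tracebacks
        return f"ServiceTokenClient(client_id={self._id!r}, client_secret=<redacted>)"

    def token(self, skew=60):
        """Return a cached token, refreshing it `skew` seconds before expiry."""
        if self._token is None or self._clock() >= self._expires_at - skew:
            reply = self._post(TOKEN_URL, {
                "grant_type": "client_credentials",  # RFC 6749, section 4.4
                "client_id": self._id,
                "client_secret": self._secret,
                "scope": SCOPES,
            })
            if "access_token" not in reply:
                raise RuntimeError(f"token request failed: {reply.get('error', 'unknown')}")
            self._token = reply["access_token"]
            self._expires_at = self._clock() + float(reply.get("expires_in", 0))
        return self._token

    def auth_headers(self):
        """Step 4: header the application attaches to each API call."""
        return {"Authorization": f"Bearer {self.token()}"}
```

Load the Client Secret from a secret store or environment variable at start-up rather than from source control, so that rotating the credential does not require a code change.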

Applications and services to be migrated

Before migrating, ensure that your applications will support the new OAuth model. The User Sync Tool is the most common application currently supporting JWT that must be migrated. OAuth Server-to-Server will be supported in the next UST release (v2.9.0).

Other applications and services supporting JWT that will be migrated are:

  PDF Services API
  I/O Management API
  AEM Brand Portal
  Content Tagging - Creative Cloud Automation Services
  User Management API
  Auto Crop
  Content AI (Beta)
  Photoshop - Creative Cloud Automation Services
  Adobe Target
  Auto Tag
  Cloud Manager
  Lightroom - Creative Cloud Automation Services
  Adobe Campaign
  Body Crop
  Automated Forms Conversion
  Adobe Photoshop API
  Experience Platform API
  Color Swatch
  Admin SDK - Insights API
  Customer Journey Analytics
  Smart Content
  Image Cutout
  Asset Compute
  3D Automation - 3D&AR Services
  Adobe Stock
  Image Quality
  Commerce Partner API
  Adobe Acrobat Sign
  I/O Events
  Privacy Service API
  Audience Manager API
  Primetime Ad Insertion
  Experience Platform Launch API
  Places
  Journey Orchestration
  Experience Cloud Setup Automation
  Adobe Analytics
  Task Queue Manager
  Remove Background - Creative Cloud Automation Services
  Adobe Journey Optimizer
  Assurance API
  Adobe Status API
  AEM Forms - Communications
  Adobe I/O Events for Adobe Commerce

Additional questions may be answered in the Developer Forums.

Again, nothing needs to be done today. You have until May 1, 2024, before new applications will be required to use the OAuth model, so it is best to start your migration when it is convenient for your development timeline.
