What is OAuth Server-to-Server used for with AEP/CJA?

It enables server-side apps to authenticate to Adobe APIs without user interaction using client credentials.

Where do I find the Client Secret?

In the Adobe Developer Console under OAuth Server-to-Server credentials (Retrieve client secret).

adobe-api-setup

Scanned

npx machina-cli add skill brian-a-au/bau_claude_skills/adobe-api-setup --openclaw

Files (1)

SKILL.md

9.1 KB

Adobe AEP/CJA API Prerequisites

This skill provides guidance on configuring Adobe Experience Platform (AEP) and Customer Journey Analytics (CJA) API access for projects using OAuth Server-to-Server authentication.

When to Use This Skill

Invoke this skill when:

Setting up a new project that integrates with Adobe CJA or AEP APIs
Troubleshooting OAuth authentication failures
Configuring API credentials for the first time
Diagnosing 401/403 permission errors

Prerequisites Checklist

Before using Adobe CJA/AEP APIs, ensure:

Adobe Experience Cloud Access - User account with access to CJA and/or AEP
Adobe Developer Console Access - Permission to create API integrations
System Administrator or Developer Role - Required to create OAuth credentials
Product Profile Access - User must be assigned to appropriate product profiles in Admin Console

Adobe Developer Console Setup

Step 1: Create a Project

Go to Adobe Developer Console
Sign in with your Adobe ID (must have appropriate permissions)
Verify you're in the correct organization (top-right dropdown)
Click "Create new project"
Name the project descriptively (e.g., CJA Integration, AEP Data Pipeline)

Step 2: Add the CJA API

In your project, click "Add API"
Filter by "Adobe Experience Platform" or search for "Customer Journey Analytics"
Select "Customer Journey Analytics"
Click "Next"
Choose "OAuth Server-to-Server" authentication
Click "Next"
Select a product profile that has access to your Data Views
Click "Save configured API"

Step 3: Add the AEP API (Required)

Critical: The Adobe Experience Platform API must be added to your project even if you're only using CJA. This associates your service account with an Experience Platform product profile, which is required for CJA API authentication.

In your project, click "Add API" again
Search for "Experience Platform API" (under Adobe Experience Platform)
Select "Experience Platform API"
Click "Next"
Choose "OAuth Server-to-Server" authentication
Click "Next"
Select a product profile (associates your service account with Experience Platform)
Click "Save configured API"

Step 4: Verify Configuration

Your project should now show two APIs configured:

Customer Journey Analytics
Experience Platform API

Both APIs share the same OAuth credentials (Client ID and Secret).

Required Credentials

Collect these four values from Adobe Developer Console:

Credential	Location	Format Example
Organization ID	Top-right of console, or Project Overview	`ABC123DEF456@AdobeOrg`
Client ID	OAuth Server-to-Server > Credentials	`cm1234567890abcdef...`
Client Secret	Click "Retrieve client secret"	`p8e-XXXXXXXXXXXX...`
Scopes	OAuth Server-to-Server > Scopes	Space-separated scope URIs

Security: Never commit credentials to version control. Use environment variables, secrets managers, or gitignored configuration files.

Configuration Methods

Method 1: Configuration File (config.json)

{
  "org_id": "ABC123DEF456@AdobeOrg",
  "client_id": "1234567890abcdef1234567890abcdef",
  "secret": "p8e-XXX...",
  "scopes": "your_scopes_from_developer_console"
}

Best for: Local development, single organization

Important: Add config.json to .gitignore

Method 2: Environment Variables

export ORG_ID="ABC123DEF456@AdobeOrg"
export CLIENT_ID="1234567890abcdef1234567890abcdef"
export SECRET="p8e-XXX..."
export SCOPES="your_scopes_from_developer_console"

Best for: CI/CD pipelines, Docker containers, cloud deployments

Method 3: .env File

# .env file (requires python-dotenv)
ORG_ID=ABC123DEF456@AdobeOrg
CLIENT_ID=1234567890abcdef1234567890abcdef
SECRET=p8e-XXX...
SCOPES=your_scopes_from_developer_console

Best for: Local development with environment variable pattern

OAuth Scopes

OAuth scopes define what permissions the API client has. Copy the exact scopes string from Adobe Developer Console.

Common Scope Patterns

API	Typical Scopes
CJA Read	`openid, AdobeID, read_organizations, additional_info.projectedProductContext`
CJA + AEP	Above plus AEP-specific scopes from your project

Important: Copy scopes exactly as shown in Developer Console. Incorrect or missing scopes cause invalid_scope or insufficient_scope errors.

Product Profile Requirements

CJA Product Profiles

Users and service accounts need appropriate CJA product profiles:

Profile Type	Permissions
Data View Access	Read access to specific Data Views
Component Access	Access to metrics, dimensions, segments, calculated metrics
Admin	Full access including configuration

AEP Product Profiles

Even for CJA-only projects, an AEP product profile association is required:

Go to Adobe Admin Console
Navigate to Products > Adobe Experience Platform
Select or create a product profile
Ensure your service account (from Developer Console) is assigned

Common OAuth Errors and Solutions

invalid_client

OAuth response: {"error": "invalid_client", "error_description": "..."}

Causes:

Client ID is incorrect
Client Secret is incorrect or expired
Project credentials were regenerated

Solutions:

Verify Client ID matches Developer Console exactly
Re-retrieve Client Secret from Developer Console
Check for copy/paste errors (extra spaces, missing characters)

invalid_scope

OAuth response: {"error": "invalid_scope", "error_description": "..."}

Causes:

Scopes string doesn't match Developer Console
Requested scope not authorized for this client

Solutions:

Copy scopes exactly from Developer Console (OAuth Server-to-Server > Scopes)
Don't modify or add scopes manually

unauthorized_client

OAuth response: {"error": "unauthorized_client", "error_description": "..."}

Causes:

OAuth Server-to-Server not enabled
Incorrect credential configuration

Solutions:

Ensure OAuth Server-to-Server is selected in Developer Console
Verify your project has the correct authentication type configured

403 Forbidden

ERROR - 403 Forbidden
ERROR - Failed to fetch data: 403

Causes:

Service account not assigned to required product profiles
Missing AEP API in project
Insufficient permissions for requested resource

Solutions:

Verify both CJA API and AEP API are added to project
Check product profile assignments in Admin Console
Wait 5-10 minutes after permission changes for propagation

401 Unauthorized

ERROR - 401 Unauthorized
ERROR - Authentication failed

Causes:

Expired or invalid access token
Credentials changed in Developer Console

Solutions:

Verify credentials haven't been regenerated
Check Client Secret is current
Ensure Organization ID is correct

Security Best Practices

Never commit credentials - Add config.json, .env, and credential files to .gitignore
Use environment variables in CI/CD - Inject secrets at runtime
Rotate secrets periodically - Regenerate Client Secret in Developer Console
Principle of least privilege - Use product profiles with minimum required permissions
Audit access - Review API usage in Adobe Developer Console

.gitignore Entries

# Adobe API credentials
config.json
.env

# Credential directories
.cja/
credentials/

Quick Reference

Minimum Configuration

{
  "org_id": "YOUR_ORG_ID@AdobeOrg",
  "client_id": "YOUR_CLIENT_ID",
  "secret": "YOUR_CLIENT_SECRET",
  "scopes": "your_scopes_from_developer_console"
}

Required APIs in Developer Console

Customer Journey Analytics - For CJA Data View access
Experience Platform API - Required for authentication (even for CJA-only projects)

Key URLs

Resource	URL
Adobe Developer Console	https://developer.adobe.com/console/
Adobe Admin Console	https://adminconsole.adobe.com/
CJA API Documentation	https://developer.adobe.com/cja-apis/docs/
AEP API Documentation	https://developer.adobe.com/experience-platform-apis/

Troubleshooting Checklist

When authentication fails, verify:

Organization ID ends with @AdobeOrg
Client ID copied exactly (no extra spaces)
Client Secret is current (not regenerated since last copy)
Scopes copied exactly from Developer Console
Both CJA API and AEP API added to project
OAuth Server-to-Server authentication selected
Service account assigned to product profiles in Admin Console
Product profiles have appropriate permissions
Waited 5-10 minutes after permission changes

Source

git clone https://github.com/brian-a-au/bau_claude_skills/blob/main/skills/adobe-api-setup/SKILL.mdView on GitHub

Overview

A practical guide to configuring Adobe Experience Platform (AEP) and Customer Journey Analytics (CJA) API access using OAuth Server-to-Server authentication. It covers when to set up credentials and how to troubleshoot common OAuth errors (401/403).

How This Skill Works

Follow the Adobe Developer Console workflow to create a project, add CJA and AEP APIs using OAuth Server-to-Server, and configure a shared set of credentials (Client ID, Client Secret, Organization ID, and Scopes). The credentials are then consumed by your applications via a config.json or environment variables.

When to Use It

Setting up a new project that integrates with Adobe CJA or AEP APIs
Troubleshooting OAuth authentication failures
Configuring API credentials for the first time
Diagnosing 401/403 permission errors
Ensuring a service account is linked to the correct product profiles in Admin Console

Quick Start

Step 1: Create a project in the Adobe Developer Console and ensure you have the necessary permissions
Step 2: Add the CJA API with OAuth Server-to-Server and select a product profile, then repeat for the Experience Platform API
Step 3: Retrieve Organization ID, Client ID, Client Secret, and Scopes; choose a configuration method (config.json or environment variables) and implement it

Best Practices

Never commit credentials to version control; use environment variables or secrets managers
Add config.json to .gitignore to prevent accidental exposure
Share the same OAuth credentials across both CJA and AEP APIs to simplify management
Use least-privilege product profiles with only required Data Views access
Document and rotate credentials periodically and revoke unused tokens

Example Use Cases

A data engineer sets up a new CJA integration by creating a project, adding CJA and AEP APIs, and configuring OAuth Server-to-Server credentials
A developer resolves a 401 error by regenerating a Client Secret and updating the config
An admin assigns appropriate product profiles in Admin Console to enable API access for CJA
CI/CD pipelines securely load ORG_ID, CLIENT_ID, SECRET, and SCOPES from environment variables
Two APIs (CJA and Experience Platform) share the same OAuth credentials for seamless authentication

Frequently Asked Questions

Add this skill to your agents

adobe-api-setup

Adobe AEP/CJA API Prerequisites

When to Use This Skill

Prerequisites Checklist

Adobe Developer Console Setup

Step 1: Create a Project

Step 2: Add the CJA API

Step 3: Add the AEP API (Required)

Step 4: Verify Configuration

Required Credentials

Configuration Methods

Method 1: Configuration File (config.json)

Method 2: Environment Variables

Method 3: .env File

OAuth Scopes

Common Scope Patterns

Product Profile Requirements

CJA Product Profiles

AEP Product Profiles

Common OAuth Errors and Solutions

invalid_client

invalid_scope

unauthorized_client

403 Forbidden

401 Unauthorized

Security Best Practices

.gitignore Entries

Quick Reference

Minimum Configuration

Required APIs in Developer Console

Key URLs

Troubleshooting Checklist

Source

Overview

How This Skill Works

When to Use It

Quick Start

Best Practices

Example Use Cases

Frequently Asked Questions

What is OAuth Server-to-Server used for with AEP/CJA?

Where do I find the Client Secret?

Do I need to add the Experience Platform API if I only use CJA?