User Authentication Credentials API Reference
Following is an API reference for Adobe Identity Management Services (IMS) APIs.
On this page:
This API allows you to view information about Adobe's OpenID configuration.
curl -X GET 'https://ims-na1.adobelogin.com/ims/.well-known/openid-configuration'
{
"issuer": "https://ims-na1.adobelogin.com",
"authorization_endpoint": "https://ims-na1.adobelogin.com/ims/authorize/v2",
"token_endpoint": "https://ims-na1.adobelogin.com/ims/token/v3",
"userinfo_endpoint": "https://ims-na1.adobelogin.com/ims/userinfo/v2",
"revocation_endpoint": "https://ims-na1.adobelogin.com/ims/revoke",
"jwks_uri": "https://ims-na1.adobelogin.com/ims/keys",
"response_types_supported": [
"code",
"token",
"id_token",
"id_token token",
"code id_token"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"claims_supported": [
"sub",
"given_name",
"family_name",
"name",
"email",
"email_verified",
"address"
],
"grant_types_supported": [
"authorization_code",
"implicit_grant",
"refresh_token"
]
}
This API allows you to retrieve the keys with which the ID Tokens are signed.
curl -X GET 'https://ims-na1.adobelogin.com/ims/keys'
{
"keys": [
{
"alg": "RS256",
"kty": "RSA",
"use": "sig",
"kid": "ims",
"e": "AQAB",
"n": "gBI3r_iauYJrKOTpEsFLeQ4TFktfzmNa30BK_84uh8mZ9N1NJ8VjOlwH9SzPD_gIpELaAaf2n7GeKN8kWYGtex6uCmz5iZZ3eDzryvTfvj3MwQx_XbGloz4QKQXSlCwADlOXP3-EhMqOVr3tVqQe0uX_TPn1F_b9yIONXAX1GwWTFb9UqNjjpFNOxuKJaAh6uod7Y9kmzw0GE4GvMs6AIjitxLNLlpeC8J3vyA0l4UWVJR9lwLjS1O0Lk07IfjAMMes6fonQ5AtzYewIOk4UdNCgb_XKpqLgYY_9J9nfIuBGVY-W7ZfHhXjA1AixQw6A4XoreGr5AnF5WMwd6DA7vw"
},
{
"alg": "RS256",
"kty": "RSA",
"use": "sig",
"kid": "ims_na1-key-1",
"e": "AQAB",
"n": "q2y0X2R0db3z6yUHWjnd3qppszntWcoel3WURBYekEcadjfxDFAWrAHX8OoceddD6n-qC_2b2GVJny45qKmhq8KFvVOUCMgUUY_ErnvrZXQl0r3USDpf5rxNOQuqxBl532Z9H17k2K_VdT5BL8xwYFYpKtOc-Vgi6Gz2KnhSXlOYBQW9PII2pGsCL4_uwIl32nibGnEDgJfnja01N-hUaLJikvR1OQuYPNaww6JcFQ_Z-_Jt4ec4YYOnrqOs7H7oE-hotwe57o5FxJlqPCccirysqlA7QU4lQxGw8qlIoU3S0WAzLqaxBOgiDET6sK_QVdq6A2TDo1NNY9ktzeW2ow"
}
]
}
This API allows you to fetch information about a user.
| Parameter | Mandatory | Description |
|---|---|---|
client_id | No | Your client ID |
ACCESS_TOKEN | Yes | An access token obtained by your application on behalf of the user |
curl -X GET 'https://ims-na1.adobelogin.com/ims/userinfo/v2?client_id={YOUR_CLIENT_ID}' \
-H 'Authorization: Bearer {ACCESS_TOKEN}'
{
"sub": "B0DC108C5CD449CA0A494133@c62f24cc5b5b7e0e0a494004",
"account_type": "ent",
"email_verified": true,
"address": {
"country": "US"
},
"name": "John Sample",
"given_name": "John",
"family_name": "Sample",
"email": "jsample@email.com"
}
| Properties | Projected by scope | Description |
|---|---|---|
sub | openid | The user ID |
account_type | profile | Can be one of two values:ind: User is an individual account ent: User is part of an organization |
email_verified | email | Whether the user's email address has been verified |
address | address | User's address - currently, only the two-digit country code is returned |
name | profile | User's full name |
given_name | profile | User's given name |
family_name | profile | User's family name or last name |
email | email | User's email address |
To fetch the keys with which the ID Tokens are signed see ID Token Keys.
Once a user lands on your application to initiate the OAuth authentication flow, your application should redirect the user to an Adobe IMS URL. While the URL endpoint is common, the query parameters would be specific to your application.
Read along to find out more about constructing the full authorize URL with values for the different query parameters.
Several query parameters are available to you as a developer to customize the user experience for your application. Some of the query parameters are mandatory, and others optional. Using the parameters outlined in the table below, you can construct the authorize URL for your application.
| Parameter | Mandatory | Description |
|---|---|---|
client_id | Yes | The client ID obtained from Adobe Developer Console. |
redirect_uri | No | The URI to which the user agent is redirected once the authorization completes. Note that this URI must be HTTPS. The supplied value for this parameter is validated against the Redirect URI pattern supplied by you at the time of credential creation . If a redirect URI is not provided with the request or if it does not match against the pattern, Adobe will redirect the response to the Default Redirect URI supplied by you at the time of credential creation. |
scope | No | The requested scopes in the form of a list of space or comma-delimited, case-sensitive strings. See the section on OAuth 2.0 Scopes for more information. |
response_type | No | Possible values are code, token, id_token, id_token token, code id_token. The default response type for the Authorization code flow is code. |
state | Recommended | Client-defined state data that is replayed back to the client. It must not be longer than 4096 characters and does not need to be a JSON object. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie. |
nonce | No | String value used to associate a Client session with an ID Token and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. |
prompt | No | Space-delimited, case-sensitive list of ASCII string values that specifies whether Adobe prompts the end-user for authentication or fails the authorize step if user is not authenticated. Supported values: none, login.none → Does not show any UI. Either returns successfully with a valid authentication response or returns with an error.error=login_required → No user is logged in.error=consent_required → User is Logged in, but has not granted access to your app.error=interaction_required → User is logged in and has granted access to your app, but there is some other action they need to perform (Accept terms of use, etc.).login → Even if the user is authenticated, they will see the login screen.No value supplied → Default behavior. |
code_challenge_method | No, defaults to plain | Possible values: S256, plain |
code_challenge | Required for Public Clients | The code_challenge parameter is a security measure to confirm whether the authorize and token requests originated from the same application.A code_challenge comes in pair with a code_verifier. A code_verifier is a random string of at least 43 characters (see allowed character set).Based on the code_challenge_method, the code_challenge can then be according to - If code_challenge_method = plain, then code_challenge = code_verifierIf code_challenge_method = S256, then code_challenge = BASE64_URL_ENCODE(SHA256(code_verifier)) The code_challenge is sent with the authorize request, while the corresponding code_verifier is sent with the token request. For more information, read the Proof Key for Code Exchange by OAuth Public Clients documentation. You can use online tools to experiment with code_challenge and code_verifier. |
response_mode | No | Possible values: query, fragment. For more information, refer to this openid documentation.If response_mode is not specified, the following defaults are applied:code → querytoken → fragmentid_token → fragmentid_token token → fragmentcode id_token → fragment |
Note: The request URL has been split into multiple lines for readability. A complete request path includes multiple parameters separated by an ampersand (&) with no spaces or line breaks.
https://ims-na1.adobelogin.com/ims/authorize/v2
?client_id={CLIENT_ID}
&redirect_uri={REDIRECT_URI}
&scope={SCOPES}
&state={STATE}
&response_type=code
https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=202b135c20864fbfb26a46522aa2433b&redirect_uri=https://www.myapp.com/OAuth/callback&scope=openid,creative_sdk&state=90cff02f-da33-46ec-985c-1f5cf2f9644a&response_type=code
Note: Ensure that you are using the latest version (v2) of the /authorize endpoint.
Note: The request URL has been split onto multiple lines for readability. A complete request path includes multiple parameters separated by an ampersand (&) with no spaces or line breaks.
https://ims-na1.adobelogin.com/ims/authorize/v2
?client_id={CLIENT_ID}
&code_challenge={CODE_CHALLENGE}
&code_challenge_method=S256
&redirect_uri={REDIRECT_URI}
&scope={SCOPES}
&state={STATE}
&response_type=code
https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=135c20864fbfb26a46522aa2433b&code_challenge=c9vBtg5G7DupTxSYODrpd2LpBeECiSTTQtQclGNMklM&code_challenge_method=S256&redirect_uri=https://www.myapp.com/OAuth/callback&scope=openid,creative_sdk&state=90cff02f-da33-46ec-985c-1f5cf2f9644a&response_type=code
Note: Ensure that you are using the latest version (v2) of the /authorize endpoint.
After the user has authenticated and been granted consent to your application, the user agent will be redirected to {YOUR_REDIRECT_URI} with parameters determined by the response_type sent in the request.
Response Type (response_type) | Parameters |
|---|---|
token | access_token={ACCESS_TOKEN}&state={STATE}&token_type=bearer&expires_in=86399 token_type will always be bearer.expires_in is the validity of the token in seconds. |
code | code={AUTHORIZATION_CODE}&state={STATE} |
id_token | id_token={ID_TOKEN}&state={STATE} |
id_token token | id_token={ID_TOKEN}&access_token={ACCESS_TOKEN}&state={STATE}&token_type=bearer&expires_in=86399 |
code id_token | id_token={ID_TOKEN}&code={AUTHORIZATION_CODE}&state={STATE} |
The parameters will be in the query or the fragment, according to the response_mode parameter included in the request. If a response_mode is not specified, the default values are used as shown in the Authorization parameters table.
Once the user grants access to your application your application can fetch access tokens by using the tokens API.
Parameters can be sent in the body or as query parameters. Passing parameters in the body is recommended for sensitive data, as query parameters may be logged by app servers.
| Parameter | Mandatory | Description |
|---|---|---|
code | Yes | The value of the code query/fragment parameter returned in the callback request from the autorize step |
grant_type | Yes | Value should always be authorization_code |
authorization | Required for confidential clients | Basic Authorization header.Authorization: Basic Base64(clientId:clientSecret) |
client_id | Required for PUBLIC clients | The Client ID obtained from the Adobe Developer Console |
code_verifier | Required for PUBLIC clients | Code verifier corresponding to the code_challenge sent during authorize request. |
curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3' \
-H 'Authorization: Basic {AUTHORIZATION}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'code={AUTHORIZATION_CODE}&grant_type=authorization_code'
curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3?client_id={CLIENT_ID}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'code={AUTHORIZATION_CODE}&grant_type=authorization_code&code_verifier={CODE_VERIFIER}'
{
"access_token": "{ACCESS_TOKEN}",
"refresh_token": "{REFRESH_TOKEN}",
"sub": "B0DC108C5CD449CA0A494133@c62f24cc5b5b7e0e0a494004",
"id_token": "{ID_TOKEN}",
"token_type": "bearer",
"expires_in": 86399
}
Note: The refresh token is only present if the offline_access scope is requested in the authorize step and subsequently consented to by the user.
| Property | Description |
|---|---|
access_token | Generated access token. By default they expire in 24 hours. |
refresh_token | Generated refresh token. By default they expire in 14 days. |
token_type | Token type will always be bearer. |
id_token | Generated ID token.Present if openid is added as scope. See the section on OAuth 2.0 Scopesfor more information. |
expires_in | Validity of access token in seconds. |
Once you have fetched the access tokens for a user you may also be provided a refresh token in the response. A refresh token is only presented when the offline_access scope is requested in the authorize step. Please note that not all APIs and Services support the offline_access scope for security reasons.
| Parameter | Mandatory | Description |
|---|---|---|
refresh_token | Yes | The base64-encoded refresh token received in the response to the initial request for an access token |
grant_type | Yes | The value is always refresh_token |
client_id | Only for PUBLIC clients | The client ID obtained from Adobe Developer Console |
authorization | Only for Confidential clients | Basic Authorization header.Authorization: Basic Base64(clientId:clientSecret) |
curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3' \
-H 'Authorization: Basic {AUTHORIZATION}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token&refresh_token={REFRESH_TOKEN}'
curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3?client_id={CLIENT_ID}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token&refresh_token={REFRESH_TOKEN}'
{
"access_token": "{ACCESS_TOKEN}",
"refresh_token": "{REFRESH_TOKEN}",
"token_type": "bearer",
"expires_in": 86399
}
| Property | Description |
|---|---|
access_token | Generated access token |
refresh_token | Generated refresh token.offline_access scope is needed for this to be returned. See the section on OAuth 2.0 Scopes for more information. |
token_type | Token type will always be bearer. |
expires_in | Validity of access token in seconds. |
Use this API to revoke an access token or refresh token.
Note: Users can also revoke your application's access to their data by visiting the Connected Applications page on their Adobe account. In case a user revokes access to your application and then visits your application - the authorization workflow will prompt the user for their consent again.
Parameters can be sent in the body or as query parameters. Passing parameters in the body is recommended for sensitive data, as query parameters may be logged by app servers.
| Parameter | Mandatory | Description |
|---|---|---|
AUTHORIZATION | Required only for OAuth Web and OAuth WebApp type credentials | Basic Authorization header.Authorization: Basic Base64(clientId:clientSecret) |
client_id | Required only for OAuth Android, OAuth iOS, OAuth Single Page App and OAuth Native App credentials | Your client id |
token | Yes | The access token or refresh token to be invalidated |
curl -X POST 'https://ims-na1.adobelogin.com/ims/revoke' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Basic {AUTHORIZATION}' \
-d 'token={TOKEN}'
curl -X POST 'https://ims-na1.adobelogin.com/ims/revoke?client_id={CLIENT_ID}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'token={TOKEN}'
A successful response returns HTTP Status 200 (OK) and no response body.
| Scope | Consent description | Details |
|---|---|---|
openid | Can access user account and read a unique identifier | Mandatory scope to enable authorization flows. |
email | Can read user email address | Returns email and email_verified claims. |
address | Can read user postal address | Returns address claim. Currently this contains only the country code. |
profile | Can read basic user profile, including information like name | Returns name, family_name, given_name, account_type claims. |
offline_access | The app can access the data user has given permission to, even when user is not using the app | Allows the return of a refresh token. |
Scopes for Creative Cloud user authentication based APIs
| APIs | Scopes |
|---|---|
| Adobe Stock | openid |
| Creative SDK | openid,creative_sdk |
| Photoshop | openid,creative_sdk |
| Lightroom | openid,creative_sdk |
Scopes for Experience Cloud user authentication based APIs
| APIs | Scopes |
|---|---|
| Adobe Analytics | openid, AdobeID, read_organizations, additional_info.projectedProductContext, additional_info.job_function |