Setting up Access
Before you can access the User Management API, you must use the Adobe Developer Portal to obtain access credentials by creating a new Integration. To do this, you must sign in as a user with administrative privilege for your organization. Use the Admin Console to grant administrative privilege to users.
- Create or purchase at least one valid digital signing certificate. For more information about certificates, see Certificates for Secure API Access.
- Sign in to Developer Portal as the admin user and create a new Integration. As part of this process, you upload at least one certificate. You can associate more than one certificate with your Integration.
To begin each access session, you will use the Integration's client credentials to create a JSON Web Token (JWT) including the API key, secret and technical Account ID. You must sign the JWT with the private key of a certificate associated with your Integration so that Adobe can verify it. Your programs or scripts will use the JWT to obtain the access token that you must pass to every user management API call in the Authorization: Bearer header. An access token expires after 24 hours. This type of token cannot be refreshed. For complete details of this exchange, see Access API for User Management.
Step 1: Create a Certificate
The certificate creation process produces both a public key and a private key. Adobe uses the public key to verify request credentials that you have signed with your private key.
- Create or purchase a valid digital signing certificate. You can purchase one from a vendor, or create your own using OpenSSL in macOS, or Cygwin in Windows, which includes OpenSSL. See Creating a Self-signed Certificate.
- Submit the certificate file containing the public key to Adobe as part of creating your Integration.
- Retain the private key securely. It cannot be recovered or replaced. If you lose it or it is compromised, you must delete the corresponding certificate from your Integration. If necessary, you must create and upload a new certificate. Your Integration must be associated with at least one valid certificate.
Step 2: Configure a New Integration
Each application is an API client and requires a unique API key. To generate an API key, you create a new Integration. Note that in this context, an "application" is a script or service call from an administrative application, not an end-user mobile or web app. You might need only one such script or application for user management, but you could create more than one in order to track usage by application, or to disable one application without disabling others.
- Log in to the Developer Portal (https://www.adobe.io/console) as an Adobe user who has been assigned administrative privilege for your organization.
- Click "+ New Integration". The Configure Your New Integration page appears.
On this page:
- Enter an Integration Name and Description. If you have multiple applications, you can use these values to keep track of which credentials go with which applications.
- Upload at least one certificate that you have created or purchased. You can edit the Integration later to add more certificates, or remove a certificate.
- Complete the Captcha Verification.
- When you click Next, the Integration Details page is displayed.
Your Integration contains your generated credentials, which you use to uniquely identify your API client in all of your requests.
The generated client credentials (including the API key) are listed in the Technical Info section.
Step 3: Secure your Client Credentials
You are responsible for saving all credential values and keeping them in a secure location. You must protect them at least as well as you would protect an account name and password. The best practice is to store the key file in a credential management system or to use file system protections so that it can be accessed only by authorized users.
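One way to check the file system protection described above before a script loads the private key. This is an added example, not Adobe's code; it assumes a POSIX file system and a PEM key file, and the function names and the file name private.key are hypothetical.

```python
import os
import stat
import tempfile

def audit_key_file(path):
    """Return findings for a private key file; an empty list means none."""
    findings = []
    st = os.lstat(path)  # lstat inspects the path itself, not a symlink target
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink, directory or device)"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access; use 0600")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        findings.append("file is not owned by the current user")
    # A writable parent directory lets other users replace the key file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if stat.S_IMODE(parent.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory is group- or world-writable")
    with open(path, "rb") as fh:
        head = fh.read(4096)
    # Both PEM encryption styles carry the word ENCRYPTED near the top.
    if b"PRIVATE KEY-----" in head and b"ENCRYPTED" not in head:
        findings.append("PEM key is not passphrase-encrypted")
    return findings

def demo():
    """Audit a constructed placeholder key at mode 0644, then at 0600."""
    workdir = tempfile.mkdtemp()  # mkdtemp creates the directory as 0700
    key = os.path.join(workdir, "private.key")  # hypothetical file name
    with open(key, "w") as fh:
        # Constructed sample: a PEM header only, not a real key.
        fh.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\n(placeholder)\n")
    os.chmod(key, 0o644)
    loose = audit_key_file(key)
    os.chmod(key, 0o600)
    tight = audit_key_file(key)
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result or "no findings")
```

A script can refuse to start when the returned list is not empty, so a key copied with loose permissions is caught before it is used to sign a JWT.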
Use your client credentials (the API key and secret, technical account ID, and organization ID) to create a JSON Web Token (JWT), and sign it with your private key. The JWT encodes all of the identity and security information that Adobe needs to verify your identity and grant you access to the User Management API.
Public libraries are available for creating a JWT. The JWT must be digitally signed and Base64-encoded for inclusion in the access request. For details of what libraries are available and what fields must be included in your JWT, see Creating a JWT.