Adobe Identity Management Service (IMS)
Adobe Identity Management Service (IMS) is Adobe's OAuth 2.0-based authentication and identity management platform. It provides secure authentication for all Adobe products and services, supporting multiple OAuth 2.0 grant types including Authorization Code (with PKCE), Client Credentials for server-to-server communication, and Implicit flows. The API enables applications to authenticate users via Adobe accounts, obtain and manage access tokens, retrieve user profile information, and manage O...
Capabilities (14)
Validate an access token
Validates whether a given access token is still valid and has not expired or been revoked. This endpoint is used by Adobe products and integrations to verify token validity without making an API call that requires the token. Adobe Commerce uses this endpoint to periodically validate access tokens (every 10 minutes) during admin sessions. If the token is valid, the session continues; if invalid, the session is terminated. The endpoint returns token metadata including the client_id it was issued to, the scopes granted, and the expiration time.
validate_token(client_id, type?) -> {client_id, created_at, expires_in, scope, ...}
Exchange JWT token for access token (Deprecated)
Exchanges a signed JSON Web Token (JWT) for an IMS access token. This endpoint is DEPRECATED as of May 2024 - new JWT credentials can no longer be created, and existing JWT credentials stopped working after January 1, 2025. Applications should migrate to OAuth Server-to-Server credentials using the /ims/token/v3 endpoint with client_credentials grant type instead. The JWT must be signed with the application's private key using RS256 algorithm and contain claims including the issuer (IMS organization ID), subject (technical account ID), audience, expiration, and meta scopes.
exchange_jwt() -> {access_token, expires_in, id_token, refresh_token, ...}
Add a new client secret to a credential
Adds a new client secret to an OAuth Server-to-Server credential. Each credential can have a maximum of 2 client secrets at any time. This supports credential rotation: add a new secret, update your application to use the new secret, then delete the old secret. The response includes the actual client_secret value - this is the only time the secret value is returned, so it must be stored securely. Requires the I/O Management API to be added to your project and an access token with manage_client_secrets scope.
add_client_secret(credentialId, orgId) -> {client_secret, created_at, created_at_str, expires_at, ...}
Retrieve authenticated user information via OpenID Connect
Returns claims about the authenticated user as defined by the OpenID Connect UserInfo specification. The claims returned depend on the scopes granted during the authorization flow. With 'openid' scope, the 'sub' (subject identifier) claim is returned. With 'email' scope, 'email' and 'email_verified' claims are included. With 'profile' scope, 'name', 'given_name', 'family_name', and 'account_type' claims are included. With 'address' scope, the 'address' claim containing the country code is included. Requires a valid access token in the Authorization header.
get_user_info(client_id?) -> {account_type, address, email, email_verified, ...}
Exchange credentials for access tokens
Multi-purpose token endpoint that supports multiple OAuth 2.0 grant types for obtaining access tokens. Supports: (1) Authorization Code grant - exchanges an authorization code for access and refresh tokens after user authentication, (2) Client Credentials grant - obtains access tokens for server-to-server communication without user interaction, (3) Refresh Token grant - exchanges a refresh token for a new access token and optionally a new refresh token. Access tokens are valid for approximately 24 hours (86,399 seconds). Refresh tokens are valid for 14 days and are only issued when the offline_access scope is requested. For confidential clients (OAuth Web App), authentication uses the Authorization header with Basic scheme (Base64 encoded client_id:client_secret). For public clients (SPA, Native App), PKCE code_verifier is required with authorization code exchange. Parameters can be sent as form data in the request body (recommended for sensitive data) or as query parameters.
get_token(grant_type, client_id?, client_secret?, code?, code_verifier?, refresh_token?, scope?) -> {access_token, expires_in, id_token, refresh_token, ...}
Retrieve JSON Web Key Set for ID token verification
Returns the JSON Web Key Set (JWKS) containing the RSA public keys used by Adobe IMS to sign ID tokens. Client applications use these keys to verify the signature of ID tokens received during OpenID Connect authentication flows. The keys use RS256 (RSA with SHA-256) signing algorithm. Keys may be rotated periodically, so applications should cache the JWKS but also handle key rotation by re-fetching when verification fails with a cached key. This is an unauthenticated endpoint.
get_jwks() -> {keys}
Retrieve OpenID Connect discovery configuration
Returns the OpenID Connect discovery document containing metadata about the Adobe IMS OpenID Connect provider. This includes supported endpoints, grant types, response types, signing algorithms, and available scopes. The discovery document conforms to the OpenID Connect Discovery 1.0 specification and provides all necessary configuration for OpenID Connect Relying Parties to dynamically discover and interact with Adobe IMS. This is an unauthenticated endpoint that can be called without any credentials.
get_open_id_configuration() -> {authorization_endpoint, grant_types_supported, id_token_signing_alg_values_supported, issuer, ...}
Check token validity and cache status
Verifies a given token and returns whether it is valid together with its remaining lifetime, which callers use to decide how long the result may be cached. This endpoint is primarily used by Adobe SDKs (such as aio-lib-ims) for internal token verification with caching support to avoid repeated IMS calls. It provides a lightweight way to check if a token is still valid without the overhead of a full validation request. The response can be cached for a configured duration to reduce the number of calls to IMS.
check_token(client_id, token) -> {expires_in, token_type, valid}
List all client secrets for a credential
Retrieves a list of all client secrets associated with an OAuth Server-to-Server credential. Each credential can have up to 2 client secrets. The response includes metadata about each secret including its UUID, creation time, expiration status, and last usage information. Note that the actual client_secret values are never returned by this endpoint - only the UUID and metadata are provided. Requires the I/O Management API to be added to your Adobe Developer Console project. The caller must have an access token with adobeio_api and read_client_secret scopes.
list_client_secrets(credentialId, orgId) -> {client_id, client_secrets}
Initiate OAuth 2.0 authorization flow
Initiates the OAuth 2.0 authorization flow by redirecting the user to Adobe's login page. After successful authentication and consent, Adobe IMS redirects the user back to the specified redirect_uri with an authorization code (for authorization_code flow) or tokens (for implicit flow). This endpoint supports multiple response types including code, token, id_token, and hybrid combinations. PKCE (Proof Key for Code Exchange) is supported and recommended for public clients (Single Page Apps and Native Apps) to prevent authorization code interception attacks. The state parameter should be used for CSRF protection.
authorize(client_id, code_challenge?, code_challenge_method?, nonce?, prompt?, redirect_uri?, response_mode?, response_type?, scope?, state?)
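Added example (not Adobe's code or SDK): a stdlib-only helper for the authorization code flow described in this entry and in the token entry above. It derives a PKCE S256 code_challenge, builds the authorize request with a CSRF-protecting state, checks the state on the callback, and assembles the form-encoded token request, using Basic auth for confidential clients and code_verifier for public ones. The authorize endpoint URL is an assumption; a Relying Party should read both endpoints from the discovery document.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed endpoint values (not taken from the page); read authorization_endpoint
# and token_endpoint from the OpenID Connect discovery document in practice.
AUTHORIZE_ENDPOINT = "https://ims-na1.adobelogin.com/ims/authorize/v2"
TOKEN_ENDPOINT = "https://ims-na1.adobelogin.com/ims/token/v3"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(client_id, redirect_uri, scope, verifier, state):
    """Authorize request for a public client: PKCE challenge plus state."""
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": scope, "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def build_token_request(client_id, code, sent_state, returned_state,
                        code_verifier=None, client_secret=None):
    """Headers and form body for the authorization_code exchange at TOKEN_ENDPOINT.
    Confidential clients authenticate with Basic; public clients send code_verifier."""
    if not secrets.compare_digest(sent_state.encode(), returned_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code, "client_id": client_id}
    if client_secret is not None:
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"  # never put the secret in the URL
    elif code_verifier is not None:
        body["code_verifier"] = code_verifier  # proves possession of the challenge
    else:
        raise ValueError("public clients need code_verifier, confidential ones a secret")
    return headers, urlencode(body)  # send as the POST body, not query parameters
```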
Revoke an access token or refresh token
Invalidates an access token or refresh token, effectively ending the session or preventing further use of the token. When an access token is revoked, it can no longer be used to access Adobe APIs. When a refresh token is revoked, no new access tokens can be obtained using that refresh token. For OAuth Web App (confidential) clients, the client must authenticate using the Authorization header with Basic scheme. For other credential types, the client_id should be passed as a parameter. Users can also revoke application access from their Adobe account at adobe.com/security/connected-applications, which triggers re-consent on next login.
revoke_token(token, client_id?)
Delete a client secret from a credential
Removes a specific client secret from an OAuth Server-to-Server credential, identified by its UUID. This is used during credential rotation to remove old secrets after the application has been updated to use a new secret. The secret UUID can be obtained from the list secrets endpoint. Note: you cannot use the plain-text client_secret value to identify which secret to delete - only the UUID is accepted. Requires the I/O Management API to be added to your project and an access token with manage_client_secrets scope. Deleting the last active secret will prevent the credential from generating new access tokens until a new secret is added.
delete_client_secret(credentialId, orgId, uuid)
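Added example (not Adobe's code): the rotation procedure described by this entry and by the add and list entries above, run against a constructed in-memory stand-in for the three secret endpoints. The stand-in enforces the two-secret limit and accepts only UUIDs for deletion; the rotation routine refuses to start when two secrets already exist, so it never removes a secret that may still be in use, and never leaves the credential with no secret.

```python
import secrets
import uuid


class FakeSecretsApi:
    """Constructed stand-in for list/add/delete (assumed to mirror the capabilities above)."""
    MAX_SECRETS = 2

    def __init__(self):
        self._store = {}  # uuid -> plain secret value, held server-side only

    def list_client_secrets(self, credential_id, org_id):
        # Metadata only: the plain client_secret value is never returned here.
        return {"client_id": credential_id,
                "client_secrets": [{"uuid": u} for u in self._store]}

    def add_client_secret(self, credential_id, org_id):
        if len(self._store) >= self.MAX_SECRETS:
            raise RuntimeError("credential already has 2 client secrets")
        new_uuid, value = str(uuid.uuid4()), secrets.token_urlsafe(32)
        self._store[new_uuid] = value
        return {"client_secret": value}  # the only time the value is returned

    def delete_client_secret(self, credential_id, org_id, secret_uuid):
        if secret_uuid not in self._store:  # a plain secret value is not accepted
            raise KeyError("unknown secret uuid")
        del self._store[secret_uuid]


def rotate_client_secret(api, credential_id, org_id, deploy):
    """Add a secret, hand it to `deploy` (store it, reconfigure the app),
    then delete the previous secret by UUID. Returns the new secret's UUID."""
    before = api.list_client_secrets(credential_id, org_id)["client_secrets"]
    if len(before) != 1:
        raise RuntimeError(f"expected exactly 1 active secret, found {len(before)}")
    old_uuid = before[0]["uuid"]
    new_value = api.add_client_secret(credential_id, org_id)["client_secret"]
    deploy(new_value)  # application now authenticates with the new secret
    after = api.list_client_secrets(credential_id, org_id)["client_secrets"]
    new_uuid = next(s["uuid"] for s in after if s["uuid"] != old_uuid)
    api.delete_client_secret(credential_id, org_id, old_uuid)  # UUID, not the value
    return new_uuid
```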
Retrieve detailed user profile from Adobe IMS
Returns detailed profile information for the authenticated user, including organizational membership and roles. This endpoint provides more comprehensive profile data than the OpenID Connect UserInfo endpoint, including the user's assigned organizations and their roles within each organization. The profile response contains a roles array listing all assigned organizations, which is used by Adobe products like Commerce to verify the user belongs to the configured organization. Requires a valid access token in the Authorization header.
get_user_profile(client_id?) -> {account_type, email, family_name, given_name, ...}
End user session and log out
Logs the user out of Adobe IMS by invalidating their session. The application redirects the user to this endpoint with their access token, and after the session is terminated, IMS redirects the browser to the specified redirect_uri. This effectively ends the user's Single Sign-On (SSO) session across all Adobe applications that share the same IMS session. After logout, the user will need to re-authenticate to access any Adobe services.
logout(access_token, redirect_uri?)
Authentication
- Bearer Token
- Oauth2_authorization_code (Primary)
- Oauth2_client_credentials (Primary)