Important Update for Developers Using Adobe APIs

Developers using APIs from Adobe should be aware of a very important update to how authentication works. The TLDR is that we are moving from Service Account (JWT-based) credentials to an OAuth 2.0 implementation for server-to-server authentication. Your existing credentials will continue to work until January 1, 2025, but you should begin working on migrating your code and credentials soon. Read on for more details.
What’s changing
In the past, developers used a Service Account, JWT-based, set of credentials to work with many Adobe APIs and services. This credential made use of a private key and public certificate that expired yearly. This required developers to schedule and rotate their credentials to ensure their implementations continued working properly.
As of May 2023, newly created credentials can make use of OAuth Server-to-Server based credentials. Implementations can use OAuth2 libraries (which exist for all major development platforms) in order to generate access tokens and call Adobe APIs.
At this time, it is important to note that many of the SDKs and tooling available to developers for various services have not yet been updated to support the new credentials. However, all products and services are working to update their SDKs to support them.
Updates in the Console
Developers logging into our Developer Console will begin seeing changes related to this update now. Here’s an example:

As you can see, there’s a warning both on top as well as an “Attention required” alert in the credential. If you click to load the credential, you’ll see further details:

At this point, you can choose to start a migration process. This begins with a warning that you won’t be able to modify existing APIs in the project until complete, so be sure before you begin:

After clicking to add a new credential, you’ll see this, indicating it has been created:

And if you look in the left-hand navigation of your project, you’ll see the new credential:

To be clear, at this point, you’ve only created your credential. Before you can remove the old one, you’ll need to edit and test your code. Let’s take a quick look at how that can look.
Service account (JWT) based API call
For our example, we’re going to use a simple endpoint of the Photoshop API. Our call needs to get an access token and then simply hit https://image.adobe.io/pie/psdService/hello. This returns a string, "Welcome to the Photoshop API!".
In Node.js, we can define this process like so:
The getAccessToken function looks like so:
This is making use of the jsonwebtoken NPM module to generate a JWT and then pass it to our authentication service to get an access token.
OAuth server-to-server based API call
Now let’s look at a version using the new credentials. The code that calls the API hasn’t changed, but our call to get an access token is simpler — we only need a client id and the client secret.
Now let’s look at the updated function:
As you can see, this is much simpler than the previous version, and in fact, it lets us skip using any additional npm libraries (outside of node-fetch, of course). Each language will have its own method of handling the calls, but you can see this is going to be simpler all around.
See our OAuth Server-to-Server implementation guide to familiarize yourself with the new credential.
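The OAuth server-to-server flow described above, as an added Node.js example that is not the code from the original post. The token endpoint URL, the scope list, the `x-api-key` header and the helper names are assumptions not given on this page (check them against the implementation guide), and it uses the `fetch` built into Node 18+ rather than node-fetch.

```javascript
// Added example: endpoint, scopes and the x-api-key header are assumptions, not from this page.
const TOKEN_URL = 'https://ims-na1.adobelogin.com/ims/token/v3';
const SCOPES = 'openid,AdobeID,read_organizations';
const HELLO_URL = 'https://image.adobe.io/pie/psdService/hello';

// Build the client_credentials request. The secret travels in the POST body,
// never in the URL, so it stays out of proxy and access logs.
function buildTokenRequest(clientId, clientSecret, scopes = SCOPES) {
  if (!clientId || !clientSecret) throw new Error('client id and secret are required');
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    scope: scopes,
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  return { url: TOKEN_URL, options: { method: 'POST', headers, body: body.toString() } };
}

const cache = new Map(); // clientId -> { token, expiresAt }

// A cached token is reused until 60 seconds before it expires.
function isFresh(entry, now = Date.now()) {
  return Boolean(entry) && entry.expiresAt - 60000 > now;
}

async function getAccessToken(clientId, clientSecret, fetchImpl = fetch) {
  if (isFresh(cache.get(clientId))) return cache.get(clientId).token;
  const { url, options } = buildTokenRequest(clientId, clientSecret);
  const resp = await fetchImpl(url, options);
  // Report only the status code; the request body holds the secret.
  if (!resp.ok) throw new Error(`token request failed: HTTP ${resp.status}`);
  const data = await resp.json();
  // expires_in is a lifetime in seconds (RFC 6749, section 5.1).
  cache.set(clientId, { token: data.access_token, expiresAt: Date.now() + data.expires_in * 1000 });
  return data.access_token;
}

async function hello(clientId, clientSecret, fetchImpl = fetch) {
  const token = await getAccessToken(clientId, clientSecret, fetchImpl);
  const resp = await fetchImpl(HELLO_URL, {
    headers: { Authorization: `Bearer ${token}`, 'x-api-key': clientId },
  });
  return resp.text();
}
```

Read the client id and secret from the environment or a secrets manager rather than hard-coding them, and call `hello(id, secret)` with no third argument to use the real network.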
Next steps and timeline
As a reminder, here are important dates to keep in mind:
- Existing JWT credentials stop working on January 1, 2025
- You will not be able to create new JWT-based credentials starting May 1, 2024
- Individual services will be announcing SDK updates on a case-by-case basis.
For more information, see our migration guide here.