name: adobe-api-setup
description: Guide for configuring Adobe AEP and CJA API access with OAuth Server-to-Server authentication. Use when setting up API credentials or troubleshooting OAuth errors (401/403).

Adobe AEP/CJA API Prerequisites

This skill provides guidance on configuring Adobe Experience Platform (AEP) and Customer Journey Analytics (CJA) API access for projects using OAuth Server-to-Server authentication.

When to Use This Skill

Invoke this skill when:
- Setting up a new project that integrates with Adobe CJA or AEP APIs
- Troubleshooting OAuth authentication failures
- Configuring API credentials for the first time
- Diagnosing 401/403 permission errors

Prerequisites Checklist

Before using Adobe CJA/AEP APIs, ensure:

• [ ] Adobe Experience Cloud Access - User account with access to CJA and/or AEP
• [ ] Adobe Developer Console Access - Permission to create API integrations
• [ ] System Administrator or Developer Role - Required to create OAuth credentials
• [ ] Product Profile Access - User must be assigned to appropriate product profiles in Admin Console

Adobe Developer Console Setup

Step 1: Create a Project

1. Go to Adobe Developer Console
2. Sign in with your Adobe ID (must have appropriate permissions)
3. Verify you're in the correct organization (top-right dropdown)
4. Click "Create new project"
5. Name the project descriptively (e.g., CJA Integration, AEP Data Pipeline)

Step 2: Add the CJA API

1. In your project, click "Add API"
2. Filter by "Adobe Experience Platform" or search for "Customer Journey Analytics"
3. Select "Customer Journey Analytics"
4. Click "Next"
5. Choose "OAuth Server-to-Server" authentication
6. Click "Next"
7. Select a product profile that has access to your Data Views
8. Click "Save configured API"

Step 3: Add the AEP API (Required)

Critical: The Adobe Experience Platform API must be added to your project even if you're only using CJA. This associates your service account with an Experience Platform product profile, which is required for CJA API authentication.

1. In your project, click "Add API" again
2. Search for "Experience Platform API" (under Adobe Experience Platform)
3. Select "Experience Platform API"
4. Click "Next"
5. Choose "OAuth Server-to-Server" authentication
6. Click "Next"
7. Select a product profile (associates your service account with Experience Platform)
8. Click "Save configured API"

Step 4: Verify Configuration

Your project should now show two APIs configured:
- Customer Journey Analytics
- Experience Platform API

Both APIs share the same OAuth credentials (Client ID and Secret).

Required Credentials

Collect these four values from Adobe Developer Console:

Security: Never commit credentials to version control. Use environment variables, secrets managers, or gitignored configuration files.

Configuration Methods

Method 1: Configuration File (config.json)

{
  "org_id": "ABC123DEF456@AdobeOrg",
  "client_id": "1234567890abcdef1234567890abcdef",
  "secret": "p8e-XXX...",
  "scopes": "your_scopes_from_developer_console"
}

Best for: Local development, single organization

Important: Add config.json to .gitignore

Method 2: Environment Variables

export ORG_ID="ABC123DEF456@AdobeOrg"
export CLIENT_ID="1234567890abcdef1234567890abcdef"
export SECRET="p8e-XXX..."
export SCOPES="your_scopes_from_developer_console"

Best for: CI/CD pipelines, Docker containers, cloud deployments

Method 3: .env File

# .env file (requires python-dotenv)
ORG_ID=ABC123DEF456@AdobeOrg
CLIENT_ID=1234567890abcdef1234567890abcdef
SECRET=p8e-XXX...
SCOPES=your_scopes_from_developer_console

Best for: Local development with environment variable pattern

OAuth Scopes

OAuth scopes define what permissions the API client has. Copy the exact scopes string from Adobe Developer Console.

Common Scope Patterns

Important: Copy scopes exactly as shown in Developer Console. Incorrect or missing scopes cause invalid_scope or insufficient_scope errors.

Product Profile Requirements

CJA Product Profiles

Users and service accounts need appropriate CJA product profiles:

AEP Product Profiles

Even for CJA-only projects, an AEP product profile association is required:

1. Go to Adobe Admin Console
2. Navigate to Products > Adobe Experience Platform
3. Select or create a product profile
4. Ensure your service account (from Developer Console) is assigned

Common OAuth Errors and Solutions

invalid_client

OAuth response: {"error": "invalid_client", "error_description": "..."}

Causes:
- Client ID is incorrect
- Client Secret is incorrect or expired
- Project credentials were regenerated

Solutions:
1. Verify Client ID matches Developer Console exactly
2. Re-retrieve Client Secret from Developer Console
3. Check for copy/paste errors (extra spaces, missing characters)

invalid_scope

OAuth response: {"error": "invalid_scope", "error_description": "..."}

Causes:
- Scopes string doesn't match Developer Console
- Requested scope not authorized for this client

Solutions:
1. Copy scopes exactly from Developer Console (OAuth Server-to-Server > Scopes)
2. Don't modify or add scopes manually

unauthorized_client

OAuth response: {"error": "unauthorized_client", "error_description": "..."}

Causes:
- OAuth Server-to-Server not enabled
- Incorrect credential configuration

Solutions:
1. Ensure OAuth Server-to-Server is selected in Developer Console
2. Verify your project has the correct authentication type configured

403 Forbidden

ERROR - 403 Forbidden
ERROR - Failed to fetch data: 403

Causes:
- Service account not assigned to required product profiles
- Missing AEP API in project
- Insufficient permissions for requested resource

Solutions:
1. Verify both CJA API and AEP API are added to project
2. Check product profile assignments in Admin Console
3. Wait 5-10 minutes after permission changes for propagation

401 Unauthorized

ERROR - 401 Unauthorized
ERROR - Authentication failed

Causes:
- Expired or invalid access token
- Credentials changed in Developer Console

Solutions:
1. Verify credentials haven't been regenerated
2. Check Client Secret is current
3. Ensure Organization ID is correct

Security Best Practices

1. Never commit credentials - Add config.json, .env, and credential files to .gitignore
2. Use environment variables in CI/CD - Inject secrets at runtime
3. Rotate secrets periodically - Regenerate Client Secret in Developer Console
4. Principle of least privilege - Use product profiles with minimum required permissions
5. Audit access - Review API usage in Adobe Developer Console

.gitignore Entries

# Adobe API credentials
config.json
.env

# Credential directories
.cja/
credentials/

Quick Reference

Minimum Configuration

{
  "org_id": "YOUR_ORG_ID@AdobeOrg",
  "client_id": "YOUR_CLIENT_ID",
  "secret": "YOUR_CLIENT_SECRET",
  "scopes": "your_scopes_from_developer_console"
}

Required APIs in Developer Console

1. Customer Journey Analytics - For CJA Data View access
2. Experience Platform API - Required for authentication (even for CJA-only projects)

Key URLs

Troubleshooting Checklist

When authentication fails, verify:

• [ ] Organization ID ends with @AdobeOrg
• [ ] Client ID copied exactly (no extra spaces)
• [ ] Client Secret is current (not regenerated since last copy)
• [ ] Scopes copied exactly from Developer Console
• [ ] Both CJA API and AEP API added to project
• [ ] OAuth Server-to-Server authentication selected
• [ ] Service account assigned to product profiles in Admin Console
• [ ] Product profiles have appropriate permissions
• [ ] Waited 5-10 minutes after permission changes