Authentication

The SDK currently supports two authentication paths:

• StaticTokenAuthProvider for an already-issued Adobe bearer token
• OAuthServerToServerAuthProvider for Adobe IMS OAuth Server-to-Server credentials
• OAuthUserAuthProvider for Adobe IMS user-auth authorization-code flows

Recommended Default

For most backend and automation use cases, use OAuthServerToServerAuthProvider.

Adobe's official implementation guide for this flow is:

• Adobe OAuth Server-to-Server implementation guide

The SDK follows that model directly:

• it requests an access token from Adobe IMS using the OAuth 2.0 client_credentials flow
• it caches the access token in memory until it expires
• it attaches the bearer token to outgoing Adobe Target Admin API requests

Static Token

Use StaticTokenAuthProvider when another system already acquires Adobe access tokens and this SDK only needs to send them.

from adobe_target_admin import StaticTokenAuthProvider, TargetClient

client = TargetClient(
    tenant="your-tenant-id",
    api_key="your-api-key",
    auth_provider=StaticTokenAuthProvider("your-access-token"),
)

This is useful when:

• your platform already manages Adobe token acquisition
• you want to inject a short-lived token from a secret store or wrapper script
• you are experimenting from a shell or notebook

OAuth Server-to-Server

Use OAuthServerToServerAuthProvider when the SDK should fetch and cache Adobe access tokens itself.

from adobe_target_admin import OAuthServerToServerAuthProvider, TargetClient

auth_provider = OAuthServerToServerAuthProvider(
    client_id="your-client-id",
    client_secret="your-client-secret",
    scopes=["your-scope"],
)

client = TargetClient(
    tenant="your-tenant-id",
    api_key="your-api-key",
    auth_provider=auth_provider,
)

The provider classes are documented in Class Reference.

Current behavior:

• token acquisition uses Adobe IMS client_credentials
• token caching is in-memory only
• the token is refreshed on the next request after expiry

Required Values

To call the Adobe Target Admin API you need:

• Adobe Target tenant ID
• Adobe API key
• either an Adobe bearer token or Adobe IMS Server-to-Server credentials

For the SDK-managed OAuth flow you also need:

• client_id
• client_secret
• scopes

Use Adobe's docs as the source of truth for credential setup and scope selection:

• Adobe OAuth Server-to-Server implementation guide

User Authentication

The SDK now includes OAuthUserAuthProvider for Adobe IMS user-authentication flows.

Adobe's current user-auth implementation guide is:

• Adobe User Authentication implementation guide

Important constraints from Adobe's docs:

• user authentication is a 3-legged OAuth flow
• available credential types depend on the Adobe API configured in the project
• Web App, Single Page App, and Native App credential types have different redirect and secret-handling requirements

Adobe's user-auth API reference is also relevant for the token and authorize endpoints:

• Adobe User Authentication API reference

What The SDK Supports

OAuthUserAuthProvider supports:

• building Adobe IMS authorization URLs
• exchanging an authorization code for access and refresh tokens
• refreshing cached user access tokens
• both confidential-client and public-client token flows

One important Adobe-specific caveat: refresh-token availability depends on the credential type. Web App credentials can use offline_access, while Single Page App and Native App credentials do not issue refresh tokens. For CLI-style user login, that means some configurations can support a persistent session and some require logging in again after the access token expires.

That means it can support CLI-style login flows where another layer:

• opens the browser
• captures the authorization code at the redirect URI
• passes the code into exchange_code(...)

Example

from adobe_target_admin import OAuthUserAuthProvider

provider = OAuthUserAuthProvider(
    client_id="your-client-id",
    scopes=["openid", "offline_access"],
    redirect_uri="https://localhost/callback",
)

authorize_url = provider.build_authorization_url(
    state="random-state",
    code_challenge="pkce-code-challenge",
)

For public clients such as native-style CLI flows, exchange the code with the PKCE verifier:

access_token = provider.exchange_code(
    "authorization-code-from-callback",
    code_verifier="pkce-code-verifier",
)

For confidential clients, initialize the provider with client_secret. The provider will use Basic authentication for token exchange and refresh requests, matching Adobe's docs.

Choosing Between Them

Use OAuthServerToServerAuthProvider when:

• the SDK runs in a backend service, job, or automation environment
• you want the SDK to manage token acquisition
• your Adobe project is set up for Server-to-Server credentials

Use StaticTokenAuthProvider when:

• token acquisition happens outside the SDK
• you want to experiment quickly with a known-good bearer token
• you want to integrate a future user-auth flow before the SDK implements it directly

Use OAuthUserAuthProvider when:

• requests should run on behalf of a specific Adobe user
• you are building a CLI or app that can complete the 3-legged OAuth flow
• you need authorization-code and refresh-token support instead of server-to-server client credentials