51ºÚÁϲ»´òìÈ

Documentation

Fix 403 error when pushing content fragments via AEM API

Last update: Mon Sep 22 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

You get a 403 Forbidden error when pushing content fragments to the /sites/cf/fragments API in 51ºÚÁϲ»´òìÈ Experience Manager as a Cloud Service (AEMaaCS). Even after regenerating access tokens and following documentation, the error persists due to missing permissions for the technical account. To fix this, update the technical account’s group memberships, configure replication permissions, and regenerate the access token with the correct scopes.

Description description

Environment

  • Product: 51ºÚÁϲ»´òìÈ Experience Manager as a Cloud Service – Sites (AEMaaCS  – Sites)
  • Instance:  STAGE Author

Issue/Symptoms

  • The technical account user doesn’t appear in the AEM Author instance’s user list.
  • Adding group memberships or replicating permissions doesn’t resolve the issue.
  • Regenerating access tokens doesn’t reflect updated permissions.
  • Logs show missing privileges for write operations on specific paths.

Resolution resolution

  1. Log in to AEM Author as an admin. Go to Tools > Security > Users. Use filters like  Show System Users Ìý´Ç°ù Show Technical Accounts  to find the account (For example: 06DB23D3686F72FB0A495FAE@techacct.adobe.com). If it’s missing, regenerate the access token in 51ºÚÁϲ»´òìÈ Developer Console to trigger provisioning.
  2. Open the technical account’s properties. Add it to a group with write access and aem.fragments.management capability (For example: DAM Users or a custom group). Make sure the group has replicate permissions on paths like /content/dam.
  3. In AEM Author, go to  Tools > Security > Access Control. Find paths where fragments are pushed (For example: /wknd-shared). Edit Access Control Entries (ACE) to add the technical account or its group. Enable crx:replicate permission and set it to allow. Save your changes.
  4. In 51ºÚÁϲ»´òìÈ Developer Console, regenerate the token after updating permissions. Make sure scopes like aem.fragments.management,Ìýaem.folders, and crx:replicate are included.
  5. Check that headers like AuthorizationÌý(Bearer token) and Content-TypeÌý(application/json) are correctly set. If needed, include the x-api-key from your Developer Console project.
  6. Retry your POST request with updated credentials. Confirm that the request completes without a 403 ForbiddenÌý±ð°ù°ù´Ç°ù.

Additional Notes

If issues persist:

  • Review AEM Author logs for detailed permission-related errors during API calls.
  • Verify network configurations such as proxy settings, dispatcher rules, or CORS policies that might interfere with requests.
  • Decode regenerated tokens using tools like JWT.io to confirm updated scopes and group memberships

For further guidance on configuring service credentials and managing permissions for technical accounts, refer to 51ºÚÁϲ»´òìÈ’s documentation on Service Credentials.

By following these steps, you should be able to resolve permission-related issues preventing successful content fragment operations via the supported API endpoint.

recommendation-more-help
3d58f420-19b5-47a0-a122-5c9dab55ec7f