Access control
Access control enables trusted per-user metadata to be injected into widget sessions, so that content filters can be enforced on a per-user basis. Your backend mints a signed token (JWT/HMAC) carrying user attributes (e.g. audience=admin); the widget sends this token in the X-Api-Metadata header; the platform validates it against the HMAC signing key and enforces the content-filter rules scoped to that user.
Pre-requisites
- You must have the site:manage:access_control permission to edit the metadata schema.
- You must have the site:access_control:key_download permission to generate or rotate the signing key.
Register a new IMS OAuth client at developer.adobe.com.
Add the IMS client identity to Guides Knowledge AI.
Create or select a domain-scoped role that includes the required permissions.
Assign that role to the user added in the previous step for the relevant domain(s).
Configure the allowed metadata vocabulary.
Navigate to Settings → Access control on the target domain.
In the Allowed metadata table, add rows defining the permitted vocabulary: each row is an Attribute (e.g. audience) and a Value (e.g. admin or internal).
If the table is empty, any well-signed claim is accepted.
Check Enable metadata based access check to enforce content filters based on the token's metadata. When enabled, users whose tokens do not carry matching attributes will not see content restricted by content-filter rules.
Generate the HMAC signing key.
In the Signing key section, click Generate key. The HMAC secret is shown only once — copy it immediately and store it securely.
To rotate the key, click Rotate key. Existing tokens signed with the old key will stop working immediately.
Your backend signs a JSON payload of user attributes with this secret and passes the
result as the X-Api-Metadata header in widget API calls. The platform
verifies the signature before applying metadata-based content filtering.
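
An added example, not code from the product or its documentation: one way a backend could mint the token for the X-Api-Metadata header and check it locally before shipping. It assumes the platform accepts a compact HS256 JWT with the attributes as top-level claims; the iat/exp claims, the ALLOWED table and every function name here are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: mirrors the Allowed metadata table configured for the domain.
ALLOWED = {"audience": {"admin", "internal"}}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def mint_metadata_token(secret, attrs, ttl=300, now=None):
    """Sign server-derived user attributes as a compact HS256 JWT."""
    for name, value in attrs.items():
        if value not in ALLOWED.get(name, set()):
            raise ValueError(f"not in allowed vocabulary: {name}={value}")
    issued = int(time.time()) if now is None else now
    # Assumption: attributes are top-level claims; iat/exp keep a leaked token short-lived.
    parts = ({"alg": "HS256", "typ": "JWT"}, {**attrs, "iat": issued, "exp": issued + ttl})
    signing_input = ".".join(
        _b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_metadata_token(secret, token, now=None):
    """Local round-trip check: signature first, then pinned algorithm and expiry."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected).encode(), sig.encode()):
        raise ValueError("bad signature")
    if _b64url_json(head).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    claims = _b64url_json(body)
    if claims["exp"] <= (int(time.time()) if now is None else now):
        raise ValueError("expired")
    return claims

def widget_headers(secret, attrs):
    # attrs must come from the authenticated server-side session, never from client input.
    return {"X-Api-Metadata": mint_metadata_token(secret, attrs)}
```

Load the secret from a secrets manager or environment variable at startup rather than embedding it in source, and keep the minting endpoint behind your own authentication so the browser only ever receives the finished token.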