Authentication
The Adobe Customer Experience (CX) Commenting API accepts Adobe IMS OAuth 2.0 bearer tokens on the Authorization header. Integrations should follow the Adobe IMS Server-to-Server authentication guide to obtain access tokens.
Required headers
Include these headers on every request:
AuthorizationBearer <IMS_ACCESS_TOKEN>x-api-keyx-gw-ims-org-idwf-useridwf-customeridContent-Typeapplication/jsonUser tokens
Pass the end-user IMS token in Authorization. The service validates the token and resolves the user context for access checks.
Service tokens
Service tokens include a pac claim. When using a service token you must supply tenant and user context headers so the service can enforce object access:
x-gw-ims-org-idorwf-customerid— tenantwf-useridoruser-id— acting user
The service validates the token against IMS with scope workfront.comment-stream.
Object access
The default requirement for allowing comments on an object is that the user has view access to that object. If the resolved user does not have at least view permission on the target object, the API returns a 403 Forbidden response.
Session-based access (Workfront UI only)
Workfront browser sessions may authenticate via sessionid cookie or wf-auth cookie through Kong. That path is for product UI traffic, not for third-party server integrations. External integrators should use IMS OAuth only.
First request — create a comment
curl -X POST "https://domain.my.workfront.com/comments/api/v1/comment" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "x-api-key: $API_KEY" \
-H "x-gw-ims-org-id: $IMS_ORG_ID" \
-H "Content-Type: application/json" \
-d '{
"objectID": "6400cae3000c141416060e29",
"objectCode": "PROJ",
"content": "Kickoff notes are ready for review.",
"contentHTML": "<p>Kickoff notes are ready for review.</p>",
"isPrivate": false
}'
List comments on an object
curl -G "https://workfront.adobe.io/comments/api/v1/comment" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "x-api-key: $API_KEY" \
--data-urlencode "objectID=6400cae3000c141416060e29" \
--data-urlencode "objectCode=PROJ" \
--data-urlencode "limit=20"
Response (200 OK):
{
"data": [
{
"_id": "...",
"content": "...",
"objectID": "...",
"objectCode": "PROJ"
}
],
"pageInfo": {
"hasNextPage": true,
"nextCursor": 1710000000000
}
}
Use pageInfo.nextCursor as the cursor query parameter on the next request to fetch the following page.