Authentication
The Frame.io V4 API uses Adobe Identity Management Service (IMS), Adobe’s OAuth 2.0 identity platform. There are two categories of authentication:
Lets technical or service account users take action without user interaction. Only available to Frame.io V4 accounts administered via the Adobe Admin Console.
Acts as the user whose token it is. Available to all Frame.io V4 accounts administered via the Adobe Admin Console, as well as Frame-managed accounts that have switched to Adobe Authentication.
SDK Authentication Guides
The Frame.io SDKs handle the full OAuth lifecycle for you — authorization URLs, token exchange, automatic refresh, and revocation. Choose your language to get started:
ServerToServerAuth, WebAppAuth, and SPAAuth with sync and async support.
ServerToServerAuth, WebAppAuth, SPAAuth, and NativeApp authentication for Node.js and browser environments.
If you’re building a backend service or automation, start with Server-to-Server. If your app has users who sign in, choose Web App (if you can store a client secret) or SPA (if you can’t).
User Authentication
User authentication credentials are created in the Adobe Developer Console. Adobe supports three credential types — choose the one that matches your application architecture:
For server-side applications that can securely store a client secret (Flask, Django, FastAPI, Express, etc.).
For browser-based applications, CLIs, or desktop apps that cannot store a client secret. Uses PKCE.
For native mobile or desktop apps that use custom URI scheme redirects.
The Frame.io Python SDK does not include a Native App credential class, since Python has no standard way to register custom URI scheme handlers. Use Web App with a local callback server instead. The TypeScript SDK supports all three credential types.
Server-to-Server Authentication
Server-to-server authentication lets your application act as a service account user — no human in the loop. Your app authenticates with client credentials and receives an access token directly. Service account actions are visible in Frame.io under the service account’s name.
Service account access is managed through the Adobe Admin Console and Developer Console. The service account name is currently not able to be adjusted. See the SDK-specific guides above for implementation details.
See Automate your setup using Frame.io server to server support for more on service account setup.
How Adobe IMS Authentication Works
Adobe Identity Management Service (IMS) is Adobe’s OAuth 2.0-based identity management feature that supports authentication. There are two steps required for generating the access token:
User Authorization
First, the user authorizes the application before a token is generated. Details are here.
Token Exchange
Next, fetch the access token. The above step returns a code in the response body needed in this step. See the exact endpoints to access, and the parameters to use, here.
The above steps are required for all three types of app credentials. There are differences in the way the IMS endpoints /authorize/v2 and /token/v3 are accessed to get the token. After you have the access token, you can use it to interact with the Frame.io V4 API.
For Server-to-Server authentication, there is no user authorization step — the application uses client credentials directly to obtain an access token via the client_credentials grant.
Using the Access Token
Once you have an access token, include it in the Authorization header of every API request:
The Frame.io SDKs handle this for you — just pass the token (or a token-supplying callable) when creating the client.
Token TTL
Access tokens are short-lived — they typically expire in 1 hour. For user authentication flows (Web App, SPA, Native App), Adobe IMS also returns a refresh token that can be used to obtain a new access token without requiring the user to sign in again. Refresh tokens are longer-lived but will eventually expire as well.
For Server-to-Server authentication, there are no refresh tokens. The client credentials themselves never expire (unless manually rotated), so the application can always request a new access token.
The Frame.io SDKs handle token refresh automatically — see the SDK-specific guides for details.
Scopes
When creating credentials in the Adobe Developer Console, you’ll configure OAuth scopes that determine what your application can access. The Frame.io SDKs use the following default scopes:
The offline_access scope is required for user authentication flows to receive a refresh token. Without it, you’ll only get an access token and users will need to re-authenticate when it expires.
Legacy Developer Tokens
For V4-migrated accounts that are not yet administered via the Adobe Admin Console, you can continue to use Legacy Developer Tokens managed in the Frame.io developer site. Pass the token directly to the SDK:
When using a legacy developer token with the V4 API, you must add the x-frameio-legacy-token-auth header with a value of true to all API requests. If you’re using the SDK, set it via the client’s request options.
Legacy developer tokens do not expire, but they are a transitional mechanism. For new integrations and production workloads, we recommend using one of the OAuth 2.0 flows below. See the Migration Guide for details.
If you are an Enterprise customer migrating from Frame.io Legacy to V4, please reach out to your CSM for help in getting set up with the legecy developer token & V4
See the Migration Guide for details on transitioning from legacy tokens to Adobe IMS authentication.
