SSO Cookie Authentication

SSO Cookie Authentication enables API requests using a browser session cookie. It is ideal for browser-based applications and interactive workflows where users are already authenticated.

SSO Cookie Authentication is a session-based authentication method built into Heretto CCMS that enables you to authenticate API requests using your active browser session. This method is particularly useful for browser-based applications, browser extensions, interactive scripts, and any scenario where a user is already signed into the CCMS.

With SSO Cookie Authentication, you use the session cookie (JSESSIONID) that's automatically created when you sign into Heretto CCMS through your browser. This cookie is sent with each API request and the server validates your active session to process the request.

Important:

Session cookies are tied to your active browser session and have a limited lifetime. If you sign out of the CCMS or your session expires, API requests using that cookie will fail. For long-running automated processes, Basic Authentication with a token is recommended instead.

SSO Cookie Authentication requires:

  • Active Browser Session: You must be signed into Heretto CCMS through a web browser

  • JSESSIONID Cookie: The session cookie automatically created upon successful authentication

  • SSO Configuration: Your CCMS instance must have SSO configured (otherwise, standard session-based authentication is used)

Important:

SSO Cookie Authentication is best suited for browser-based or short-lived integrations. For automated workflows, server-to-server integrations, and long-running processes, Basic Authentication with an API token provides better reliability and security control.

SSO Cookie Authentication Process

When a user signs into Heretto CCMS through their web browser using single sign-on (SSO), the server creates a session and sends back a cookie that is stored in the browser. This cookie essentially says “this user has been authenticated and has an active session.” The cookie remains valid until the user is automatically logged out of the CCMS.

This method is useful when testing the API from the help site (example) or integrating with browser-based tools that maintain SSO sessions.

Note:

This authentication method is available only if Heretto CCMS has authentication set up with SSO.

  1. Sign into Heretto CCMS through a web browser by using the single sign-on mechanism configured.

    Officially supported browsers are Google Chrome™ (recommended) and Mozilla Firefox.

  2. Get the Session Cookie.
    Get the session cookie from your browser's developer tools or cookie storage.
  3. Get a Resource UUID.
    For resource-specific operations, obtain the resource UUID from the CCMS interface to use it as the fileId parameter.
  4. Make Authenticated API Calls.

    Include the cookie in your API requests by using the Cookie header, and test your setup by making an API call.

You are ready to make authenticated API calls.

Get the Session Cookie

You can extract the JSESSIONID cookie from your browser session and use it for API calls. The session cookie is automatically created when you sign into Heretto CCMS. The cookie's lifetime is tied to your session - when you sign out or your session expires, the cookie becomes invalid.

Sign into Heretto CCMS through a web browser by using the single sign-on mechanism (SSO) configured. Officially supported browsers are Google Chrome™ (recommended) and Mozilla Firefox.

Google Chrome™
  1. Follow: https://developer.chrome.com/docs/devtools/application/cookies
Mozilla Firefox
  1. Follow: https://firefox-source-docs.mozilla.org/devtools-user/storage_inspector/

JavaScript (Browser Console)

  1. If you're building a browser-based application, you can access the cookie programmatically:
    Important:

    For security reasons, cookies with the HttpOnly flag cannot be accessed via JavaScript. If you cannot retrieve the cookie this way, use browser developer tools instead.

    JAVASCRIPT
    // Note: This only works if your application runs on the same domain
    const jsessionid = document.cookie
      .split('; ')
      .find(row => row.startsWith('JSESSIONID='))
      ?.split('=')[1];
    
    console.log(jsessionid);

Get a Resource UUID

Each resource in Heretto CCMS has its own Universally Unique Identifier (UUID). UUIDs are essential when working with Heretto CCMS API and are also useful in other scenarios, such as referencing resources like graphics or custom fonts in PDF Generator publishing configurations.

  1. In the Content Library, click a resource.
    The Resource Drawer opens on the right.
  2. At the bottom of the resource drawer, click API Info and copy the contents of the UUID field.

Make Authenticated API Calls

With authentication set up, you are ready to test your setup by making an API call using your browser session cookie.

  • Sign into Heretto CCMS through a web browser by using the single sign-on mechanism (SSO) configured. Officially supported browsers are Google Chrome™ (recommended) and Mozilla Firefox.

  • Obtain the session cookie from your web browser. See Get the Session Cookie.

  • For resource-specific operations, obtain the resource UUID (fileId) from the CCMS interface. See Get a Resource UUID.

Replace Endpoint URL Variables

  1. All CCMS API endpoints use this base URL structure: https://{organizationId}.heretto.com/ezdnxtgen/api. Replace the organizationId variable with your CCMS subdomain.

    If you access Heretto CCMS at https://thunderbird.heretto.com, use thunderbird as the organizationId.

    Before:

    CODE
    https://{organizationId}.heretto.com/ezdnxtgen/api/v2/deployments

    After:

    CODE
    https://thunderbird.heretto.com/ezdnxtgen/api/v2/deployments

Apply SSO Cookie Authentication

  1. Include the Cookie header with your JSESSIONID value in each API request.

    Header format:

    CODE
    Cookie: JSESSIONID=<your_session_cookie_value>

    cURL example:

    CODE
    curl -X GET \
      'https://thunderbird.heretto.com/ezdnxtgen/api/v2/deployments' \
      -H 'Cookie: JSESSIONID=A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6'

A successfully authenticated request returns a 200 status code with the requested content. An example of a successful response is:

JSON
{
  "content": [
    {
      "id": "deployment-123",
      "name": "Product Documentation",
      "type": "manual",
      "lastUpdated": "2025-11-24T10:30:00Z"
    }
  ],
  "number": 0,
  "size": 20,
  "totalElements": 1,
  "totalPages": 1
}
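
An added example, not part of the Heretto documentation: a POSIX shell wrapper for the steps above that keeps the JSESSIONID out of curl's command line (and so out of the process list), restricts organizationId to a single hostname label so the cookie cannot be sent to another host, and treats anything other than 200 as a failed or expired session. The function names, the JSESSIONID environment variable, and the accepted cookie character set are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Heretto's code. Function names, the JSESSIONID environment
# variable and the accepted cookie character set are assumptions.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# organizationId becomes part of the hostname, so accept one DNS label only.
valid_org() {
  case "$1" in
    ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
  esac
}

# Refuse anything that could break out of the Cookie header or the quoted
# curl config value (CR/LF, space, ';', '"', '\').
valid_session_id() {
  case "$1" in
    ''|*[!A-Za-z0-9._~+/=-]*) return 1 ;;
  esac
}

# $1 = organizationId, $2 = path below /ezdnxtgen/api, e.g. /v2/deployments
build_url() {
  valid_org "$1" || { echo 'invalid organizationId' >&2; return 1; }
  case "$2" in
    /*) ;;
    *) echo 'path must start with /' >&2; return 1 ;;
  esac
  printf 'https://%s.heretto.com/ezdnxtgen/api%s\n' "$1" "$2"
}

# Emit the header as a curl config line; printf is a shell builtin, so the
# value never appears in any process's argument list.
cookie_config() {
  valid_session_id "$1" || { echo 'unexpected characters in JSESSIONID' >&2; return 1; }
  printf 'header = "Cookie: JSESSIONID=%s"\n' "$1"
}

# $1 = organizationId, $2 = path, $3 = file for the response body.
# Reads the cookie from $JSESSIONID. No --location: a redirect is reported as
# a failure instead of being followed with the cookie attached.
api_get() {
  url=$(build_url "$1" "$2") || return 1
  cfg=$(cookie_config "${JSESSIONID:-}") || return 1
  status=$(printf '%s\n' "$cfg" | curl --silent --show-error --proto '=https' \
    --config - --output "$3" --write-out '%{http_code}' "$url") || return 1
  [ "$status" = 200 ] && return 0
  echo "HTTP $status: request failed; the session may have ended, sign in again" >&2
  return 1
}
```

With JSESSIONID exported in the environment, `api_get thunderbird /v2/deployments deployments.json` writes the response body to deployments.json and returns non-zero on any status other than 200.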