Adobe Multi-Environment Setup
Overview
Configure Adobe APIs across development, staging, and production environments using separate Developer Console projects, environment-specific OAuth credentials, and cloud-native secret management.
Prerequisites
- Adobe Developer Console access (admin or developer role)
- Secret management solution (GCP Secret Manager, AWS Secrets Manager, or Vault)
- CI/CD pipeline with environment variable injection
Instructions
Step 1: Create Separate Developer Console Projects
Adobe best practice: one Developer Console project per environment with separate OAuth credentials.
| Environment | Console Project | Scopes | Product Profile |
|-------------|----------------|--------|-----------------|
| Development | my-app-dev | openid,AdobeID | Dev sandbox |
| Staging | my-app-staging | openid,AdobeID,firefly_api | Staging profile |
| Production | my-app-prod | openid,AdobeID,firefly_api,ff_apis | Production profile |
Step 2: Environment Configuration Files
// src/config/adobe.ts
interface AdobeEnvConfig {
imsEndpoint: string; // Same across all envs
fireflyEndpoint: string; // Same across all envs
photoshopEndpoint: string; // Same across all envs
scopes: string; // Different per env (least privilege)
retries: number;
timeoutMs: number;
cache: { enabled: boolean; ttlMs: number };
}
const configs: Record<string, AdobeEnvConfig> = {
development: {
imsEndpoint: 'https://ims-na1.adobelogin.com',
fireflyEndpoint: 'https://firefly-api.adobe.io',
photoshopEndpoint: 'https://image.adobe.io',
scopes: 'openid,AdobeID', // Minimal scopes for dev
retries: 1, // Fast failure in dev
timeoutMs: 15_000,
cache: { enabled: false, ttlMs: 0 }, // No cache in dev
},
staging: {
imsEndpoint: 'https://ims-na1.adobelogin.com',
fireflyEndpoint: 'https://firefly-api.adobe.io',
photoshopEndpoint: 'https://image.adobe.io',
scopes: 'openid,AdobeID,firefly_api',
retries: 3,
timeoutMs: 30_000,
cache: { enabled: true, ttlMs: 60_000 },
},
production: {
imsEndpoint: 'https://ims-na1.adobelogin.com',
fireflyEndpoint: 'https://firefly-api.adobe.io',
photoshopEndpoint: 'https://image.adobe.io',
scopes: 'openid,AdobeID,firefly_api,ff_apis',
retries: 5,
timeoutMs: 60_000,
cache: { enabled: true, ttlMs: 300_000 },
},
};
export function getAdobeConfig(): AdobeEnvConfig & { clientId: string; clientSecret: string } {
const env = process.env.NODE_ENV || 'development';
const config = configs[env] || configs.development;
return {
...config,
clientId: process.env.ADOBE_CLIENT_ID!,
clientSecret: process.env.ADOBE_CLIENT_SECRET!,
};
}
Step 3: Secret Management per Environment
# --- Local Development ---
# .env.local (git-ignored)
ADOBE_CLIENT_ID=dev-client-id-from-console
ADOBE_CLIENT_SECRET=p8_dev_secret
ADOBE_SCOPES=openid,AdobeID
# --- GCP Secret Manager ---
# Create secrets for staging and production
gcloud secrets create adobe-client-id-staging --data-file=- <<< "staging-client-id"
gcloud secrets create adobe-client-secret-staging --data-file=- <<< "p8_staging_secret"
gcloud secrets create adobe-client-id-prod --data-file=- <<< "prod-client-id"
gcloud secrets create adobe-client-secret-prod --data-file=- <<< "p8_prod_secret"
# Grant service account access
gcloud secrets add-iam-policy-binding adobe-client-secret-prod \
--member="serviceAccount:my-app@project.iam.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
# --- AWS Secrets Manager ---
aws secretsmanager create-secret \
--name adobe/staging/credentials \
--secret-string '{"client_id":"...","client_secret":"p8_staging_..."}'
aws secretsmanager create-secret \
--name adobe/production/credentials \
--secret-string '{"client_id":"...","client_secret":"p8_prod_..."}'
# --- HashiCorp Vault ---
vault kv put secret/adobe/staging client_id="..." client_secret="p8_staging_..."
vault kv put secret/adobe/production client_id="..." client_secret="p8_prod_..."
Step 4: CI/CD Environment Matrix
# .github/workflows/deploy.yml
jobs:
deploy:
strategy:
matrix:
environment: [staging, production]
environment: ${{ matrix.environment }}
runs-on: ubuntu-latest
env:
NODE_ENV: ${{ matrix.environment }}
ADOBE_CLIENT_ID: ${{ secrets[format('ADOBE_CLIENT_ID_{0}', matrix.environment)] }}
ADOBE_CLIENT_SECRET: ${{ secrets[format('ADOBE_CLIENT_SECRET_{0}', matrix.environment)] }}
steps:
- uses: actions/checkout@v4
- run: npm ci && npm test
- name: Verify Adobe credentials for ${{ matrix.environment }}
run: |
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
'https://ims-na1.adobelogin.com/ims/token/v3' \
-d "client_id=${ADOBE_CLIENT_ID}&client_secret=${ADOBE_CLIENT_SECRET}&grant_type=client_credentials&scope=openid,AdobeID")
if [ "$HTTP_CODE" != "200" ]; then
echo "::error::Adobe credential validation failed for ${{ matrix.environment }}"
exit 1
fi
- run: npm run deploy:${{ matrix.environment }}
Step 5: Environment Safety Guard
// Prevent accidental production operations in non-prod
function requireEnvironment(required: string): void {
const current = process.env.NODE_ENV || 'development';
if (current !== required) {
throw new Error(
`Operation requires ${required} environment, currently running in ${current}`
);
}
}
// Usage: guard dangerous operations
async function deleteAllCachedAssets() {
requireEnvironment('production');
// ... actual deletion logic
}
Output
- Separate Developer Console projects per environment
- Environment-aware configuration with least-privilege scoping
- Cloud-native secret management for credentials
- CI/CD pipeline with per-environment credential injection
- Safety guards preventing cross-environment operations
Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| invalid_scope in staging | Scope not in staging project | Add API to staging Console project |
| Wrong credentials deployed | Environment mismatch | Verify NODE_ENV matches secret path |
| Secret access denied | Missing IAM binding | Grant secretAccessor role |
| Config merge fails | Missing env config file | Ensure all environments defined |
Resources
Next Steps
For observability setup, see adobe-observability.