Recently, I was working on setting up a webhook using the Sitecore Experience Edge Admin API for a cache revalidation scenario. The goal was straightforward: whenever content is updated in Sitecore, trigger a webhook that tells the frontend application to clear or revalidate cached pages.
The implementation itself is well documented by Sitecore, but I ran into an authentication issue that was not immediately obvious. Every request to create the webhook returned a 401 Unauthorized response with the message:
edge.cdn.11: Unauthorized. Failed to find tenant.
After troubleshooting, I discovered the issue was related to the type of OAuth credentials I had created in the Sitecore Deploy app.
If you run into the same problem, this post may save you some time.
What We Were Trying to Build
The use case was to create an Edge webhook that fires on content updates.
This is commonly used in headless implementations where the frontend (such as Next.js) uses caching or static generation. Once content authors publish updates, the webhook can notify the frontend to refresh content automatically.
The webhook was being created using the Experience Edge Admin API endpoint:
POST https://edge.sitecorecloud.io/api/admin/v1/webhooks
To authenticate with this API, a Bearer token is required.
Sitecore documents the token generation process here:
- Requesting JWT token for Experience Edge using OAuth
- Experience Edge Admin API documentation
The Issue
Everything looked correct in Postman:
- Valid API endpoint
- Proper request payload
- Bearer token included
- Required headers present
Yet every request returned:
401 Unauthorized
edge.cdn.11: Unauthorized. Failed to find tenant.
At first glance, it seemed like the token itself was invalid or expired. But the token was being generated successfully.
That made the error confusing.
Root Cause
The actual problem was the OAuth credentials used to generate the token.
When creating OAuth credentials in the Sitecore Deploy app, I mistakenly created:
✅ Organization-level OAuth credentials
Instead of:
✅ Environment-specific OAuth credentials
This distinction matters.
The Experience Edge Admin API expects a token tied to a specific Sitecore environment (tenant). If the token is generated using organization-level credentials, the API cannot associate it with the correct tenant environment.
As a result, the request fails with:
Failed to find tenant
How I Resolved It
The fix was simple once identified.
Step 1: Open Sitecore Deploy App
Go to your Sitecore Deploy portal.
Step 2: Create OAuth Credentials for the Correct Environment
Instead of creating credentials at the organization level, create them under the specific environment you are working with (DEV, UAT, PROD, etc.).
Step 3: Generate a New Access Token
Use the new client credentials to request a JWT token.
Step 4: Retry the API Call
After replacing the old token with the new environment-based token, the webhook request worked immediately.
Example Error Response
401 Unauthorized
edge.cdn.11: Unauthorized. Failed to find tenant.
After Fix
200 OK / 201 Created
Webhook created successfully
Key Takeaway
When working with Experience Edge Admin APIs, always make sure your OAuth credentials are created for the correct environment, not just the organization.
This small detail can cause authentication to appear valid while still failing with tenant-related errors.
Final Thoughts
Authentication issues are often tricky because the token generation process may succeed even when the token is not usable for the target API.
If you receive:
edge.cdn.11: Unauthorized. Failed to find tenant.
Check your OAuth credential scope first.
It may save you a lot of unnecessary debugging.
Helpful References
- Sitecore Docs – Request a JWT for Experience Edge using OAuth
https://doc.sitecore.com/xp/en/developers/101/developer-tools/request-a-jwt-for-experience-edge-xm-using-oauth.html - Sitecore Docs – Experience Edge Admin API
https://doc.sitecore.com/xp/en/developers/101/developer-tools/admin-api.html
No comments:
Post a Comment