@amazon-devices/tve-adobe-sso-enabler
The Kepler Adobe SSO Enabler for TVE API provides functionalit that allows third party TV Everywhere (TVE) apps to authenticate, authorize, and verify entitlements for local TV subscribers. For detailed documentation about Adobe's solution, see REST API V2 - APIs - Overview on the Adobe website.
TVE apps on Kepler that use the Single Sign-On (SSO) functionality provided by Adobe can use the TveAdobeSsoEnabler API to get "Adobe-Subject-Token" which can then be attached to API calls made to Adobe as described in Adobe's Single sign-on using platform identity flows documentation.
Getting Started
Prerequisites
- Follow Adobe's documentation to create an app for authentication, authorization, or entitlement verification flows.
- Work with Amazon's Solution Architect to authorize the application's package ID to fetch SSO Token.
Authorization
The SSO Token provided by this API can only be accessed by apps that are authorized by an Amazon Solution Architect. After the app is authorized by Amazon's Solution Architect, app developers might have to wait up to 24 hours before accessing the API to fetch the SSO Token.
Setup
-
Add the following library dependency to the
dependenciessection of your package.json file."@amazon-devices/tve-adobe-sso-enabler": "~0.0.4", -
Add the following privilege in your manifest.toml.
[wants] [[wants.module]] id = /com.amazon.tve.adobe_sso_enabler@IAdobeSsoEnabler [[wants.service]] id = "com.amazon.tve.sso.companion.service"
Usage
-
Import
TveAdobeSsoEnablerin your app code.import { TveAdobeSsoEnabler } from '@amazon-devices/tve-adobe-sso-enabler'; -
Fetch an SSO Token and use the token or handle the error.
TveAdobeSsoEnabler.getSsoToken().then((token: string) => { // Handle token. }).catch((error: string) => { // Handle error. });
Note: Apps can authenticate with Adobe's API even without using an SSO Token. If the SSO Token is missing or incorrect, then Single Sign-On functionality won't work. This means that users must login to every TVE app individually.
Common Use Cases
The following example code shows how to use the SSO Token to fetch profiles as described in Adobe's documentation. The app gets the PROVIDER_NAME and MVPD_NAME while registering their application with Adobe. The SSO token (stored in the SsoToken field) is part of the GetProfilesParams object, which is retrieved by calling TveAdobeSsoEnabler.getSsoToken().
const ADOBE_GET_PROFILES_PATH = `/api/v2/%PROVIDER_NAME%/profiles/%MVPD_NAME%`;
const ADOBE_BASE_URL = 'https://sp.auth.adobe.com';
export interface GetProfilesParams {
accessToken: string;
ssoToken: string;
deviceIdentifier: string;
}
export interface GetProfilesResponse {
profiles: Record<string, Profile>;
}
export interface Profile {
notBefore: number;
notAfter: number;
issuer: string;
type: string;
attributes: Record<string, Record<string, string>>;
}
export async function getProfiles(params: GetProfilesParams) {
const url = new URL(ADOBE_GET_PROFILES_PATH, ADOBE_BASE_URL);
const response = await fetch(url, {
method: 'GET',
headers: {
Accept: 'application/json',
'Adobe-Subject-Token': params.ssoToken,
'AP-Device-Identifier': `fingerprint ${params.deviceIdentifier}`,
Authorization: `Bearer ${params.accessToken}`,
},
});
if (!response.ok) {
throw new Error('Bad response');
}
const payload: GetProfilesResponse = await response.json();
return payload;
}
Troubleshooting
- If the app receives this error "«package id» is not allowed" after calling the
TveAdobeSsoEnabler.getSsoToken()function, then the app is not authorized to retrieve the SSO Token. App developers should work with Amazon's Solution Architect to authorize the app's package ID and then wait for 24 hours before attemptiong to retrieve the token again.
Related topic Resources
REST API V2 - APIs - Overview in the Adobe documentation .
Interfaces
Variables
Last updated: Sep 30, 2025
