Step 2: Create your Yext Auth Policy to secure your Yext Site

Next, you’ll need to create an authentication policy in the Admin Console via Configuration as Code. This authentication policy will ultimately be linked to your site, so your site will know how to authenticate users.

  1. Navigate to the Admin Console.
  2. Click Add Resource and choose to add an authentication-policy resource under pages. Give your policy a name and click Create.
  3. Configure the first part of your resource to look like the following. This will signal to Sites that you would like to use Yext Auth to protect your page, meaning users will have to authenticate into the Site with their Yext credentials.

    example-authentication-policy.json

    {
      "$id": "example-authentication-policy",
      "$schema": "https://schema.yext.com/config/pages/authentication-policy/v1",
      "name": "example-yextAuth-policy",
      "authentication": {
        "yext": true
      }
    }

    You can choose any name of your choice, but be sure to remember it for the next part.

  4. Below the authentication part, you’ll want to configure secure API tokens. This is done within the same policy that you have just created. These tokens are essential for your Search experience in order to make secure client-side calls to Yext APIs from an authenticated page. By using Yext Auth to protect your page, your Search experience can utilize the permissions and identities of Yext Users (explained more in later steps), and Sites will place the configured token on the window for Search to use. The token may look like the following:

    example-authentication-policy.json // SAME RESOURCE AS ABOVE

    {
      "apiTokens": [
        {
          "name": "SITE_SEARCH",
          "keyId": "1nfhkeafjlzn439",
          "claims": {
            "aud": "/v2/accounts/me/search",
            "expiresIn": 3600000,
            "query": {
              "experienceKey": "authorized-search",
              "experienceVersion": "ENV.DOMAIN_ENVIRONMENT"
            }
          },
          "scope": "/about.html"
        }
      ]
    }

For more information on how to configure secure tokens, you can follow this guide. The important things to note right now are:

  • Remember the name of your token for the next part.
  • The keyId is the key ID from step 1 of this guide. This is required.
  • The audience (aud) specifies the intended URL, or array of URLs, of the endpoint(s) the token is authorized to call. For all search endpoints, for instance, the audience would be "/v2/accounts/me/search". This is required.
  • The expiresIn value is in milliseconds and designates how long the token remains valid after being minted by Sites. You can choose any value. For example, if you choose 3600000 milliseconds (1 hour), the token will expire 1 hour after Sites mints it, which is when the user logs into the site. Setting the expiry time is optional. If unset, the token will not expire.
    • Note: you also have the option to set exp, or the expiry time in UNIX time, directly. This is NOT recommended, as all tokens for the experience will expire at the given time, rather than dynamically based on when the token is minted.
  • The experienceKey designates which search experience your secure tokens should work for. The experience key can be found under the General Settings tab within your search experience. This is optional.
  • The experienceVersion is optional but recommended and should remain unchanged. This is not truly a CaC variable, but rather set to ensure that a specific version is used and that previous versions of the configuration cannot be searched with the token. The version will be set based on the environment variable DOMAIN_ENVIRONMENT, either to STAGING or PRODUCTION.
  • The scope is a regex that specifies paths in the site. If set, the system will only generate tokens for pages matching the regex of this path. This is useful to improve performance, so that Sites does not have to mint a token for pages where it is not used. If not set, the system will generate a token for every page in the Site.

Note that identity is also part of the JWT that Sites will put on the page. It is added at runtime to match the identity of the user logging into the Site with Yext Auth.
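Because a policy with a missing keyId or audience, or with a fixed exp, only shows up as a problem after the resource is applied, it is worth checking the resource before applying it. The following is an added example, not Yext's code or part of the Configuration as Code tooling: it lints an authentication-policy object against the rules listed above, shows how the scope regex decides whether a token is minted for a given page path, and computes when a minted token expires. The policy object, the function names, and the treatment of exp as UNIX seconds are assumptions of this example.

```javascript
// Added example (not Yext's code): lint an authentication-policy resource
// against the rules described on this page before applying it with CaC.
// Assumes the resource is a plain object with the shape shown above.

// Returns an array of { level, message }; an empty array means the policy passes.
function validateAuthPolicy(policy) {
  const issues = [];
  const auth = policy.authentication || {};
  if (auth.yext !== true) {
    issues.push({ level: "error", message: "authentication.yext must be true to protect the site with Yext Auth" });
  }
  const tokens = Array.isArray(policy.apiTokens) ? policy.apiTokens : [];
  const seen = new Set();
  for (const t of tokens) {
    const who = t.name || "<unnamed>";
    if (!t.name) issues.push({ level: "error", message: "apiTokens entry is missing name" });
    else if (seen.has(t.name)) issues.push({ level: "error", message: `duplicate token name ${who}` });
    seen.add(t.name);

    // keyId comes from step 1 and is required.
    if (!t.keyId) issues.push({ level: "error", message: `${who}: keyId is required` });

    const claims = t.claims || {};
    // aud is required: a non-empty string or a non-empty array of strings.
    const aud = claims.aud;
    const audOk = typeof aud === "string" ? aud.length > 0 : Array.isArray(aud) && aud.length > 0;
    if (!audOk) issues.push({ level: "error", message: `${who}: claims.aud is required` });

    // A fixed exp makes every token for the experience expire at once; expiresIn is preferred.
    if ("exp" in claims) {
      issues.push({ level: "warn", message: `${who}: fixed exp expires all tokens at the same instant; prefer expiresIn` });
    } else if (!("expiresIn" in claims)) {
      issues.push({ level: "warn", message: `${who}: no expiresIn set, so minted tokens never expire` });
    }
    if ("expiresIn" in claims && !(Number.isInteger(claims.expiresIn) && claims.expiresIn > 0)) {
      issues.push({ level: "error", message: `${who}: expiresIn must be a positive integer number of milliseconds` });
    }

    // scope, if present, must be a valid regex over site paths.
    if (t.scope !== undefined) {
      try { new RegExp(t.scope); } catch (e) {
        issues.push({ level: "error", message: `${who}: scope is not a valid regular expression` });
      }
    }
  }
  return issues;
}

// Would Sites mint this token for the given page path? No scope means every page.
function tokenAppliesToPath(token, path) {
  if (token.scope === undefined) return true;
  return new RegExp(token.scope).test(path);
}

// Expiry (ms since epoch) of a token minted at mintedAtMs; null means it never expires.
// exp is assumed here to be UNIX seconds, as is conventional for JWTs.
function tokenExpiryMs(token, mintedAtMs) {
  const claims = token.claims || {};
  if (typeof claims.exp === "number") return claims.exp * 1000;
  if (typeof claims.expiresIn === "number") return mintedAtMs + claims.expiresIn;
  return null;
}

// Constructed sample policy, using the values shown on this page.
const SAMPLE_POLICY = {
  "$id": "example-authentication-policy",
  "$schema": "https://schema.yext.com/config/pages/authentication-policy/v1",
  "name": "example-yextAuth-policy",
  "authentication": { "yext": true },
  "apiTokens": [
    {
      "name": "SITE_SEARCH",
      "keyId": "1nfhkeafjlzn439",
      "claims": {
        "aud": "/v2/accounts/me/search",
        "expiresIn": 3600000,
        "query": { "experienceKey": "authorized-search", "experienceVersion": "ENV.DOMAIN_ENVIRONMENT" }
      },
      "scope": "/about.html"
    }
  ]
};

// Usage: run the linter and report, then show scope and expiry behaviour for the sample token.
for (const i of validateAuthPolicy(SAMPLE_POLICY)) console.log(`${i.level}: ${i.message}`);
const sampleToken = SAMPLE_POLICY.apiTokens[0];
console.log("minted for /about.html:", tokenAppliesToPath(sampleToken, "/about.html"));
console.log("minted for /index.html:", tokenAppliesToPath(sampleToken, "/index.html"));
console.log("expires at:", new Date(tokenExpiryMs(sampleToken, Date.now())).toISOString());
```

Note that the scope is a regular expression rather than a literal path, so an unescaped dot in "/about.html" also matches "/aboutXhtml"; anchoring and escaping the pattern (for example "^/about\\.html$") is the safer choice when the token should be minted for exactly one page.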

Once you are satisfied with your authentication policy, including the configuration of your authentication policy as well as apiTokens, you can apply your resources to the account.