Try our conversational search powered by Generative AI!

Area: Optimizely Service API
Applies to versions: 5
Other versions:
ARCHIVED This content is retired and no longer maintained. See the version selector for other versions of this topic.

Installation and configuration

Recommended reading 

This section describes how to install and configure the Optimizely Service API, a service layer used for integration of Optimizely Commerce with external systems, such as PIM, DAM and ERPs. See Service API for introduction and use cases.



Install Optimizely updates through the NuGet Package Manager in Visual Studio. See Installing Optimizely updates how to set up the NuGet feed.

Installing the Service API components

Open Visual Studio and follow the steps below.

  1. Set the target framework for your project to .NET Framework 4.6.1 or higher by right-clicking on the project and choosing Properties.
  2. Select Tools > NuGet Package Manager > Manage NuGet packages for Solution... (or right-click on the solution References and select there).
  3. Click Settings to create a source pointing to the Optimizely NuGet feed.
  4. Open the Online section and select the source you just created.
  5. Install EPiServer.ServiceApi or EPiServer.ServiceApi.Commerce if working with Commerce, and all dependencies (including both Optimizely and third-party packages) Optimizely-based solution (either the Commerce sample website or your actual solution).

    Note: Ensure you install EPiServer.ServiceApi and EPiServer.ServiceApi.Commerce on the front-end site  (not the Commerce Manager back-end site in Commerce).

  6. Select Tools > NuGet Package Manager > Package Manage Console, and run the command update-epidatabase.
  7. Running update-epidatabase or Automatic schema updates set administrator permissions automatically, but you should check that they are set correctly. Otherwise, set account permissions for administrators to execute the Service API in the database (tblUserPermission). (If not, an HTTP 401 status is returned.)
  8. Open EPiServerFramework.config and make sure that <appData> has a <basePath> directory that points to a valid location for which IIS has write permissions. In your site, the EPiServerFramework.config file is in the same level as the web.config file. So, it can be either <episerver.framework configSource="EPiServerFramework.config" >/ or <episerver.framework ...>< the settings> </episerver.framework>.

    Note: Monitor this folder over time because there is no built-in cleanup.

  9. Open IIS > Edit Bindings, and assign a custom HTTPS binding (HTTPS is required for the integration service).
  10. Open the website to verify that it works.

Configuring OWIN startup

Since Service API uses OWIN-based authentication, this needs to be configured in the application’s Startup class.

Note: The Startup class should be in the root folder of the web app, see App startup in ASP.NET Core.

The EPiServer.ServiceApi.Owin namespace contains the application builder extension methods required for this configuration. The following example sets up Service API to authenticate service calls using ASP.NET Membership.

using EPiServer.ServiceApi.Owin;
using Owin;

namespace EPiServer.ServiceApi.Sample
    public class Startup
        public void Configuration(IAppBuilder app)
            // Enable bearer token authentication using Membership for Service Api

Service API can also be set up to authenticate service calls using ASP.NET Identity. How to set up ASP.NET Identity in general and work with the Optimizely UI is described in Optimizely AspNetIdentity. The following example extends the Optimizely UI ASP.NET call to the UseServiceApiIdentityTokenAuthorization method to configure Service API to use the same user type.

using System;
using EPiServer.Cms.UI.AspNetIdentity;
using EPiServer.ServiceApi.Owin;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

namespace EPiServer.ServiceApi.Sample
    public class Startup
        public void Configuration(IAppBuilder app)
            // Add CMS integration for ASP.NET Identity

            // Use cookie authentication
            app.UseCookieAuthentication(new CookieAuthenticationOptions
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/util/login.aspx"),
                Provider = new CookieAuthenticationProvider
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager<ApplicationUser>,
                                                           validateInterval   : TimeSpan.FromMinutes(30),
                                                           regenerateIdentity : (manager, user) => 

            // Enable bearer token authentication using ASP.NET Identity for Service Api
            app.UseServiceApiIdentityTokenAuthorization<ApplicationUserManager<ApplicationUser>, ApplicationUser>();

Note: With ASP.NET Identity configured, ensure you have a registered user account with appropriate permissions (Administrators member).  Since the Service API uses the authorization provider specified in the Startup file, replace other uses of authorization server like UseOAuthAuthorizationServer  with IAppBuilder.UseServiceApiIdentityTokenAuthorization.

Configuration modifications

Some settings are configured in the OWIN startup, while others are configured in web.config.

Token timeout in minutes

You can add this setting to the OWIN startup configuration. If omitted, the authorization server is configured without a setting, so the default OAuthAuthorizationServerOptions.AccessTokenExpireTimeSpan is used (20 minutes).

app.UseServiceApiMembershipTokenAuthorization(new ServiceApiTokenAuthorizationOptions
    AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60)

File upload maximum size

To increase the maximum size that can be uploaded, change maxAllowedContentLength. Currently, the maximum file size is 2 GB.

Note: maxAllowedContentLength is in bytes, while maxRequestLength is in kilobytes.

      <requestLimits maxAllowedContentLength="524288000" />
  <httpRuntime requestValidationMode="2.0" maxRequestLength="102400" />

Disable attribute routing

XMLService API automatically enables attributes routing. If you already configured this, you can disable the Service API from automatically enabling attributes by adding an app setting, see Attribute Routing in ASP.NET Web API 2.

  <add key="episerver:serviceapi:maphttpattributeroutes" value="false" />

Disable SSL requirement for request

By default, Service API requires secure connections both for authentication and for API calls. You can disable this with an app setting, for example, for a debug configuration in development.

  <add key="episerver:serviceapi:requiressl" value="false" />
Note: Live sites should not disable SSL.

Authentication tokens

To use any EPiServer.ServiceApi RESTful method, you must obtain an "OAuth 2 Bearer Token" to send with the request.

using (var client = new HttpClient())
    client.BaseAddress = new Uri("");
    var fields = new Dictionary<string, string>
        { "grant_type", "password" },
        { "username", username },
        { "password", password }
    var response = client.PostAsync("/episerverapi/token", new FormUrlEncodedContent(fields)).Result;
    if (response.StatusCode == HttpStatusCode.OK)
        var content = response.Content.ReadAsStringAsync().Result;
        var token = JObject.Parse(content).GetValue("access_token");

POST /episerverapi/token HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 29
Accept-Encoding: gzip
HTTP/1.1 200 OK
Status: 200 OK
Content-Type: application/json; charset=utf-8
Content-Encoding: gzip
Content-Length: 140

Sending request with tokens

using (var client = new HttpClient())
    client.BaseAddress = new Uri("");
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.ToString());
    var content = new MultipartFormDataContent();
    var filestream = new FileStream(path, FileMode.Open);
    content.Add(new StreamContent(filestream), "file", "");
    var response = client.PostAsync("/episerverapi/commerce/import/catalog", content).Result;
    if (response.StatusCode == HttpStatusCode.OK)
        var returnString = response.Content.ReadAsStringAsync().Result;
        returnString = returnString.Replace("\"", "");
        Guid taskId = Guid.Empty;
        Guid.TryParse(returnString, out taskId);

Strongly typed catalog content types

Strongly typed catalog content types must be present in the context of a ServiceAPI site. If you install ServiceAPI to an existing website, this is solved automatically. However, if you install ServiceAPI as a standalone application, you must deploy the assembly that contains strongly typed catalog content types (and any dependencies of your assembly) to the ServiceAPI bin folder.


The following issues may arise when you set up the Service API.

  • Make sure there is a valid certificate on the server from a trusted certificate authority for the site.
  • Make sure all Service API requests are HTTPS.
  • You receive an error when trying to send a file to an import method. The Service API stores uploaded files in the AppDataPath set in the episerverframework.config file. Make sure the specified folder has the proper security permissions for the application pool identity.
  • Make sure there is a proper OWIN startup. You can disable this if there is a key on the appsettings.
    <add key="owin:AutomaticAppStartup" value="false" />
  • If controller resolution appears to not be working correctly, delete the temporary ASP.NET files and see if that fixes the problem.

Related topics

Do you find this information helpful? Please log in to provide feedback.

Last updated: Feb 22, 2022

Recommended reading