The Contentstack Migration Tool uses single sign-on (SSO) over OAuth 2.0 to authenticate users against Contentstack. Once SSO is configured, signing in to the migration tool redirects you to Contentstack's login page, and a session is established automatically after authentication. No separate credentials or tokens need to be managed by the user.
This guide outlines how to provision the OAuth application for the migration tool, configure SSO end-to-end, and verify the login flow.
Configure SSO before performing your first migration. The migration tool requires an active Contentstack session to read your organization, list stacks, and write content. SSO replaces long-lived management tokens with short-lived access tokens, which limits the scope of permissions granted to the tool. The tool also refreshes the access token automatically using a refresh token, so long-running migrations do not interrupt.
The OAuth flow works for any Contentstack organization, regardless of whether the organization has SAML SSO enabled at the identity provider level.
Before you begin, ensure the following requirements are met:
The build.sh script registers the migration tool as an OAuth application in your Contentstack organization, configures the redirect URI, and creates the app.json manifest used by the migration tool's application programming interface (API).
chmod +x build.sh
./build.shNote: Always run build.sh from the repository root. The script writes app.json to the current working directory. Running it from a subdirectory places app.json in the wrong location.
Warning: The region you choose here must match the region you select in the migration tool's login screen later. Mismatched regions cause authentication failures.
Note: If the browser does not open or the login fails, run csdx auth:logout to clear cached credentials, then re-run ./build.sh.
| Scenario | Input |
| Local API on default port 5001 | Press Enter with no input. Resolves to http://localhost:5001/v2/auth/save-token. |
| Local API on a custom port (for example, 3000) | Enter the origin only: http://localhost:3000. The script appends the path. |
| Hosted environment | Enter the origin only (for example, https://api.mycompany.com). The script appends the path. |
Warning: Do not include /v2/auth/save-token in your input. The script appends this path automatically. Including it produces a duplicated path and breaks the redirect.
Warning: The organization you select here must be the same organization that contains your target stacks, and the same organization where you install the migration app from the Contentstack Marketplace. Selecting different organizations across these steps causes the app to be registered in one organization while permissions exist in another, breaking authentication.
Note: Re-running build.sh is safe. If the migration app already exists in the selected organization, its settings are updated rather than a new app being created.
To confirm SSO is working end-to-end:
This completes the SSO configuration for the Contentstack Migration Tool.