
@salesforce/b2c-tooling-sdk / auth / JwtOAuthStrategy

Class: JwtOAuthStrategy

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:81

OAuth 2.0 JWT Bearer authentication strategy.

Implements RFC 7523 (JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants).

Key differences from client credentials flow:

  • Uses public/private key pair instead of client secret
  • Sends JWT as client_assertion in POST body (not Authorization header)
  • JWT is self-signed and short-lived (60 seconds)
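The three bullets above describe what the strategy puts on the wire. The following is an added example, not code from @salesforce/b2c-tooling-sdk: it builds an RFC 7523 client assertion the way the description implies (a self-signed RS256 JWT with a 60-second lifetime, carried as client_assertion in the form body of a client_credentials request) and then shows the checks a token endpoint has to apply before trusting it. The key pair is generated in memory; the token endpoint URL, the scope name and the grant_type value are assumptions, not values taken from the SDK or from Account Manager.

```typescript
// Added example, not SDK code. RFC 7523 client assertion: build, send, verify.
import { createSign, createVerify, generateKeyPairSync, randomUUID, KeyObject } from 'node:crypto';

const ASSERTION_TTL_SECONDS = 60;   // lifetime stated in the class description
const CLOCK_SKEW_SECONDS = 5;       // tolerance the verifier grants for clock drift
const TOKEN_ENDPOINT = 'https://account.example.test/oauth2/access_token'; // assumed, not the real endpoint
const CLIENT_ID = 'my-client-id';

// In-memory key pair standing in for cert.pem / key.pem.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });

function b64url(input: Buffer | string): string {
  return Buffer.from(input).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromB64url(s: string): Buffer {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64');
}

interface ClientAssertionClaims {
  iss: string; sub: string; aud: string; iat: number; exp: number; jti: string;
}

// Client side: sign {iss, sub, aud, iat, exp, jti} with RS256 using the private key.
function buildClientAssertion(clientId: string, audience: string, key: KeyObject, nowSeconds: number): string {
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims: ClientAssertionClaims = {
    iss: clientId, sub: clientId, aud: audience,
    iat: nowSeconds, exp: nowSeconds + ASSERTION_TTL_SECONDS, jti: randomUUID(),
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = createSign('RSA-SHA256').update(signingInput).sign(key);
  return `${signingInput}.${b64url(signature)}`;
}

// Client side: the form body. The assertion travels in the POST body, not in an
// Authorization header, which is the difference the class description calls out.
function buildTokenRequestBody(assertion: string, scopes: string[]): URLSearchParams {
  return new URLSearchParams({
    grant_type: 'client_credentials',                                                   // assumed
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
    scope: scopes.join(' '),
  });
}

// Server side: what the token endpoint must check before accepting the assertion.
function verifyClientAssertion(assertion: string, expectedAudience: string, key: KeyObject, nowSeconds: number): ClientAssertionClaims {
  const parts = assertion.split('.');
  if (parts.length !== 3) throw new Error('malformed assertion');
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64url(h).toString('utf8')) as { alg?: string };
  if (header.alg !== 'RS256') throw new Error(`unsupported alg ${header.alg}`); // pin the algorithm, never honour alg from the token
  if (!createVerify('RSA-SHA256').update(`${h}.${p}`).verify(key, fromB64url(s))) {
    throw new Error('signature check failed');
  }
  const claims = JSON.parse(fromB64url(p).toString('utf8')) as ClientAssertionClaims;
  if (claims.aud !== expectedAudience) throw new Error('audience mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds - CLOCK_SKEW_SECONDS) throw new Error('assertion expired');
  if (typeof claims.iat !== 'number' || claims.iat > nowSeconds + CLOCK_SKEW_SECONDS) throw new Error('issued in the future');
  if (claims.exp - claims.iat > ASSERTION_TTL_SECONDS + CLOCK_SKEW_SECONDS) throw new Error('lifetime too long');
  if (!claims.jti) throw new Error('missing jti'); // a real endpoint also records jti to detect replay within the lifetime
  return claims;
}

// Round trip plus the negative cases; returns plain values so they can be inspected.
function demo(nowSeconds: number = Math.floor(Date.now() / 1000)) {
  const assertion = buildClientAssertion(CLIENT_ID, TOKEN_ENDPOINT, privateKey, nowSeconds);
  const body = buildTokenRequestBody(assertion, ['example-scope']); // constructed scope name
  const claims = verifyClientAssertion(assertion, TOKEN_ENDPOINT, publicKey, nowSeconds + 30);
  const rejects = (fn: () => unknown): boolean => { try { fn(); return false; } catch { return true; } };
  const [h, , s] = assertion.split('.');
  const forged = `${h}.${b64url(JSON.stringify({ ...claims, sub: 'other-client' }))}.${s}`; // payload edited, old signature kept
  return {
    bodyCarriesAssertion: body.get('client_assertion') === assertion,
    lifetimeSeconds: claims.exp - claims.iat,
    expiredRejected: rejects(() => verifyClientAssertion(assertion, TOKEN_ENDPOINT, publicKey, nowSeconds + 120)),
    wrongAudienceRejected: rejects(() => verifyClientAssertion(assertion, 'https://other.example.test/token', publicKey, nowSeconds)),
    forgedSubjectRejected: rejects(() => verifyClientAssertion(forged, TOKEN_ENDPOINT, publicKey, nowSeconds)),
  };
}

console.log(demo());
```

The short lifetime is what limits the damage if an assertion leaks in transit or in a log: the verifier rejects anything whose exp has passed or whose exp minus iat exceeds the expected 60 seconds, and pinning aud to the token endpoint stops the same assertion from being accepted by a different audience.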

Example

```typescript
// Import path assumed from the package name shown above; adjust to the SDK's actual export.
import { JwtOAuthStrategy } from '@salesforce/b2c-tooling-sdk';

const strategy = new JwtOAuthStrategy({
  clientId: 'my-client-id',
  certPath: './cert.pem',
  keyPath: './key.pem',
  accountManagerHost: 'account.demandware.com',
});

const response = await strategy.fetch('https://api.example.com/data');
```

Implements

AuthStrategy

Constructors

Constructor

new JwtOAuthStrategy(config): JwtOAuthStrategy

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:99

Creates a new JwtOAuthStrategy instance.

Validates the provided configuration and caches the private key during construction to avoid repeated file I/O during token requests.

Parameters

config

JwtOAuthConfig

JWT OAuth configuration containing clientId, certificate/key file paths, and Account Manager host

Returns

JwtOAuthStrategy

Throws

Error if clientId, certPath, keyPath, or accountManagerHost is missing

Throws

Error if certificate or key files do not exist, are unreadable, or have invalid PEM format

Throws

Error if the private key is encrypted but no passphrase is provided, or the passphrase is incorrect
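The three Throws entries above describe fail-fast validation: required fields present, both PEM files readable and well formed, and an encrypted key only accepted with the correct passphrase. The following is an added example, not the SDK's constructor: it reproduces those checks with Node's crypto and fs modules and caches the parsed key once, as the constructor description says. The JwtOAuthConfig field names come from this page; the optional passphrase field name is an assumption. The certificate written by the demo is a placeholder body used only to exercise the PEM shape check, since a real certificate cannot be minted offline here.

```typescript
// Added example, not SDK code. Constructor-style validation of a JwtOAuthConfig.
import { createPrivateKey, generateKeyPairSync, KeyObject } from 'node:crypto';
import { mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { join } from 'node:path';

interface JwtOAuthConfig {
  clientId: string; certPath: string; keyPath: string; accountManagerHost: string;
  passphrase?: string; // assumed field name for the key passphrase
}

// One PEM block: BEGIN label, base64 body, matching END label.
const PEM_BLOCK = /^-----BEGIN ([A-Z ]+)-----\r?\n[A-Za-z0-9+/=\r\n]+-----END \1-----\r?\n?$/;

function requireFields(config: JwtOAuthConfig): void {
  const missing = (['clientId', 'certPath', 'keyPath', 'accountManagerHost'] as const).filter((k) => !config[k]);
  if (missing.length) throw new Error(`JwtOAuthStrategy: missing ${missing.join(', ')}`);
}

// Read a PEM file once and reject anything that is not a PEM block.
function readPem(path: string, what: string): string {
  let text: string;
  try { text = readFileSync(path, 'utf8'); }
  catch (e) { throw new Error(`${what} file ${path} does not exist or is unreadable: ${(e as Error).message}`); }
  if (!PEM_BLOCK.test(text.trim())) throw new Error(`${what} file ${path} is not valid PEM`);
  return text;
}

// Parse the key; distinguish "encrypted without passphrase" from "wrong passphrase" from "not a key".
function loadPrivateKey(pem: string, passphrase?: string): KeyObject {
  const encrypted = pem.includes('ENCRYPTED PRIVATE KEY') || pem.includes('Proc-Type: 4,ENCRYPTED');
  if (encrypted && passphrase === undefined) throw new Error('private key is encrypted but no passphrase was provided');
  try {
    return createPrivateKey(passphrase === undefined ? pem : { key: pem, passphrase });
  } catch (e) {
    throw new Error(encrypted ? 'passphrase is incorrect' : `private key is not a valid PEM key: ${(e as Error).message}`);
  }
}

// Mirrors the constructor: validate fields, read both files once, cache the parsed key.
function createValidatedConfig(config: JwtOAuthConfig): { config: JwtOAuthConfig; certPem: string; privateKey: KeyObject } {
  requireFields(config);
  const certPem = readPem(config.certPath, 'certificate');
  const keyPem = readPem(config.keyPath, 'private key');
  return { config, certPem, privateKey: loadPrivateKey(keyPem, config.passphrase) };
}

// Constructed scenario: an encrypted key on disk plus the failure modes the constructor reports.
function demo() {
  const passphrase = 'constructed-passphrase';
  const { privateKey: encryptedPem } = generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
  const dir = mkdtempSync(join(tmpdir(), 'jwt-oauth-example-'));
  const keyPath = join(dir, 'key.pem');
  const certPath = join(dir, 'cert.pem');
  writeFileSync(keyPath, encryptedPem);
  // Placeholder certificate body: satisfies the shape check only, not a real certificate.
  writeFileSync(certPath, '-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n');
  const base: JwtOAuthConfig = { clientId: 'my-client-id', certPath, keyPath, accountManagerHost: 'account.demandware.com' };
  const failure = (c: JwtOAuthConfig): string => { try { createValidatedConfig(c); return ''; } catch (e) { return (e as Error).message; } };
  return {
    ok: createValidatedConfig({ ...base, passphrase }).privateKey.type === 'private',
    missingField: failure({ ...base, clientId: '' }),
    noPassphrase: failure(base),
    wrongPassphrase: failure({ ...base, passphrase: 'nope' }),
    missingFile: failure({ ...base, keyPath: join(dir, 'absent.pem') }),
  };
}

console.log(demo());
```

Doing the work in the constructor means a misconfigured client fails at start-up with a message naming the field or file, rather than at the first token request, and the decrypted key object stays in process memory instead of being re-read and re-decrypted on every request.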

Methods

fetch()

fetch(url, init): Promise<Response>

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:209

Performs a fetch request with JWT Bearer authentication. Automatically injects the Authorization header with a fresh access token, sets the x-dw-client-id header, and retries once on a 401 response.

Parameters

url

string

init

FetchInit = {}

Returns

Promise<Response>

Implementation of

AuthStrategy.fetch
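The fetch() description names three behaviours: a cached token injected as a Bearer Authorization header, an x-dw-client-id header, and a retry on 401. The following is an added example, not the SDK's fetch() implementation: it shows one way those pieces fit together, with the token request and the protected API modelled as injected functions so the example runs offline. The header names come from this page; the token lifetime, the early-refresh margin and the simulated server behaviour are assumptions.

```typescript
// Added example, not SDK code. Token cache, header injection and a single 401 retry.
interface SimpleRequest { url: string; headers: Record<string, string> }
interface SimpleResponse { status: number; body: string }
type Transport = (req: SimpleRequest) => Promise<SimpleResponse>;
interface AccessToken { value: string; expiresAt: number } // ms since epoch

class BearerClient {
  private cached: AccessToken | null = null;
  private readonly clientId: string;
  private readonly obtainToken: () => Promise<AccessToken>; // e.g. the JWT-bearer token request
  private readonly transport: Transport;
  private readonly now: () => number;

  constructor(clientId: string, obtainToken: () => Promise<AccessToken>, transport: Transport, now: () => number = Date.now) {
    this.clientId = clientId; this.obtainToken = obtainToken; this.transport = transport; this.now = now;
  }

  invalidateToken(): void { this.cached = null; }

  // Refresh 30 s early (assumed margin) so a token does not expire while a request is in flight.
  private async token(): Promise<string> {
    if (!this.cached || this.cached.expiresAt - 30_000 <= this.now()) this.cached = await this.obtainToken();
    return this.cached.value;
  }

  async fetch(url: string, headers: Record<string, string> = {}): Promise<SimpleResponse> {
    const send = async (): Promise<SimpleResponse> => this.transport({
      url,
      headers: { ...headers, Authorization: `Bearer ${await this.token()}`, 'x-dw-client-id': this.clientId },
    });
    const first = await send();
    if (first.status !== 401) return first;
    // Exactly one retry: drop the cached token, obtain a fresh one, resend.
    // A second 401 is returned to the caller instead of looping.
    this.invalidateToken();
    return send();
  }
}

// Constructed stand-ins for the token endpoint and a protected API.
function makeSimulation() {
  let issued = 0;
  const revoked = new Set<string>();
  const tokensMinted: string[] = [];
  const obtainToken = async (): Promise<AccessToken> => {
    const value = `tok-${++issued}`;
    tokensMinted.push(value);
    return { value, expiresAt: Date.now() + 30 * 60_000 };
  };
  const transport: Transport = async (req) => {
    const auth = req.headers.Authorization ?? '';
    const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
    if (!token || revoked.has(token) || req.headers['x-dw-client-id'] !== 'my-client-id') {
      return { status: 401, body: 'unauthorized' };
    }
    return { status: 200, body: `ok for ${req.url}` };
  };
  return { obtainToken, transport, revoke: (t: string) => revoked.add(t), tokensMinted };
}

// Three calls: the second reuses the cached token, the third hits the retry path.
async function demo() {
  const sim = makeSimulation();
  const client = new BearerClient('my-client-id', sim.obtainToken, sim.transport);
  const a = await client.fetch('https://api.example.test/data');   // tok-1 minted
  const b = await client.fetch('https://api.example.test/more');   // tok-1 reused from cache
  sim.revoke('tok-1');                                              // server-side revocation
  const c = await client.fetch('https://api.example.test/again');  // 401, then retry with tok-2
  return { statuses: [a.status, b.status, c.status], tokensMinted: sim.tokensMinted.length };
}

demo().then((r) => console.log(r));
```

Bounding the retry to one attempt matters: a client that re-authenticates on every 401 in a loop turns a revoked or mis-scoped credential into a stream of token requests against Account Manager, which is both a load problem and a noisy signal in the authorization server's logs.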


getAuthorizationHeader()

getAuthorizationHeader(): Promise<string>

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:239

Returns the Authorization header value for legacy clients.

Returns

Promise<string>

Implementation of

AuthStrategy.getAuthorizationHeader


getJWT()

getJWT(): Promise<DecodedJWT>

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:247

Gets the decoded JWT payload.

Returns

Promise<DecodedJWT>


getTokenResponse()

getTokenResponse(): Promise<AccessTokenResponse>

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:271

Gets the full token response including expiration and scopes. Useful for commands that need to display or return token metadata.

Returns

Promise<AccessTokenResponse>


invalidateToken()

invalidateToken(): void

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:286

Invalidates the cached access token, forcing re-authentication on next request.

Returns

void

Implementation of

AuthStrategy.invalidateToken


withAdditionalScopes()

withAdditionalScopes(additionalScopes): JwtOAuthStrategy

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:259

Creates a new JwtOAuthStrategy with additional scopes merged in. Used by clients that have specific scope requirements.

Parameters

additionalScopes

string[]

Scopes to add to this strategy's existing scopes

Returns

JwtOAuthStrategy

A new JwtOAuthStrategy instance with merged scopes

Released under the Apache-2.0 License.