
@salesforce/b2c-tooling-sdk / auth / JwtOAuthStrategy

Class: JwtOAuthStrategy

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:80

OAuth 2.0 JWT Bearer authentication strategy.

Implements RFC 7523 (JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants).

Key differences from client credentials flow:

  • Uses public/private key pair instead of client secret
  • Sends JWT as client_assertion in POST body (not Authorization header)
  • JWT is self-signed and short-lived (60 seconds)
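
The three differences above, shown from both sides of the exchange. This is an added example, not code from the SDK: the client builds a 60-second self-signed assertion and places it in the POST body, and an authorization server verifies it before accepting it. RS256, the claim layout (`iss`, `sub`, `aud`, `jti`), `grant_type=client_credentials`, the audience URL and all function names are assumptions, not taken from the SDK source.

```typescript
// Added example, not SDK code. RS256, the claim layout and AUDIENCE are assumptions.
import { createSign, createVerify, generateKeyPairSync, randomUUID } from 'node:crypto';

const enc = (obj: object): string => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part: string) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Client: self-signed assertion that expires 60 seconds after it is issued.
function buildClientAssertion(clientId: string, audience: string, keyPem: string, now: number): string {
  const claims = { iss: clientId, sub: clientId, aud: audience, iat: now, exp: now + 60, jti: randomUUID() };
  const signingInput = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  const sig = createSign('RSA-SHA256').update(signingInput).sign(keyPem);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Client: the assertion goes in the form-encoded POST body, not the Authorization header.
function buildTokenRequestBody(assertion: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
  });
}

// Server: checks applied before the assertion is accepted as client authentication.
function verifyClientAssertion(assertion: string, certPem: string, audience: string, now: number): string {
  const parts = assertion.split('.');
  if (parts.length !== 3) return 'malformed';
  const [h, p, s] = parts as [string, string, string];
  if (dec(h).alg !== 'RS256') return 'bad_alg'; // pin the algorithm; do not let the token choose
  const valid = createVerify('RSA-SHA256').update(`${h}.${p}`).verify(certPem, Buffer.from(s, 'base64url'));
  if (!valid) return 'bad_signature';
  const claims = dec(p);
  if (claims.aud !== audience) return 'wrong_audience';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'expired';
  return claims.iss === claims.sub ? 'ok' : 'issuer_mismatch';
}

// Constructed inputs: throwaway key pair and placeholder token endpoint.
const { privateKey, publicKey } = generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const AUDIENCE = 'https://account.example.com/oauth2/token';
const issuedAt = Math.floor(Date.now() / 1000);
const assertion = buildClientAssertion('my-client-id', AUDIENCE, privateKey, issuedAt);
console.log(buildTokenRequestBody(assertion).get('client_assertion_type'));
console.log(verifyClientAssertion(assertion, publicKey, AUDIENCE, issuedAt + 30));
console.log(verifyClientAssertion(assertion, publicKey, AUDIENCE, issuedAt + 61));
```
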

Example

```typescript
const strategy = new JwtOAuthStrategy({
  clientId: 'my-client-id',
  certPath: './cert.pem',
  keyPath: './key.pem',
  accountManagerHost: 'account.demandware.com',
});

const response = await strategy.fetch('https://api.example.com/data');
```

Implements

AuthStrategy

Constructors

Constructor

new JwtOAuthStrategy(config): JwtOAuthStrategy

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:87

Parameters

config

JwtOAuthConfig

Returns

JwtOAuthStrategy

Methods

fetch()

fetch(url, init): Promise<Response>

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:197

Performs a fetch request with JWT Bearer authentication. Automatically injects the Authorization header with a fresh access token, applies 401 retry logic, and adds the x-dw-client-id header.

Parameters

url

string

init

FetchInit = {}

Returns

Promise<Response>

Implementation of

AuthStrategy.fetch


getAuthorizationHeader()

getAuthorizationHeader(): Promise<string>

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:227

Returns the Authorization header value for legacy clients.

Returns

Promise<string>

Implementation of

AuthStrategy.getAuthorizationHeader


getJWT()

getJWT(): Promise<DecodedJWT>

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:235

Gets the decoded JWT payload.

Returns

Promise<DecodedJWT>


getTokenResponse()

getTokenResponse(): Promise<AccessTokenResponse>

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:259

Gets the full token response including expiration and scopes. Useful for commands that need to display or return token metadata.

Returns

Promise<AccessTokenResponse>


invalidateToken()

invalidateToken(): void

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:274

Invalidates the cached access token, forcing re-authentication on next request.

Returns

void

Implementation of

AuthStrategy.invalidateToken


withAdditionalScopes()

withAdditionalScopes(additionalScopes): JwtOAuthStrategy

Defined in: packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:247

Creates a new JwtOAuthStrategy with additional scopes merged in. Used by clients that have specific scope requirements.

Parameters

additionalScopes

string[]

Scopes to add to this strategy's existing scopes

Returns

JwtOAuthStrategy

A new JwtOAuthStrategy instance with merged scopes

Released under the Apache-2.0 License.