---
editLink: false
lastUpdated: false
---


# Class: JwtOAuthStrategy

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:80](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/5f9b348d598ad92ddf670da42e944b204395bdc8/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L80)

OAuth 2.0 JWT Bearer authentication strategy.

Implements RFC 7523 (JSON Web Token (JWT) Profile for OAuth 2.0 Client
Authentication and Authorization Grants).

Key differences from the client credentials flow:
- Uses a public/private key pair instead of a client secret
- Sends the JWT as `client_assertion` in the POST body (not in the Authorization header)
- The JWT is self-signed and short-lived (60 seconds)

## Example

```typescript
const strategy = new JwtOAuthStrategy({
  clientId: 'my-client-id',
  certPath: './cert.pem',
  keyPath: './key.pem',
  accountManagerHost: 'account.demandware.com',
});

const response = await strategy.fetch('https://api.example.com/data');
```
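
The class description above implies a particular shape on the wire. The following is an added example, not code from the SDK: it signs an RFC 7523 client assertion, builds the token request body, and runs the checks a receiver applies to it. RS256, the `jti` claim, the `client_credentials` grant type, the token endpoint URL and the in-memory key pair (standing in for `key.pem` / `cert.pem`) are assumptions.

```typescript
import { createSign, createVerify, generateKeyPairSync, randomUUID, KeyObject } from 'node:crypto';

const ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'; // RFC 7523, section 2.2
const LIFETIME_SECONDS = 60; // the short lifetime stated in the class description
const AUDIENCE = 'https://account.example.com/oauth2/token'; // constructed token endpoint URL

const enc = (value: object): string => Buffer.from(JSON.stringify(value)).toString('base64url');
const dec = (segment: string): any => JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));

// Client side: self-signed assertion. RS256 and the jti claim are assumptions.
function buildClientAssertion(clientId: string, privateKey: KeyObject, now: number): string {
  const claims = { iss: clientId, sub: clientId, aud: AUDIENCE, iat: now, exp: now + LIFETIME_SECONDS, jti: randomUUID() };
  const signingInput = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  const signature = createSign('RSA-SHA256').update(signingInput).sign(privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// The assertion travels in the POST body; there is no client secret and no Authorization header.
function buildTokenRequestBody(assertion: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: 'client_credentials', // assumed grant type
    client_assertion_type: ASSERTION_TYPE,
    client_assertion: assertion,
  });
}

// Receiving side: pin the algorithm, verify the signature, then validate the claims.
function checkAssertion(jwt: string, clientId: string, publicKey: KeyObject, now: number): string {
  const parts = jwt.split('.');
  if (parts.length !== 3) return 'malformed';
  try {
    if (dec(parts[0]).alg !== 'RS256') return 'unexpected alg'; // never let the header pick the algorithm
    const signed = createVerify('RSA-SHA256').update(`${parts[0]}.${parts[1]}`);
    if (!signed.verify(publicKey, Buffer.from(parts[2], 'base64url'))) return 'bad signature';
    const claims = dec(parts[1]);
    if (claims.iss !== clientId || claims.sub !== clientId) return 'wrong client';
    if (claims.aud !== AUDIENCE) return 'wrong audience';
    if (claims.exp - claims.iat > LIFETIME_SECONDS) return 'lifetime too long';
    if (now >= claims.exp) return 'expired';
    return 'ok';
  } catch {
    return 'malformed'; // undecodable header or payload
  }
}

// Constructed key pair; a real caller loads the private key from keyPath instead.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const demo = buildClientAssertion('my-client-id', privateKey, Math.floor(Date.now() / 1000));
console.log(checkAssertion(demo, 'my-client-id', publicKey, Math.floor(Date.now() / 1000)));
```

A captured assertion stops working once `exp` passes, so the private key file, not the assertion, is the credential to protect.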

## Implements

- [`AuthStrategy`](../interfaces/AuthStrategy.md)

## Constructors

### Constructor

> **new JwtOAuthStrategy**(`config`): `JwtOAuthStrategy`

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:87](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/5f9b348d598ad92ddf670da42e944b204395bdc8/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L87)

#### Parameters

##### config

[`JwtOAuthConfig`](../interfaces/JwtOAuthConfig.md)

#### Returns

`JwtOAuthStrategy`

## Methods

### fetch()

> **fetch**(`url`, `init`): `Promise`\<`Response`\>

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:197](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/5f9b348d598ad92ddf670da42e944b204395bdc8/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L197)

Performs a fetch request with JWT Bearer authentication.
Automatically injects the Authorization header with a fresh access token.
Includes 401 retry logic and the `x-dw-client-id` header.

#### Parameters

##### url

`string`

##### init

[`FetchInit`](../type-aliases/FetchInit.md) = `{}`

#### Returns

`Promise`\<`Response`\>

#### Implementation of

[`AuthStrategy`](../interfaces/AuthStrategy.md).[`fetch`](../interfaces/AuthStrategy.md#fetch)

***

### getAuthorizationHeader()

> **getAuthorizationHeader**(): `Promise`\<`string`\>

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:227](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/5f9b348d598ad92ddf670da42e944b204395bdc8/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L227)

Returns the Authorization header value for legacy clients.

#### Returns

`Promise`\<`string`\>

#### Implementation of

[`AuthStrategy`](../interfaces/AuthStrategy.md).[`getAuthorizationHeader`](../interfaces/AuthStrategy.md#getauthorizationheader)

***

### getJWT()

> **getJWT**(): `Promise`\<[`DecodedJWT`](../interfaces/DecodedJWT.md)\>

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:235](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/5f9b348d598ad92ddf670da42e944b204395bdc8/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L235)

Gets the decoded JWT payload.

#### Returns

`Promise`\<[`DecodedJWT`](../interfaces/DecodedJWT.md)\>

***

### getTokenResponse()

> **getTokenResponse**(): `Promise`\<[`AccessTokenResponse`](../interfaces/AccessTokenResponse.md)\>

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:259](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/5f9b348d598ad92ddf670da42e944b204395bdc8/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L259)

Gets the full token response including expiration and scopes.
Useful for commands that need to display or return token metadata.

#### Returns

`Promise`\<[`AccessTokenResponse`](../interfaces/AccessTokenResponse.md)\>

***

### invalidateToken()

> **invalidateToken**(): `void`

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:274](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/5f9b348d598ad92ddf670da42e944b204395bdc8/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L274)

Invalidates the cached access token, forcing re-authentication on next request.

#### Returns

`void`

#### Implementation of

[`AuthStrategy`](../interfaces/AuthStrategy.md).[`invalidateToken`](../interfaces/AuthStrategy.md#invalidatetoken)

***

### withAdditionalScopes()

> **withAdditionalScopes**(`additionalScopes`): `JwtOAuthStrategy`

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:247](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/5f9b348d598ad92ddf670da42e944b204395bdc8/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L247)

Creates a new JwtOAuthStrategy with additional scopes merged in.
Used by clients that have specific scope requirements.

#### Parameters

##### additionalScopes

`string`[]

Scopes to add to this strategy's existing scopes

#### Returns

`JwtOAuthStrategy`

A new JwtOAuthStrategy instance with merged scopes
