SLAS Commands
Commands for managing Shopper Login and API Security (SLAS) clients.
Global SLAS Flags
These flags are available on all SLAS commands:
| Flag | Environment Variable | Description |
|---|---|---|
--tenant-id | SFCC_TENANT_ID | (Required) SLAS tenant ID (organization ID) |
Authentication
SLAS commands work out of the box using the CLI's built-in public client, which authenticates via browser login (implicit flow). No API client configuration is required for interactive use.
For automation or CI/CD, you can provide your own API client credentials.
Required Roles
| Auth Method | Role | Configured On |
|---|---|---|
| Built-in client (default) | SLAS Organization Administrator | Your user account |
| User Authentication | SLAS Organization Administrator | Your user account |
| Client Credentials | Sandbox API User | The API client |
The role must have a tenant filter configured for the organization you wish to manage.
Configuration
bash
# No configuration needed — opens browser for login
b2c slas client list --tenant-id abcd_123
# Or provide your own client ID
b2c slas client list --tenant-id abcd_123 --client-id xxx
# Client Credentials (for automation)
export SFCC_CLIENT_ID=my-client
export SFCC_CLIENT_SECRET=my-secret
b2c slas client list --tenant-id abcd_123For complete setup instructions, see the Authentication Guide.
b2c slas token
Get a SLAS shopper access token for testing APIs.
Usage
bash
b2c slas token --tenant-id <TENANT_ID> --site-id <SITE_ID>Flags
| Flag | Environment Variable | Description | Required |
|---|---|---|---|
--tenant-id | SFCC_TENANT_ID | SLAS tenant ID (organization ID) | Yes |
--site-id | SFCC_SITE_ID | Site/channel ID | Yes* |
--slas-client-id | SFCC_SLAS_CLIENT_ID | SLAS client ID (auto-discovered if omitted) | No |
--slas-client-secret | SFCC_SLAS_CLIENT_SECRET | SLAS client secret (omit for public clients) | No |
--short-code | SFCC_SHORTCODE | SCAPI short code | Yes |
--redirect-uri | Redirect URI | No | |
--shopper-login | Registered customer login | No | |
--shopper-password | Registered customer password (prompted interactively if omitted) | No |
* --site-id can be auto-discovered from the SLAS client configuration when using auto-discovery.
Flows
The command automatically selects the appropriate authentication flow:
| Scenario | Flow |
|---|---|
No --slas-client-secret | Public client PKCE (authorization_code_pkce) |
With --slas-client-secret | Private client (client_credentials) |
With --shopper-login | Registered customer login |
No --slas-client-id | Auto-discovers first public client via SLAS Admin API |
Examples
bash
# Guest token with auto-discovery (finds first public SLAS client)
b2c slas token --tenant-id abcd_123 --site-id RefArch
# Guest token with explicit public client (PKCE flow)
b2c slas token --slas-client-id my-client \
--tenant-id abcd_123 --short-code kv7kzm78 --site-id RefArch
# Guest token with private client (client_credentials flow)
b2c slas token --slas-client-id my-client --slas-client-secret sk_xxx \
--tenant-id abcd_123 --short-code kv7kzm78 --site-id RefArch
# Registered customer token
b2c slas token --tenant-id abcd_123 --site-id RefArch \
--shopper-login user@example.com --shopper-password secret
# JSON output (includes refresh token, expiry, usid, etc.)
b2c slas token --tenant-id abcd_123 --site-id RefArch --json
# Use token in a subsequent API call
TOKEN=$(b2c slas token --tenant-id abcd_123 --site-id RefArch)
curl -H "Authorization: Bearer $TOKEN" \
"https://kv7kzm78.api.commercecloud.salesforce.com/..."Output
- Normal mode: prints the raw access token to stdout (pipeable)
- JSON mode (
--json): returns full token details:
json
{
"accessToken": "...",
"refreshToken": "...",
"expiresIn": 1800,
"tokenType": "Bearer",
"usid": "...",
"customerId": "...",
"clientId": "...",
"siteId": "RefArch",
"isGuest": true
}Configuration
These values can also be set in dw.json:
json
{
"tenant-id": "abcd_123",
"short-code": "kv7kzm78",
"slas-client-id": "my-public-client",
"site-id": "RefArch"
}b2c slas client list
List SLAS clients for a tenant.
Usage
bash
b2c slas client list --tenant-id <TENANT_ID>Flags
| Flag | Description | Required |
|---|---|---|
--tenant-id | SLAS tenant ID (organization ID) | Yes |
Examples
bash
# List all SLAS clients for a tenant
b2c slas client list --tenant-id abcd_123
# Output as JSON
b2c slas client list --tenant-id abcd_123 --json
# Using environment variables
export SFCC_TENANT_ID=abcd_123
b2c slas client listOutput
Displays a list of SLAS clients with:
- Client ID
- Name
- Type (public/private)
- Channels
b2c slas client create
Create a new SLAS client.
Usage
bash
b2c slas client create [CLIENTID] --tenant-id <TENANT_ID> --channels <CHANNELS> --redirect-uri <URI>Arguments
| Argument | Description | Required |
|---|---|---|
CLIENTID | SLAS client ID (generates UUID if omitted) | No |
Flags
| Flag | Description | Default |
|---|---|---|
--tenant-id | SLAS tenant ID (organization ID) | Required |
--channels | Site IDs/channels (comma-separated) | Required |
--redirect-uri | Redirect URIs (comma-separated) | Required |
--name | Display name for the client | Auto-generated |
--scopes | OAuth scopes for the client (comma-separated) | |
--default-scopes | Use default shopper scopes | false |
--callback-uri | Callback URIs for passwordless login | |
--secret | Client secret (generated if omitted) | Auto-generated |
--public | Create a public client (default is private) | false |
--[no-]create-tenant | Automatically create tenant if it doesn't exist | true |
Examples
bash
# Create a private client with specific scopes
b2c slas client create --tenant-id abcd_123 \
--channels RefArch \
--scopes sfcc.shopper-products,sfcc.shopper-search \
--redirect-uri http://localhost:3000/callback
# Create a named client with custom ID
b2c slas client create my-client-id --tenant-id abcd_123 \
--name "My Application" \
--channels RefArch \
--scopes sfcc.shopper-products \
--redirect-uri http://localhost:3000/callback
# Create a public client
b2c slas client create --tenant-id abcd_123 \
--channels RefArch \
--default-scopes \
--redirect-uri http://localhost:3000/callback \
--public
# Output as JSON (useful for capturing the generated secret)
b2c slas client create --tenant-id abcd_123 \
--channels RefArch \
--default-scopes \
--redirect-uri http://localhost:3000/callback \
--jsonNotes
- If
--secretis not provided for a private client, one will be generated - The generated secret is only shown once during creation
- Use
--default-scopesfor common shopper API access scopes - By default, the tenant is automatically created if it doesn't exist. Use
--no-create-tenantto disable this behavior if you prefer to manage tenants separately
b2c slas client get
Get details of a SLAS client.
Usage
bash
b2c slas client get <CLIENTID> --tenant-id <TENANT_ID>Arguments
| Argument | Description | Required |
|---|---|---|
CLIENTID | SLAS client ID to retrieve | Yes |
Examples
bash
# Get client details
b2c slas client get my-client-id --tenant-id abcd_123
# Output as JSON
b2c slas client get my-client-id --tenant-id abcd_123 --jsonOutput
Displays detailed information about the client including:
- Client ID and name
- Type (public/private)
- Channels
- Scopes
- Redirect URIs
- Callback URIs
b2c slas client update
Update an existing SLAS client.
Usage
bash
b2c slas client update <CLIENTID> --tenant-id <TENANT_ID> [FLAGS]Arguments
| Argument | Description | Required |
|---|---|---|
CLIENTID | SLAS client ID to update | Yes |
Flags
| Flag | Description |
|---|---|
--tenant-id | (Required) SLAS tenant ID |
--name | Update display name |
--secret | Rotate client secret |
--channels | Update channels (comma-separated) |
--scopes | Update scopes (comma-separated) |
--redirect-uri | Update redirect URIs (comma-separated) |
--callback-uri | Update callback URIs (comma-separated) |
--replace | Replace list values instead of appending |
Examples
bash
# Update client name
b2c slas client update my-client-id --tenant-id abcd_123 --name "New Name"
# Rotate client secret
b2c slas client update my-client-id --tenant-id abcd_123 --secret new-secret-value
# Add scopes (appends to existing)
b2c slas client update my-client-id --tenant-id abcd_123 --scopes sfcc.shopper-baskets
# Replace all scopes
b2c slas client update my-client-id --tenant-id abcd_123 \
--scopes sfcc.shopper-products,sfcc.shopper-baskets \
--replace
# Replace all channels
b2c slas client update my-client-id --tenant-id abcd_123 \
--channels RefArch,SiteGenesis \
--replaceNotes
- By default, list values (channels, scopes, URIs) are appended to existing values
- Use
--replaceto replace all values instead of appending - Secret rotation takes effect immediately
b2c slas client delete
Delete a SLAS client.
Usage
bash
b2c slas client delete <CLIENTID> --tenant-id <TENANT_ID>Arguments
| Argument | Description | Required |
|---|---|---|
CLIENTID | SLAS client ID to delete | Yes |
Examples
bash
# Delete a client
b2c slas client delete my-client-id --tenant-id abcd_123
# Output as JSON
b2c slas client delete my-client-id --tenant-id abcd_123 --jsonNotes
- Deletion is permanent and cannot be undone
- Active sessions using this client will be invalidated