Authentication Setup
This guide covers setting up authentication for the B2C CLI, including Account Manager API clients, OCAPI permissions, and WebDAV access.
Overview
The CLI uses different authentication mechanisms depending on the operation:
| Operation | Auth Method | Setup Required |
|---|---|---|
| Code deploy, watch (file upload) | WebDAV (Basic Auth or OAuth) | WebDAV Access |
| Code list, activate, delete | OAuth + OCAPI | API Client + OCAPI |
| Jobs, Sites | OAuth + OCAPI | API Client + OCAPI |
| SCAPI commands (schemas, custom-apis, eCDN) | OAuth + SCAPI scopes | API Client + SCAPI Scopes |
| SLAS client management | OAuth | API Client with appropriate roles |
| ODS management | OAuth | API Client with Sandbox API User role |
| MRT commands | MRT API Key | MRT API Key |
TIP
Each CLI command page documents its specific authentication requirements. See the CLI Reference for details.
Account Manager API Client
Most CLI operations require an Account Manager API Client. This is configured in the Salesforce Commerce Cloud Account Manager.
Authentication Methods
The CLI supports two authentication methods:
| Method | When Used | Role Configuration |
|---|---|---|
| User Authentication | When only --client-id is provided (no secret) | Roles configured on your user account |
| Client Credentials | When both --client-id and --client-secret are provided | Roles configured on the API client |
User Authentication opens a browser for interactive login and uses roles assigned to your user account. This is ideal for development and manual operations.
Client Credentials uses the API client's secret for non-interactive authentication. This is ideal for CI/CD pipelines and automation.
Creating an API Client
- Log in to Account Manager
- Navigate to API Client in the left menu
- Click Add API Client
- Fill in the required fields:
- Display Name: A descriptive name (e.g., "B2C CLI")
- Password: A strong client secret (save this securely for Client Credentials auth)
- Configure the Token Endpoint Auth Method:
client_secret_postfor client credentials flow
Assigning Roles
Roles grant permission to perform specific operations. Roles are configured differently depending on your authentication method.
Understanding Roles and Tenant Filters
Most roles require a tenant filter that specifies which tenants/realms the role applies to. This is configured alongside the role assignment.
| Role | Operations | Notes |
|---|---|---|
Salesforce Commerce API | SCAPI commands (eCDN, schemas, custom-apis) | API Clients only. Requires tenant filter. |
Sandbox API User | ODS management, SLAS client management | Requires tenant filter with realm/org IDs. |
SLAS Organization Administrator | SLAS client management (user auth only) | User accounts only. Requires tenant filter. |
For Client Credentials (roles on API Client)
Under the API Client's Roles section:
- Add roles needed for your operations
- For each role, configure the tenant filter with the tenant IDs (e.g.,
zzxy_prd) or realm IDs you need to access
Important: The Salesforce Commerce API role is currently only available for API Clients, not user accounts.
For User Authentication (roles on User)
In Account Manager, navigate to your user account and add roles. Note that some operations require Client Credentials authentication.
Configuring Scopes
Under Allowed Scopes, add the following scopes based on your needs:
| Scope | Purpose |
|---|---|
mail | Required for user info in authentication flows |
roles | Critical - returns role information in the token |
tenantFilter | Critical - returns tenant access information in the token |
openid | Required for OpenID Connect |
For SCAPI commands, also add the relevant API scopes:
| Scope | Commands | Reference |
|---|---|---|
sfcc.cdn-zones | eCDN read operations | eCDN Commands |
sfcc.cdn-zones.rw | eCDN write operations | eCDN Commands |
sfcc.scapi-schemas | SCAPI schema browsing | SCAPI Schemas |
sfcc.custom-apis | Custom API status | Custom APIs |
Note: Do NOT add SALESFORCE_COMMERCE_API as a scope. This is a role, not a scope.
See the individual CLI command pages for complete scope requirements.
Configuring Tenant Filter
For ODS, SLAS, and SCAPI operations, your API client's roles must have a tenant filter configured:
- In Account Manager, go to the API Client settings
- Under each role (e.g.,
Salesforce Commerce API,Sandbox API User), find the Tenant Filter - Add the tenant IDs (e.g.,
zzxy_prd) or organization IDs you need to access
The tenant filter restricts which tenants/realms the role applies to.
Default Scopes
Under Default Scopes, set scopes that are automatically requested. Recommended configuration:
mail roles tenantFilter openidThese scopes ensure proper authentication and authorization for CLI operations.
Redirect URLs
For User Authentication (implicit flow), configure redirect URLs in your API client:
| Redirect URL | Purpose |
|---|---|
http://localhost:8080 | Required for B2C CLI user authentication |
https://admin.dx.commercecloud.salesforce.com/oauth2-redirect.html | Optional - enables ODS Swagger interface with same client |
Note: Redirect URLs are not required for API clients using only Client Credentials authentication.
OCAPI Configuration
For operations that interact with B2C Commerce instances (code deployment, jobs, sites), you need to configure OCAPI permissions on each instance.
Configuring OCAPI in Business Manager
- Log in to Business Manager
- Navigate to Administration > Site Development > Open Commerce API Settings
- Select the Data API type
- Add a configuration for your client ID
Example OCAPI Configuration
{
"_v": "24.5",
"clients": [
{
"client_id": "your-client-id",
"resources": [
{
"resource_id": "/code_versions",
"methods": ["get"],
"read_attributes": "(**)",
"write_attributes": "(**)"
},
{
"resource_id": "/code_versions/*",
"methods": ["get", "put", "patch", "delete"],
"read_attributes": "(**)",
"write_attributes": "(**)"
},
{
"resource_id": "/jobs/*/executions",
"methods": ["post"],
"read_attributes": "(**)",
"write_attributes": "(**)"
},
{
"resource_id": "/jobs/*/executions/*",
"methods": ["get"],
"read_attributes": "(**)",
"write_attributes": "(**)"
},
{
"resource_id": "/job_execution_search",
"methods": ["post"],
"read_attributes": "(**)",
"write_attributes": "(**)"
},
{
"resource_id": "/sites",
"methods": ["get"],
"read_attributes": "(**)",
"write_attributes": "(**)"
},
{
"resource_id": "/sites/*",
"methods": ["get"],
"read_attributes": "(**)",
"write_attributes": "(**)"
}
]
}
]
}Minimal Configuration by Feature
Code management only:
{
"resource_id": "/code_versions",
"methods": ["get"]
},
{
"resource_id": "/code_versions/*",
"methods": ["get", "put", "patch", "delete"]
}Job execution only:
{
"resource_id": "/jobs/*/executions",
"methods": ["post"]
},
{
"resource_id": "/jobs/*/executions/*",
"methods": ["get"]
},
{
"resource_id": "/job_execution_search",
"methods": ["post"]
}Site listing only:
{
"resource_id": "/sites",
"methods": ["get"]
},
{
"resource_id": "/sites/*",
"methods": ["get"]
}SCAPI Authentication
SCAPI commands (eCDN, SCAPI schemas, custom APIs) require OAuth authentication with specific roles and scopes.
Required Setup
- Role: Assign the
Salesforce Commerce APIrole to your API client with appropriate tenant filter - Scopes: Add required SCAPI scopes to your API client's Allowed Scopes
Scopes by Command
| Command | Required Scope | Reference |
|---|---|---|
b2c scapi schemas list/get | sfcc.scapi-schemas | SCAPI Schemas |
b2c scapi custom status | sfcc.custom-apis | Custom APIs |
b2c ecdn (read operations) | sfcc.cdn-zones | eCDN |
b2c ecdn (write operations) | sfcc.cdn-zones.rw | eCDN |
The CLI automatically requests these scopes. Your API client must have them in the Allowed Scopes list.
TIP
For detailed authentication requirements including specific scopes for each command, see the individual CLI command reference pages.
Configuration
# Set credentials
export SFCC_CLIENT_ID=my-client
export SFCC_CLIENT_SECRET=my-secret
export SFCC_TENANT_ID=zzxy_prd
export SFCC_SHORTCODE=kv7kzm78
# Example: List SCAPI schemas
b2c scapi schemas listWebDAV Access
WebDAV is required for file upload operations (code deploy, code watch, webdav commands).
Option A: Basic Authentication (Recommended)
Use your Business Manager username and a WebDAV access key. This provides better performance for file operations.
- In Business Manager, go to Administration > Organization > Users
- Select your user
- Generate or view your WebDAV Access Key
See Configure WebDAV File Access for detailed instructions.
export SFCC_USERNAME=your-bm-username
export SFCC_PASSWORD=your-webdav-access-keyOption B: OAuth-based WebDAV
If you prefer to use OAuth credentials for WebDAV (instead of basic auth), you must configure WebDAV Client Permissions:
- Log in to Business Manager
- Navigate to Administration > Organization > WebDAV Client Permissions
- Add a JSON configuration for your API client ID:
{
"clients": [
{
"client_id": "your-client-id",
"permissions": [
{ "path": "/cartridges", "operations": ["read_write"] },
{ "path": "/impex", "operations": ["read_write"] },
{ "path": "/logs", "operations": ["read_write"] }
]
}
]
}Common paths for CLI operations:
| Path | Operations |
|---|---|
/cartridges | Code deployment |
/impex | Site import/export |
/logs | Log file access |
/catalogs/<catalog-id> | Catalog file access |
/libraries/<library-id> | Content library access |
Note: This configuration is only needed when using OAuth for WebDAV. It is not required when using basic authentication with username/access key.
Managed Runtime API Key
MRT commands use a separate API key system.
Getting an MRT API Key
- Log in to the Managed Runtime dashboard
- Navigate to Account Settings > API Keys
- Click Create API Key
- Copy and save the key securely (it's only shown once)
Configuring the API Key
# Environment variable
export SFCC_MRT_API_KEY=your-mrt-api-key
# Or in ~/.mobify config file
echo '{"api_key": "your-mrt-api-key"}' > ~/.mobifyQuick Start Example
Here's a complete example for setting up CLI access:
1. Create API Client in Account Manager
- Log in to Account Manager
- Navigate to API Client > Add API Client
- Configure:
- Display Name:
B2C CLI - Password: Generate a strong secret (save securely)
- Roles:
Salesforce Commerce API- add tenant filter with your tenant IDsSandbox API User- if using ODS (add tenant filter)
- Allowed Scopes:
mail roles tenantFilter openid sfcc.cdn-zones - Default Scopes:
mail roles tenantFilter openid - Redirect URLs:
http://localhost:8080(for user authentication)
- Display Name:
2. Configure OCAPI (for code list/activate/delete, jobs, sites)
Add the JSON configuration shown in OCAPI Configuration to enable code version and job APIs.
3. Configure WebDAV Access (for code deploy/watch, webdav commands)
Either:
- Use your BM username + WebDAV access key (recommended), or
- Configure WebDAV Client Permissions for OAuth
4. Set Environment Variables
# OAuth credentials
export SFCC_CLIENT_ID=your-client-id
export SFCC_CLIENT_SECRET=your-client-secret
# Instance (for OCAPI commands)
export SFCC_SERVER=your-instance.demandware.net
# SCAPI (for eCDN, schemas, custom-apis)
export SFCC_TENANT_ID=zzxy_prd
export SFCC_SHORTCODE=kv7kzm78
# WebDAV (if using BM credentials)
export SFCC_USERNAME=your-bm-username
export SFCC_PASSWORD=your-webdav-access-key5. Test the Configuration
# Test OAuth + OCAPI
b2c code list
# Test WebDAV
b2c webdav ls --root=cartridges
# Test SCAPI
b2c scapi schemas listTroubleshooting
"Unauthorized" errors
- Verify your client ID and secret are correct
- Check that OCAPI is configured for your client ID
- Ensure the API client has the required roles
"Forbidden" on WebDAV operations
- Check WebDAV Client Permissions in Business Manager
- Verify your WebDAV access key is correct
- Ensure the folder you're accessing is permitted
"Invalid scope" errors
- Add the required scopes to your API client's Allowed Scopes
- For SCAPI commands, ensure the relevant
sfcc.*scopes are in Allowed Scopes - Verify Default Scopes includes
mail roles tenantFilter openid
Next Steps
- Configuration - Learn about CLI configuration options
- CLI Reference - Browse available commands