This follows the authorization code grant flow as defined by the OAuth 2.1 standard, using Proof Key for Code Exchange (PKCE).
For the PKCE values:
code_verifier is a high-entropy random string that the client keeps and sends later, in the /token request.
code_challenge is derived from code_verifier as the Base64url encoding of its SHA-256 hash (the S256 method). Only the challenge is sent to /login, so an authorization code intercepted on the redirect cannot be exchanged without the verifier.
The request must include a basic authorization header that contains a Base64-encoded version of the string <shopperUserID>:<shopperPassword>. Base64 is an encoding, not encryption: this header carries the shopper's password, so send it only over TLS and keep it out of logs.
Required parameters: code_challenge, channel_id, client_id, and redirect_uri.
Optional parameters: usid.
The SLAS /login endpoint redirects back to the redirect URI and returns an authorization code.
Calls to /login made with the same loginId and tenantId within 1 second result in a conflict response.
If you would like to get a raw Response object, use the other authenticateCustomer function.
options (optional): an object containing the options for this method.
Returns a promise of type void.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type void.
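The PKCE values and the Basic authorization header described for /login, as an added example; this is not code from the SDK or from this page. It assumes Node.js and the parameter names this page lists (code_challenge, channel_id, client_id, redirect_uri, usid). The S256 derivation and the 43-character minimum verifier length come from RFC 7636, not from this page, and the RFC's own test vector is used to check the derivation. The form encoding of the /login parameters and the verifyPkce function (what the /token side has to do with the verifier) are illustrative assumptions, not the SLAS implementation.

```typescript
import { createHash, randomBytes, timingSafeEqual } from 'crypto';

// Base64url without padding, the encoding RFC 7636 requires for both PKCE values.
function base64url(buf: Buffer): string {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// code_verifier: 32 random bytes become 43 base64url characters, the minimum length RFC 7636 allows.
export function generateCodeVerifier(): string {
  return base64url(randomBytes(32));
}

// code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))), the S256 method.
export function codeChallengeFromVerifier(codeVerifier: string): string {
  return base64url(createHash('sha256').update(codeVerifier, 'ascii').digest());
}

// What the /token side has to do with the code_verifier (illustrative, not the SLAS implementation):
// recompute the challenge and compare it with the one stored from /login, in constant time.
export function verifyPkce(storedChallenge: string, presentedVerifier: string): boolean {
  const recomputed = Buffer.from(codeChallengeFromVerifier(presentedVerifier));
  const stored = Buffer.from(storedChallenge);
  return recomputed.length === stored.length && timingSafeEqual(recomputed, stored);
}

// Basic authorization header: Base64 of "<user>:<secret>". Serves both the shopper header on /login
// (<shopperUserID>:<shopperPassword>) and the private-client header (clientId:secret) used elsewhere
// on this page. Base64 is reversible, so whoever sees this header sees the secret.
export function basicAuthHeader(user: string, secret: string): string {
  if (user.includes(':')) throw new Error('user part must not contain ":"');
  return 'Basic ' + Buffer.from(`${user}:${secret}`, 'utf8').toString('base64');
}

// The /login parameters named on this page, encoded as application/x-www-form-urlencoded
// (assumption: that is how the request body is encoded).
export function loginParams(p: {
  clientId: string; channelId: string; redirectUri: string; codeChallenge: string; usid?: string;
}): string {
  const q = new URLSearchParams({
    client_id: p.clientId,
    channel_id: p.channelId,
    redirect_uri: p.redirectUri,
    code_challenge: p.codeChallenge,
  });
  if (p.usid) q.set('usid', p.usid);
  return q.toString();
}

// Client flow: keep the verifier in the session (server side for a private client), send only the
// challenge to /login, and send the verifier to /token after the redirect carrying the code.
export function startLogin(clientId: string, channelId: string, redirectUri: string) {
  const codeVerifier = generateCodeVerifier();
  const codeChallenge = codeChallengeFromVerifier(codeVerifier);
  return { codeVerifier, body: loginParams({ clientId, channelId, redirectUri, codeChallenge }) };
}
```

Store the verifier with the same lifetime as the pending login and discard it after the /token call; a verifier that survives the exchange is of no use to the client and only widens the window for theft.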
This is the first step of the OAuth 2.1 authorization code flow, in which a user can log in via federation to the IDP configured for the client. After successfully logging in, the user gets an authorization code via a redirect URI.
You can call this endpoint from the front channel (the browser).
If you would like to get a raw Response object, use the other authorizeCustomer function.
options (optional): an object containing the options for this method.
Returns a promise of type void.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type void.
This endpoint allows customers to authenticate when their configured identity provider is inaccessible. It provides an alternative authentication path through passwordless login methods like email or SMS verification.
If you would like to get a raw Response object, use the other authorizePasswordlessCustomer function.
options (optional): an object containing the options for this method.
Returns a promise of type string.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type string.
This is the second step of the OAuth 2.1 authorization code flow.
For a private client, an application gets an access token for the shopper through the back channel (a trusted server) by passing in the client credentials and the authorization code retrieved from the authorize endpoint.
For a guest user, this is where a client application gets the shopper JWT access token and a refresh token through the back channel (a trusted server) by passing in the client credentials.
For a public client using PKCE, the application passes the PKCE code_verifier that matches the code_challenge used to authorize the customer, along with the authorization code.
When refreshing the access token with a private client ID and client secret, the refresh token is not regenerated. When refreshing with a public client ID, the refresh token is always regenerated: the old refresh token is voided with every refresh call, so the client must replace its stored refresh token with the new one after each refresh. A client that keeps the old token after a successful refresh is rejected on its next refresh.
See the Body section for required parameters, including grant_type and the parameters that depend on the value of grant_type.
Important: As of July 31, 2024, SLAS requires the channel_id query parameter in token requests.
If you would like to get a raw Response object, use the other getAccessToken function.
options (optional): an object containing the options for this method.
Returns a promise of type TokenResponse.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type TokenResponse.
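The refresh-token rule above is the part of this endpoint clients most often get wrong, so here is an added example with both sides of the exchange; it is not the SDK's code nor the SLAS service. MockTokenEndpoint is an in-memory stand-in for the refresh_token grant of /token that applies only the rules stated on this page (public client: rotated token, old one voided; private client with Basic credentials: same token; channel_id required). ShopperSession is a client that replaces its stored refresh token after every refresh. The channel ID RefArch, the private client credentials, the error strings and the token format are constructed for the example; grant_type and refresh_token are the standard OAuth 2.1 parameter names, and channel_id is passed here in the same parameter set although it is a query parameter in the real request.

```typescript
import { randomBytes, timingSafeEqual } from 'crypto';

export interface TokenResponse { access_token: string; refresh_token: string; expires_in: number }
export interface TokenError { error: string }

const newToken = (): string => randomBytes(24).toString('hex');

// Basic header for a private client: Base64 of "clientId:secret".
export function basicHeader(clientId: string, secret: string): string {
  return 'Basic ' + Buffer.from(`${clientId}:${secret}`, 'utf8').toString('base64');
}

// In-memory stand-in for the refresh_token grant of /token. Constructed for this example, not the
// SLAS service; it implements only the rotation rules stated on this page.
export class MockTokenEndpoint {
  private liveRefreshTokens = new Set<string>();
  constructor(private readonly privateClientId: string, private readonly privateClientSecret: string) {}

  // Initial issuance (the authorization_code or client_credentials step; those details are left out).
  issue(): TokenResponse {
    const refreshToken = newToken();
    this.liveRefreshTokens.add(refreshToken);
    return { access_token: newToken(), refresh_token: refreshToken, expires_in: 1800 };
  }

  refresh(params: URLSearchParams, authorization?: string): TokenResponse | TokenError {
    if (!params.get('channel_id')) return { error: 'invalid_request' };            // channel_id is required
    if (params.get('grant_type') !== 'refresh_token') return { error: 'unsupported_grant_type' };
    const isPrivateClient = authorization !== undefined;
    if (isPrivateClient) {
      // Authenticate the client before looking at the token, with a constant-time compare.
      const expected = Buffer.from(basicHeader(this.privateClientId, this.privateClientSecret));
      const given = Buffer.from(authorization as string);
      if (given.length !== expected.length || !timingSafeEqual(given, expected)) return { error: 'invalid_client' };
    }
    const presented = params.get('refresh_token') ?? '';
    if (!this.liveRefreshTokens.has(presented)) return { error: 'invalid_grant' };  // unknown or already voided
    if (isPrivateClient) {
      // Private client ID and secret: the refresh token is not regenerated.
      return { access_token: newToken(), refresh_token: presented, expires_in: 1800 };
    }
    // Public client: rotate. The presented token is voided by this very call.
    this.liveRefreshTokens.delete(presented);
    const rotated = newToken();
    this.liveRefreshTokens.add(rotated);
    return { access_token: newToken(), refresh_token: rotated, expires_in: 1800 };
  }
}

// Client-side session that handles rotation correctly: after every successful refresh it stores
// whatever refresh token came back, so it never replays one the server has already voided.
export class ShopperSession {
  accessToken: string;
  refreshToken: string;
  constructor(
    private readonly endpoint: MockTokenEndpoint,
    private readonly channelId: string,
    private readonly clientAuthorization?: string,   // Basic header for a private client; omitted for a public client
  ) {
    const first = endpoint.issue();
    this.accessToken = first.access_token;
    this.refreshToken = first.refresh_token;
  }

  refresh(): boolean {
    const params = new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: this.refreshToken,
      channel_id: this.channelId,
    });
    const res = this.endpoint.refresh(params, this.clientAuthorization);
    if ('error' in res) return false;
    this.accessToken = res.access_token;
    this.refreshToken = res.refresh_token;   // replace unconditionally; the old one may now be void
    return true;
  }
}
```

In a real client the store write has to complete before the old token is discarded from memory and, if several tabs or workers share one session, the refresh must be serialized: two concurrent refreshes with the same public-client refresh token can only have one winner.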
The /jwks endpoint provides a JSON Web Key Set (JWKS) that includes current, past, and future public keys. These keys allow clients to validate the Shopper JSON Web Token (JWT) issued by SLAS, ensuring that the token has not been tampered with. Every SLAS JWT passed into SLAS, SCAPI, or OCAPI is always validated and is rejected if the signature does not verify.
To protect performance, the /jwks endpoint is limited to 25 calls per minute, so cache the JWKS keys and refresh them only when necessary instead of requesting them frequently. Fetching the JWKS once per day is typically enough. Because the set already contains the future keys, a scheduled refresh covers key rotation; a token signed with a key that is not in the cache should trigger at most one extra fetch, never one fetch per request.
For additional information on using JWKS, see https://developer.salesforce.com/docs/commerce/commerce-api/guide/slas-validate-jwt-with-jwks.html.
If you would like to get a raw Response object, use the other getJwksUri function.
options (optional): an object containing the options for this method.
Returns a promise of type object.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type object.
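An added example of the caching and validation the /jwks description asks for; it is not the SDK's code nor the linked guide's. It assumes Node.js, a JWKS in the standard {keys:[...]} shape, and tokens signed with RS256 whose header carries the kid of the signing key (confirm the algorithm against what the discovery endpoint described further down advertises). The issuer name, kid values and RSA keypair are constructed inside the block so it runs offline; in production fetchJwks fetches the /jwks endpoint and the keys come from there.

```typescript
import { createPublicKey, createSign, createVerify, generateKeyPairSync, JsonWebKey, KeyObject } from 'crypto';

type Jwk = JsonWebKey & { kid: string };
interface Jwks { keys: Jwk[] }

const b64url = (data: Buffer | string): string =>
  Buffer.from(data).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s: string): Buffer => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

// Key-set cache. An unknown kid triggers a refetch, but never more than once per minIntervalMs,
// so a burst of tokens with bogus kids cannot push the client over the 25 calls/minute limit.
export class JwksCache {
  private keys = new Map<string, KeyObject>();
  private lastFetchMs = -Infinity;
  constructor(
    private readonly fetchJwks: () => Jwks,       // in production: GET the /jwks endpoint
    private readonly minIntervalMs: number,
    private readonly nowMs: () => number = Date.now,
  ) {}

  private load(): void {
    this.lastFetchMs = this.nowMs();
    this.keys.clear();
    for (const k of this.fetchJwks().keys) {
      if (k.kty === 'RSA') this.keys.set(k.kid, createPublicKey({ key: k, format: 'jwk' }));
    }
  }

  get(kid: string): KeyObject | undefined {
    if (this.lastFetchMs === -Infinity) this.load();
    if (!this.keys.has(kid) && this.nowMs() - this.lastFetchMs >= this.minIntervalMs) this.load();
    return this.keys.get(kid);
  }
}

// Verify a shopper JWT: accept only RS256, select the key by kid, check the signature over
// header.payload, then check issuer and expiry. Returns the claims or null, nothing in between.
export function verifyShopperJwt(
  token: string, cache: JwksCache, expectedIssuer: string, nowSec: number,
): Record<string, unknown> | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const parseSegment = (s: string): Record<string, unknown> | null => {
    try { return JSON.parse(fromB64url(s).toString('utf8')); } catch { return null; }
  };
  const header = parseSegment(parts[0]);
  const claims = parseSegment(parts[1]);
  if (!header || !claims) return null;
  if (header.alg !== 'RS256' || typeof header.kid !== 'string') return null;   // pin the algorithm; never trust "alg" from the token
  const key = cache.get(header.kid);
  if (!key) return null;
  const valid = createVerify('RSA-SHA256').update(`${parts[0]}.${parts[1]}`).verify(key, fromB64url(parts[2]));
  if (!valid) return null;
  if (claims.iss !== expectedIssuer) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
  return claims;
}

// Stand-in for SLAS as an issuer: a fresh RSA keypair, the JWKS that would be published for it, and
// a signer producing RS256 tokens with the kid in the header. Constructed for the example.
export function makeIssuer(kid: string) {
  const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwk = publicKey.export({ format: 'jwk' });
  const jwks: Jwks = { keys: [{ ...jwk, kid, alg: 'RS256', use: 'sig' }] };
  const sign = (claims: Record<string, unknown>): string => {
    const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
    const body = b64url(JSON.stringify(claims));
    const sig = createSign('RSA-SHA256').update(`${head}.${body}`).sign(privateKey);
    return `${head}.${body}.${b64url(sig)}`;
  };
  return { jwks, sign };
}
```

The order matters: the signature is checked before any claim is read for a decision, and the algorithm is fixed by the verifier rather than taken from the token header, which closes the classic "alg: none" and key-confusion mistakes.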
This endpoint issues a shopper JWT access token using a passwordless login token. It enables authentication flows where traditional username/password combinations are not required, supporting alternative authentication methods.
If you would like to get a raw Response object, use the other getPasswordLessAccessToken function.
options (optional): an object containing the options for this method.
Returns a promise of type TokenResponse.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type TokenResponse.
This endpoint initiates the password reset process for a customer by requesting a password reset token. The token is delivered through the configured delivery mode (email, SMS, etc.) and can be used with the password/action endpoint to set a new password.
If you would like to get a raw Response object, use the other getPasswordResetToken function.
options (optional): an object containing the options for this method.
Returns a promise of type void.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type void.
For public client ID requests, you must set grant_type to session_bridge.
For a private client_id and secret, you must set grant_type to client_credentials along with a basic authorization header.
DEPRECATED: As of January 31, 2024, SLAS no longer supports the SESB dwsid parameter for guest users in session-bridge/token calls. We recommend transitioning to a SESB dwsgst token.
The dwsid is still needed for registered user session-bridge/token calls.
NOTE: The registered customer JSON Web Token (JWT) is available in B2C Commerce versions 25.4 and later.
If you would like to get a raw Response object, use the other getSessionBridgeAccessToken function.
options (optional): an object containing the options for this method.
Returns a promise of type TokenResponse.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type TokenResponse.
If using a SLAS private client ID, you must also send an _sfdc_client_auth header.
The value of the _sfdc_client_auth header must be a Base64-encoded string composed of the SLAS private client ID and client secret, separated by a colon (:). For example, privateClientId:privateClientsecret becomes cHJpdmF0ZUNsaWVudElkOnByaXZhdGVDbGllbnRzZWNyZXQ= after Base64 encoding. Because Base64 is reversible, this header value is the client secret: build and send it only from the back channel, never from browser code.
If you would like to get a raw Response object, use the other getTrustedAgentAccessToken function.
options (optional): an object containing the options for this method.
Returns a promise of type TokenResponse.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type TokenResponse.
This endpoint enables trusted agents (such as customer service representatives or merchants) to obtain authorization tokens that allow them to act on behalf of registered customers. This facilitates customer support scenarios where agents need secure access to customer accounts.
If you would like to get a raw Response object, use the other getTrustedAgentAuthorizationToken function.
options (optional): an object containing the options for this method.
Returns a promise of type void.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type void.
The SLAS client must have the sfcc.ts_ext_on_behalf_of scope to access this endpoint.
For trusted-system requests, you can use a basic authorization header that includes a SLAS private client ID and SLAS private client secret instead of the bearer token.
For trusted-system requests, you cannot use SLAS public client_ids.
If you would like to get a raw Response object, use the other getTrustedSystemAccessToken function.
options (optional): an object containing the options for this method.
Returns a promise of type TokenResponse.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type TokenResponse.
This endpoint returns identity information about the authenticated user in the form of OpenID Connect claims. It requires a valid access token and returns information such as user ID, name, email, and other identity attributes based on the scopes granted during authentication.
If you would like to get a raw Response object, use the other getUserInfo function.
options (optional): an object containing the options for this method.
Returns a promise of type string.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type string.
This endpoint provides OpenID Connect discovery information in a standardized format. It allows clients to programmatically discover SLAS capabilities, including available endpoints, supported authentication flows, token signing algorithms, and other configuration details. This information helps clients integrate with the authentication service with minimal manual configuration.
If you would like to get a raw Response object, use the other getWellknownOpenidConfiguration function.
options (optional): an object containing the options for this method.
Returns a promise of type string.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type string.
A basic auth header with Base64-encoded clientId:secret is required in the Authorization header, as well as an access token or refresh token. Use token_type_hint to help identify the token.
If you would like to get a raw Response object, use the other introspectToken function.
options (optional): an object containing the options for this method.
Returns a promise of type TokenActionRequest.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type TokenActionRequest.
The shopper's access token and refresh token are revoked. If the shopper authenticated with a B2C Commerce instance, the OCAPI JWT is also revoked. Call this endpoint for registered users that have logged in using SLAS. Do not use this endpoint for guest users.
Required header: Authorization header with the bearer token of the Shopper access token to log out.
Required parameters: refresh token, channel_id, and client.
If you would like to get a raw Response object, use the other logoutCustomer function.
options (optional): an object containing the options for this method.
Returns a promise of type TokenResponse.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type TokenResponse.
This endpoint allows a customer to set a new password using a valid password reset token. The customer must provide the token received from the password/reset endpoint along with the desired new password.
If you would like to get a raw Response object, use the other resetPassword function.
options (optional): an object containing the options for this method.
Returns a promise of type void.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type void.
A basic auth header with Base64-encoded clientId:secret is required in the Authorization header, and the refresh token to be revoked is required in the body.
If you would like to get a raw Response object, use the other revokeToken function.
options (optional): an object containing the options for this method.
Returns a promise of type TokenActionRequest.
options (optional): an object containing the options for this method.
rawResponse (optional): set to true to return the entire Response object instead of the DTO.
Returns a promise of type Response if rawResponse is true, otherwise a promise of type TokenActionRequest.
Shopper Login
# API Overview
The Shopper Login and API Access Service (SLAS) enables secure access to Commerce Cloud’s Shopper APIs for a wide range of headless commerce applications.
Important: Before using this API, see Authorization for Shopper APIs in the Get Started guides and the more detailed SLAS guides for instructions on setting up a SLAS client, obtaining credentials, and for flow and use case information.
For load shedding and rate limiting information, see Load Shedding and Rate Limiting.
Simple example:
API Version: 0.0.33
Last Updated: