Newer Version Available
Headless Login JavaScript Examples
Use these high-level examples to understand how to implement headless login for a
single-page app.
Authorization Request
The Authorization Code and Credentials Flow enables users to log in with a username and password. A core concept of this flow is making an authorization request to Headless Login API. This client-side JavaScript example shows you how to send an authorization request.
1// Make a POST Request to Authorize
2 client = new XMLHttpRequest();
3 client.open("POST", expDomain + authorizationURI, true);
4 client.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
5
6 //Headers for the Username and Password Code and Cred Flow
7 client.setRequestHeader("Auth-Request-Type", "Named-User");
8 client.setRequestHeader("Authorization", "Basic " + btoa(username + ':' + password));
9
10 //Request Body
11 requestBody = "response_type=code_credentials&client_id=" + clientId + "&redirect_uri=" + callbackURL;
12
13 // Add State
14 if (state != null) {
15 requestBody = requestBody + '&state=' + storeState(state);
16 }
17
18 // Add Scopes
19 if (scopes != null) {
20 requestBody = requestBody + '&scope=' + scopes;
21 }
22
23 // PKCE Enabled
24 requestBody = requestBody + "&code_challenge=" + generateCodeChallenge();
25
26 // Send the Authorization Request
27 client.send(requestBody);
28
29 // Handle the Authorization Response
30 client.onreadystatechange = function() {
31 if(this.readyState == 4) {
32 if (this.status == 200) {
33 //Auth Code has been returned, perform token exchange
34 tokenExchange(JSON.parse(client.response), null, authorizeType, uniqueVisitorId);
35 } else {
36 onError("An Error Occured during Authorize", client.response);
37 }
38 }
39 }Token Exchange
After receiving the authorization request, Salesforce validates the username and password and returns an authorization code. The app then calls the token endpoint to exchange the code for an access token. This client-side JavaScript example shows the token exchange.
1function tokenExchange(response, codeChallenge, authorizeType, uniqueVisitorId) {
2 // Get Values from Code Response
3 code = response.code;
4 stateIdentifier = response.state;
5 baseURL = response.sfdc_community_url;
6
7 state = null;
8 // validate state if it was present
9 if (stateIdentifier != null) {
10 state = getState(stateIdentifier, true);
11 if (state == null) {
12 onError("A state param was sent back but no state was found");
13 return;
14 }
15 }
16
17 // Create Client
18 client = new XMLHttpRequest();
19 client.open("POST", expDomain + tokenURI, true);
20 client.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
21
22 // Build Request Body
23 requestBody = "code=" + code + "&grant_type=authorization_code&client_id=" + _this.clientId + "&redirect_uri=" + _this.callbackURL;
24
25 // Add PKCE
26 requestBody = requestBody + "&code_verifier=" + generateCodeVerifier();
27
28 // Send Request
29 client.send(requestBody);
30 client.onreadystatechange = function() {
31 if(this.readyState == 4) {
32 if (this.status == 200) {
33 //Access Tokens have been returned
34 console.log("Code and Credntial Flow, token response: ");
35 console.log(JSON.parse(client.response));
36 } else {
37 onError("An error occured during token exchange for " + authorizeType, client.response)
38 }
39 }
40 }
41}The result is an access token that you can use to request user information and establish the user’s session.