Newer Version Available
Headless Login: Send an Authorization Request
To configure headless login, set up the Authorization Code and Credentials Flow. This
Postman example walks you through the Authorization Code and Credentials Flow with a single-page
app.
| Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience |
| Available in: Enterprise, Unlimited, and Developer Editions |
-
From the Headless Identity API Demo folder in Postman, select Username Password
Login - Authorize.
Note the location of the POST request. It’s the /services/oauth2/authorize endpoint on your Experience Cloud site.
-
To see the headers, click Headers. The authorization POST request
includes these headers and values.
- An Auth-Request-Type header set to Named-User
- An Authorization header with the value Basic <username:password>, which contains the Base64-encoded username and password value
-
Update the Authorization header.
- In a text editor, paste the username that you registered during headless registration.
- After the username, enter a colon, and then paste the password that you registered, such as username:password.
- Base64-encode the resulting value. For example, if you Base64-encode the string username:password, you get dXNlcm5hbWU6cGFzc3dvcmQ=.
- In Postman, paste this value into the Authorization header to replace <username:password>.
-
To see the request body, click Body. The authorization request for
registration includes these parameters.
- response_type—The type of response you want to receive. For this example, it’s set to code_credentials.
- client_id—The external client app consumer key
- redirect_uri—The external client app callback URL, which points to the OAuth 2.0 echo endpoint on your Experience Cloud site
-
To send the request to Headless Login API, click Send.
Salesforce validates the user credentials and returns a 302 redirect to a preconfigured URL containing the authorization code. Salesforce then automatically sends the redirect response to the redirect URL. The echo endpoint extracts the code and other parameters from the 302 redirect and returns them to your app in JSON format. Here’s an example response in Postman.
1{ 2 "code": "aPrxCdr***************", 3 "sfdc_community_url": "https://MyExperienceCloudSite.my.site.com", 4 "sfdc_community_id": "0DBXXXXXXXXXXXXXXXX" 5}