Create an OAuth-Enabled Connected App
Create your connected app for headless identity, add the required scopes, and enable the Authorization Code and Credentials flow at the app level.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
- From Setup, in the Quick Find box, enter App, and then select App Manager.
- Click New Connected App.
- Enter a name for your connected app, such as Headless Demo App.
The API Name autofills based on the name that you enter.
- For Contact Email, enter your email address.
- Under API (Enable OAuth Settings), select Enable OAuth Settings.
- For Callback URL, enter https://MyExperienceCloudSite.my.site.com/services/oauth2/echo, where https://MyExperienceCloudSite.my.site.com is your Experience Cloud site domain.
This URL points to the Salesforce OAuth 2.0 echo endpoint on your Experience Cloud site. The echo endpoint handles the code extraction step for headless login and headless registration, which saves you the work of writing and hosting your own code extraction endpoint. It returns the authorization code and other parameters from the 302 redirect as a JSON object that you can easily parse.
- Add the Manage user data via APIs (api) and Access unique user identifiers (openid) scopes to Selected OAuth scopes.
- Deselect the Require Secret for Web Server Flow and Require Secret for Refresh Token Flow settings.
Because this example is focused on single-page apps, which can’t keep information private, you must deselect these settings for security.
- Select Enable Authorization Code and Credentials Flow.
Enabling the flow exposes another setting to require user credentials in the POST body of your authorization request. Leave this setting deselected—again, your app can’t keep this information secret.
- Save your connected app settings.
Now that you have an OAuth-enabled connected app, you can get your consumer key and consumer secret.
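The flow that this connected app enables, as an added JavaScript example (not Salesforce's code): public-client helpers that build the headless authorization request, extract the authorization code from the echo endpoint's JSON reply, and build the token request without a client secret. The authorize and token paths, the response_type value code_credentials and the Auth-Request-Type header are assumed from memory of the Salesforce reference and should be verified against it; the site domain and client ID are placeholders.

```javascript
// Added example, not Salesforce's code: public-client helpers for the Authorization
// Code and Credentials flow, with the echo endpoint as the callback URL.
// ASSUMED from memory of the Salesforce reference (verify before use): the authorize
// and token paths, response_type=code_credentials and the Auth-Request-Type header.
const SITE = "https://MyExperienceCloudSite.my.site.com"; // placeholder site domain
const ECHO = `${SITE}/services/oauth2/echo`; // the callback URL configured above

// Authorization request: credentials go in the Basic Authorization header, not the
// POST body (that setting stays deselected), and no client secret is sent (public client).
function buildAuthorizeRequest(clientId, username, password) {
  const creds = Buffer.from(`${username}:${password}`).toString("base64");
  const body = new URLSearchParams({
    response_type: "code_credentials",
    client_id: clientId,
    redirect_uri: ECHO,
    scope: "api openid", // the two scopes selected above
  }).toString();
  return {
    url: `${SITE}/services/oauth2/authorize`,
    method: "POST",
    redirect: "follow", // the 302 lands on the echo endpoint, which answers with JSON
    headers: {
      "Auth-Request-Type": "Named-User",
      Authorization: `Basic ${creds}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body,
  };
}

// The echo endpoint returns the redirect parameters as JSON; take the code and
// reject anything that is not a non-empty string (e.g. an error response).
function extractCode(echoJson) {
  const code = echoJson && echoJson.code;
  if (typeof code !== "string" || code.length === 0) {
    throw new Error("echo response did not contain an authorization code");
  }
  return code;
}

// Token exchange for a public client: same redirect_uri, client_id, and no client_secret.
function buildTokenRequest(clientId, code) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    client_id: clientId,
    redirect_uri: ECHO,
  }).toString();
  return { url: `${SITE}/services/oauth2/token`, method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body };
}
```

Send each request object with fetch (the url field as the first argument, the rest as options); the authorize call follows the 302 to the echo endpoint, whose JSON body is passed to extractCode.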