Headless Registration JavaScript Examples

Use these high-level examples to understand how to implement headless registration for a single-page app.

Authorization Request

The authorization request for headless registration is similar to the request for headless login, but instead of passing the username and password in the header, you pass in the request identifier and OTP. The request also contains a few additional headers that aren’t required for headless login. Here’s an example.
1// Make a POST Request to Authorize
2  client = new XMLHttpRequest();
3  client.open("POST", expDomain + authorizationURI, true);
4  client.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
5  
6  //Headers for registration variation of the Code and Credentials flow
7  client.setRequestHeader("Auth-Request-Type", "user-registration");
8  client.setRequestHeader("Auth-Verification-Type", verificationMethod);
9  //Request identifier is returned from the /init/registration endpoint, and requestCredential is the OTP sent in the email or SMS.
10  client.setRequestHeader("Authorization", "Basic " + btoa(requestIdentifier + ':' + requestCredential));
11  
12  //Request Body
13  requestBody = "response_type=code_credentials&client_id=" +  clientId + "&redirect_uri=" + callbackURL; 
14  
15  // Add State
16  if (state != null) {
17    requestBody = requestBody + '&state=' + storeState(state); 
18  }
19  
20  // Add Scopes
21  if (scopes != null) {
22    requestBody = requestBody + '&scope=' + scopes; 
23  }
24  
25  // PKCE Enabled
26  requestBody = requestBody + "&code_challenge=" + generateCodeChallenge(); 
27  
28  // Send the Authorization Request
29  client.send(requestBody);
30  
31  // Handle the Authorization Response
32  client.onreadystatechange = function() {
33    if(this.readyState == 4) {
34      if (this.status == 200) {
35        //Auth Code has been returned, perform token exchange
36        tokenExchange(JSON.parse(client.response), null, authorizeType, uniqueVisitorId); 
37      } else {
38      onError("An Error Occured during Authorize", client.response); 
39      }
40    } 
41  }

Salesforce validates the request identifier and OTP and registers the user by calling the headless registration handler. When the user is created, Salesforce returns an authorization code response. You use a callback endpoint to extract the code and other parameters and return them to your app.

Token Exchange

When your app receives the authorization code, it exchanges the code for an access token. This part of the flow is identical to the token exchange in headless login.

1function tokenExchange(response, codeChallenge, authorizeType, uniqueVisitorId) {
2  // Get Values from Code Response
3  code = response.code;
4  stateIdentifier = response.state; 
5  baseURL = response.sfdc_community_url; 
6
7  state = null; 
8  // validate state if it was present
9  if (stateIdentifier != null) {
10    state = getState(stateIdentifier, true); 
11    if (state == null) {
12      onError("A state param was sent back but no state was found");
13      return; 
14    }
15  }
16
17  // Create Client
18  client = new XMLHttpRequest();
19  client.open("POST", expDomain + tokenURI, true);
20  client.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
21
22  // Build Request Body
23  requestBody = "code=" + code + "&grant_type=authorization_code&client_id=" + _this.clientId + "&redirect_uri=" + _this.callbackURL;
24
25  // Add PKCE
26  requestBody = requestBody + "&code_verifier=" + generateCodeVerifier(); 
27
28  // Send Request
29  client.send(requestBody);
30  client.onreadystatechange = function() {
31    if(this.readyState == 4) {
32      if (this.status == 200) {
33          //Access Tokens have been returned
34          console.log("Code and Credntial Flow, token response: ");
35          console.log(JSON.parse(client.response)); 
36        } else {
37          onError("An error occured during token exchange for " + authorizeType, client.response)
38        }  
39      }
40    }
41  }

The result is an access token that you can use to request user information and establish the user’s session.