OCAPI Session Bridge

To allow seamless interaction between OCAPI and your session-based storefront we offer the OCAPI session bridge. It allows you to obtain a JWT for a session and vice versa without having to reauthenticate the customer.

Technically the bridge consists of two resources:

  1. Request a JWT for a session via /customers/auth resource.

  2. Request a session for a JWT via /sessions resource.

Obtain JWT 

To obtain a JWT for a guest or registered customer you have to pass a valid dwsid cookie to /customers/auth resource. You have to use "type":"session". If you haven't enabled the global security preference Enforce HTTPS, you must also pass a valid dwsecuretoken in the request. If successful, you get the JWT back as Authorization:Bearer response header.

The following sample shows how this approach works when the global security preference Enforce HTTPS isn't enabled and the dwsecuretoken is included in the request.

REQUEST:
POST /dw/shop/v24_5/customers/auth
Host: example.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Content-Type: application/json
x-dw-client-id: [your_own_client_id]
Cookie: dwsid=pATvWUO3KSdt-Kmcy-8-RsxKnoO4BMDwoec7ACVlW6tZNnhaOL7gt7mHqL-h7QYn5TyE61z0DeSMCqxngsWeHw==;
        dwsecuretoken_9727b83e8e864fa4b6902a37bc70a12d=5Kx5-2P7jj5WoxeTiWwHNBJ6QV39Io5SNA==;

{
  "type" : "session"
}

RESPONSE:
HTTP/1.1 200 OK
Content-Length:124
Authorization:Bearer eyJfdiI6IjXXXXXX.eyJfdiI6IjEiLCJleHAXXXXXXX.-d5wQW4c4O4wt-Zkl7_fiEiALW1XXXX
Content-Type:application/json;charset=UTF-8

{
   "_v" : "24.5",
   "_type" : "customer",
   "auth_type" : "guest",
   "customer_id" : "abdtkZzH6sqInJGIHNR1yUw90A",
   "preferred_locale" : "default"
}

When the global security preference Enforce HTTPS is enabled, the request would be similar to this example, which doesn't include a dwsecuretoken:

REQUEST:
POST /dw/shop/v24_5/customers/auth
Host: example.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Content-Type: application/json
x-dw-client-id: [your_own_client_id]
Cookie: dwsid=pATvWUO3KSdt-Kmcy-8-RsxKnoO4BMDwoec7ACVlW6tZNnhaOL7gt7mHqL-h7QYn5TyE61z0DeSMCqxngsWeHw==

{
  "type" : "session"
}

Note: There’s no tight coupling between session and JWT. You get different tokens for multiple requests with the same session. Therefore, you should make only one call per session.

For more details see /customers/auth resource.

Obtain Session 

To obtain a session for a guest or registered customer you have to pass a valid JWT to /sessions resource. The JWT has to be passed as Authorization:Bearer request header. If successful, you get the session cookies back.

If you haven't enabled the global security preference Enforce HTTPS, the response includes a Set-Cookie header for a dwsecuretoken. The Set-Cookie header for a dwsecuretoken isn't included in the response if the global security preference Enforce HTTPS is enabled.

The following sample shows how this approach works when the global security preference Enforce HTTPS isn't enabled and the dwsecuretoken is included as a Set-Cookie header in the response.

REQUEST:
POST /dw/shop/v24_5/sessions HTTP/1.1
Host: example.com
x-dw-client-id: [your_own_client_id]
Authorization: Bearer eyJfdiI6IjXXXXXX.eyJfdiI6IjEiLCJleHAXXXXXXX.-d5wQW4c4O4wt-Zkl7_fiEiALW1XXXX

RESPONSE:
HTTP/1.1 204 NO CONTENT
Set-Cookie : dwsecuretoken_a85a5236a2e852d714eb6f1585efb61c=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT;
Set-Cookie : dwsid=eXv5R3FZGI4BBfbK1Opk5s1mJ-41Aw7ZuaMKxeye5xa16fJMX--AnNkXsvmakbi1UZSzP1zoPmUILgoom1_jKg==;
Set-Cookie : dwanonymous_a85a5236a2e852d714eb6f1585efb61c=bdjalnzmfrkJ0FtYliwud5db67; Max-Age=15552000;
Cache-Control: max-age=0,no-cache,no-store,must-revalidate

When the global security preference Enforce HTTPS is enabled, the response would be similar to this example, which doesn't include a Set-Cookie header for a dwsecuretoken.

REQUEST:
POST /dw/shop/v24_5/customers/auth
Host: example.com
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Content-Type: application/json
x-dw-client-id: [your_own_client_id]
Cookie: dwsid=pATvWUO3KSdt-Kmcy-8-RsxKnoO4BMDwoec7ACVlW6tZNnhaOL7gt7mHqL-h7QYn5TyE61z0DeSMCqxngsWeHw==

{
  "type" : "session"
}

Note: There’s no tight coupling between session and JWT. You get different sessions for multiple requests with the same JWT. Means, you should make only one call per JWT.

For more details see /sessions resource.

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
Open Commerce API
Get Started with OCAPI
Hooks for Data API
Hooks for Shop API
Usage
API Explorer
Batch Requests
Best Practices
Caching
Client Application Identification
CORS (Cross-Origin Resource Sharing)
Customization
Custom Properties
Expansions
ExportDataUnitsConfiguration Document
ExportGlobalDataConfiguration Document
ExportSitesConfiguration Document
Filtering
Flash
Global Exceptions
Global HTTP Headers
Hook Circuit Breaker
HTTP Methods
HTTP Status Codes and Faults
HTTP Versions
Images
Jobs: Global
Jobs: System
JSONP
JWT
Localization
Metadata
OAuth 2.0
OCAPI Settings
Optimistic Locking
Pagination
Property Selection
Queries
Resource Data Formats
Resource States
SearchIndexUpdateConfiguration Document
Session Bridge
SiteArchiveExportConfiguration Document
SiteArchiveImportConfiguration Document
URL Syntax
Versioning and Deprecation Policy
Shop Baskets
Shop Categories
Shop Content
Shop Content Search
Shop Custom Objects
Shop Customers
Shop Folders
Shop Gift Certificate
Shop Order Search
Shop Orders
Shop Price Adjustment Limits
Shop Product Lists
Shop Product Search
Shop Products
Shop Promotions
Shop Search Suggestion
Shop Sessions
Shop Site
Shop Stores
Data A/B Test Search
Data A/B Tests
Data Alerts
Data Campaign Search
Data Campaigns
Data Cartridges
Data Catalog Search
Data Catalogs
Data Category Search
Data Code Versions
Data Coupon Redemption Search
Data Coupon Search
Data Coupons
Data Custom Object Definitions
Data Custom Objects
Data Custom Objects Search
Data Customer Group Search
Data Customer Groups
Data Customer Lists
Data Gift Certificate Search
Data Gift Certificates
Data Global Custom Objects
Data Global Locale Info
Data Global Preferences
Data Global Site Preferences
Data Inventory List Search
Data Inventory Lists
Data Job Execution Search
Data Jobs
Data Libraries
Data Locale Info
Data Log Requests
Data Metrics
Data OCAPI Configs
Data Orders
Data Permissions
Data Product Search
Data Products
Data Promotion Campaign Assignment Search
Data Promotion Search
Data Promotions
Data Recommender Names
Data Role Search
Data Roles
Data Settings
Data Site Preferences
Data Site Search
Data Sites
Data Slot Configuration Campaign Assignment Search
Data Slot Configuration Search
Data Slot Configurations
Data Slot Search
Data Slots
Data Sorting Rule Search
Data Source Code Group Search
Data Source Code Groups
Data Store Search
Data Stores
Data System Object Definition Search
Data System Object Definitions
Data User Search
Data Users
External Reference Content
B2C Commerce Developer Sandbox REST API

Attention!

Salesforce B2C Commerce suggests using the B2C Commerce API (SCAPI) instead of the Open Commerce API (OCAPI) for all new projects or any major refactoring work. For details, refer to Why Use SCAPI Instead of OCAPI.