Authorization Scopes Catalog
Scopes control which B2C Commerce endpoints a token can access, and define the permissions and actions that a token can perform, ensuring that only authorized operations are allowed.
Scopes are formatted as `sfcc.{family}[.rw]`. The optional `.rw` suffix indicates read and write permissions.
To assign scopes to tokens and configure them based on your storefront needs:
- Understand the capabilities of your storefront and what shoppers can do.
- Determine the API families with which your storefront needs to interact and the specific actions needed: Shopper APIs, SCAPI Admin APIs, and SLAS Admin APIs.
- Identify the required scopes using the following tables.
- For security reasons, limit the scopes to the minimum that you need.
- Optimize the size of your JWT. Scopes make up a large portion of the SLAS JWT, and in many cases, this SLAS token is stored as a cookie and is passed back-and-forth in both requests and responses.
- For each selected scope, configure the specific permissions to avoid redundancy. If you include the `.rw` version of a scope, avoid using the read-only counterpart, as it is redundant and makes the token unnecessarily bulky.
- Make sure to only include scopes for the applicable API family. For example, do not include SCAPI Admin API scopes in a SLAS JWT.
- Configure your token with the correct scopes:
  - To configure tokens so that they can be passed to the Shopper APIs, see Authorization for Shopper APIs.
  - To configure tokens so that they can be passed to the SCAPI Admin APIs, see Authorization for Admin APIs.
  - To use scopes with Custom APIs, see Custom API Authentication and Authorization.
- Save and test. Save the token configuration and test it to ensure that it works as expected. Use the token in API calls to verify that it has the correct permissions and that it can perform the required actions.
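The steps above amount to three mechanical checks on a requested scope list: every scope must follow `sfcc.{family}[.rw]`, a read-only scope is dropped when its `.rw` counterpart is also requested, and scopes from the wrong API family (Admin scopes in a SLAS JWT, Shopper scopes in an Account Manager JWT) are rejected. The following Python linter is an added example, not code from Salesforce or this page. The scope names are copied from the tables on this page; the `LoyaltyTier` custom object type and the treatment of the Shopper Login scopes (`sfcc.pwdless_login` and friends) as belonging to neither catalog are assumptions made for the example.

```python
"""Lint a requested B2C Commerce scope list against the rules on this page (added example)."""
import re

# Scope names copied from the Shopper API table on this page.
SHOPPER_SCOPES = {
    "sfcc.shopper-baskets-orders", "sfcc.shopper-baskets-orders.rw",
    "sfcc.shopper-categories", "sfcc.shopper-context.rw",
    "sfcc.shopper-customers.login", "sfcc.shopper-customers.register",
    "sfcc.shopper-experience", "sfcc.shopper-gift-certificates",
    "sfcc.shopper-myaccount", "sfcc.shopper-myaccount.addresses",
    "sfcc.shopper-myaccount.addresses.rw", "sfcc.shopper-myaccount.baskets",
    "sfcc.shopper-myaccount.orders", "sfcc.shopper-myaccount.paymentinstruments",
    "sfcc.shopper-myaccount.paymentinstruments.rw",
    "sfcc.shopper-myaccount.productlists", "sfcc.shopper-myaccount.productlists.rw",
    "sfcc.shopper-myaccount.rw", "sfcc.shopper-product-search",
    "sfcc.shopper-productlists", "sfcc.shopper-products",
    "sfcc.shopper-promotions", "sfcc.shopper-seo", "sfcc.shopper-stores",
}
# Scope names copied from the SCAPI Admin API table on this page.
ADMIN_SCOPES = {
    "sfcc.catalogs", "sfcc.catalogs.rw", "sfcc.cdn-zones", "sfcc.cdn-zones.rw",
    "sfcc.customerlists", "sfcc.customerlists.rw",
    "sfcc.gift-certificates", "sfcc.gift-certificates.rw",
    "sfcc.inventory.availability", "sfcc.inventory.availability.rw",
    "sfcc.inventory.impex-graphs", "sfcc.inventory.impex-inventory",
    "sfcc.inventory.impex-inventory.rw",
    "sfcc.inventory.reservations", "sfcc.inventory.reservations.rw",
    "sfcc.orders", "sfcc.orders.rw", "sfcc.preferences", "sfcc.cors-preferences.rw",
    "sfcc.products", "sfcc.products.rw", "sfcc.promotions", "sfcc.promotions.rw",
    "sfcc.source-codes", "sfcc.source-codes.rw",
}
# Shopper Login scopes from the last table. Assumption for this example: they are
# part of the SLAS client configuration and are not flagged for either token kind.
LOGIN_SCOPES = {"sfcc.pwdless_login", "sfcc.session_bridge",
                "sfcc.ta_ext_on_behalf_of", "sfcc.ts_ext_on_behalf_of"}

# sfcc.{family}[.rw]; the family may itself contain dots (shopper-myaccount.addresses,
# inventory.availability) and, for custom objects, a mixed-case object type.
SCOPE_RE = re.compile(r"^sfcc\.(?P<family>[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*?)(?P<rw>\.rw)?$")


def parse_scope(scope):
    """Return (family, is_rw) for a well-formed scope; raise ValueError otherwise."""
    m = SCOPE_RE.match(scope)
    if not m or m.group("family") == "rw":
        raise ValueError(f"malformed scope: {scope!r}")
    return m.group("family"), m.group("rw") is not None


def classify(scope):
    """Which catalog a scope belongs to: shopper, admin, login, or unknown."""
    if scope in SHOPPER_SCOPES or scope.startswith("sfcc.shopper-custom-objects."):
        return "shopper"          # custom-object scopes are restricted per object type
    if scope in ADMIN_SCOPES:
        return "admin"
    if scope in LOGIN_SCOPES:
        return "login"
    return "unknown"


def lint_scopes(requested, token_kind):
    """Apply the page's rules to a scope list.

    token_kind is "slas" (SLAS JWT, Shopper APIs) or "account-manager" (Admin APIs).
    Returns the scopes to keep plus the redundant, wrong-family and unknown ones.
    """
    if token_kind not in ("slas", "account-manager"):
        raise ValueError("token_kind must be 'slas' or 'account-manager'")
    wanted = set(requested)
    report = {"keep": [], "redundant": [], "wrong_family": [], "unknown": []}
    for scope in sorted(wanted):
        try:
            _family, is_rw = parse_scope(scope)
        except ValueError:
            report["unknown"].append(scope)
            continue
        kind = classify(scope)
        if kind == "unknown":
            report["unknown"].append(scope)
            continue
        # Rule: never mix API families (no Admin scopes in a SLAS JWT, and vice versa).
        if (token_kind == "slas" and kind == "admin") or \
           (token_kind == "account-manager" and kind == "shopper"):
            report["wrong_family"].append(scope)
            continue
        # Rule: a read-only scope is redundant when its .rw counterpart is requested too.
        if not is_rw and scope + ".rw" in wanted:
            report["redundant"].append(scope)
            continue
        report["keep"].append(scope)
    return report


def scope_string(report):
    """Smallest space-separated scope value to put in the token request."""
    return " ".join(report["keep"])


# Constructed request for a storefront that browses, searches, logs in and checks out.
REQUESTED = [
    "sfcc.shopper-products", "sfcc.shopper-categories", "sfcc.shopper-product-search",
    "sfcc.shopper-baskets-orders", "sfcc.shopper-baskets-orders.rw",   # read-only one is redundant
    "sfcc.shopper-myaccount.addresses.rw", "sfcc.shopper-customers.login",
    "sfcc.orders.rw",                              # Admin scope: must not go in a SLAS JWT
    "sfcc.shopper-custom-objects.LoyaltyTier",     # constructed custom object type
    "shopper-stores",                              # malformed: missing the sfcc. prefix
]

if __name__ == "__main__":
    result = lint_scopes(REQUESTED, "slas")
    for key, scopes in result.items():
        print(f"{key}: {scopes}")
    print("scope =", scope_string(result))
```

Running it against the constructed list keeps seven Shopper scopes, reports `sfcc.shopper-baskets-orders` as redundant, rejects `sfcc.orders.rw` as an Admin scope, and flags `shopper-stores` as malformed; the resulting `scope =` line is the compact value to request, which also keeps the SLAS JWT stored in the cookie as small as possible. The redundancy check only pairs a scope with its exact `.rw` counterpart; it does not assume that, say, `sfcc.shopper-myaccount.rw` subsumes `sfcc.shopper-myaccount.addresses`, because the page does not state that.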
By default, the following SLAS scopes are assigned:
These scopes are only useful inside of a SLAS JWT.
To configure tokens with the correct scopes so that they can be passed to the Shopper APIs, see Authorization for Shopper APIs.
Scope | API Family | API Name | Purpose |
---|---|---|---|
sfcc.shopper-baskets-orders | Checkout | Shopper Baskets | Read baskets and orders from a shopper perspective. |
sfcc.shopper-baskets-orders.rw | Checkout | Shopper Baskets | The client app can create, read, update, and delete an order, including information such as shipping or tax information. |
sfcc.shopper-categories | Product | Shopper Products | Read categories to be displayed on a storefront for shoppers. |
sfcc.shopper-context.rw | Shopper | Shopper Context | Create, read, update, and delete Shopper Context. |
sfcc.shopper-custom-objects.{object-type} | Custom Object | Shopper Custom Objects | Read custom object information. Access can be restricted at the {object-type} level. This extends the standard objects provided by B2C Commerce. |
sfcc.shopper-customers.login | Customer | Shopper Customers | Log in a shopper. |
sfcc.shopper-customers.register | Customer | Shopper Customers | Register a shopper. |
sfcc.shopper-experience | Experience | Shopper Experience | Read pages created in Page Designer. |
sfcc.shopper-gift-certificates | Pricing | Shopper Gift Certificates | Read gift certificates from a shopper perspective. |
sfcc.shopper-myaccount | Customer | Shopper Customers | Read all data in a shopper account. |
sfcc.shopper-myaccount.addresses | Customer | Shopper Customers | Read shopper addresses. |
sfcc.shopper-myaccount.addresses.rw | Customer | Shopper Customers | Create, read, update, and delete addresses in a shopper account. |
sfcc.shopper-myaccount.baskets | Customer | Shopper Customers | Read a shopper’s baskets. |
sfcc.shopper-myaccount.orders | Customer | Shopper Customers | Read a shopper’s orders. |
sfcc.shopper-myaccount.paymentinstruments | Customer | Shopper Customers | Read a shopper’s payment instruments. |
sfcc.shopper-myaccount.paymentinstruments.rw | Customer | Shopper Customers | Create, read, update, and delete payment instruments in a shopper account. |
sfcc.shopper-myaccount.productlists | Customer | Shopper Customers | Read wishlists associated with a shopper account. |
sfcc.shopper-myaccount.productlists.rw | Customer | Shopper Customers | Create, read, update, and delete wishlists associated with a shopper account. |
sfcc.shopper-myaccount.rw | Customer | Shopper Customers | Create, read, update, and delete all data in a shopper account. |
sfcc.shopper-product-search | Search | Shopper Search | Enable search for products and product suggestions. |
sfcc.shopper-productlists | Customer | Shopper Customers | Read public product lists or wishlists. |
sfcc.shopper-products | Product | Shopper Products | Read products merchandized and available to be sold on a particular site. |
sfcc.shopper-promotions | Pricing | Shopper Promotions | Read promotions from a shopper perspective. |
sfcc.shopper-seo | Site | Shopper SEO | Read SEO-related information. |
sfcc.shopper-stores | Store | Shopper Stores | Search for and read details on stores. |
These scopes are only useful inside of an Account Manager JWT.
To configure tokens with the correct scopes so that they can be passed to the SCAPI Admin APIs, see Authorization for Admin APIs.
Scope | API Family | API Name | Purpose |
---|---|---|---|
sfcc.catalogs | Product | Catalogs | Read catalog information. |
sfcc.catalogs.rw | Product | Catalogs | Create, read, update, and delete catalogs. |
sfcc.cdn-zones | CDN Zones | CDN Zones | Read information related to CDN Zones. |
sfcc.cdn-zones.rw | CDN Zones | CDN Zones | Create, read, update, and delete information related to CDN Zones. |
sfcc.customerlists | Customer | Customers | Read customer list associated with a site. |
sfcc.customerlists.rw | Customer | Customers | Create, read, update, and delete customer lists associated with a site. |
sfcc.gift-certificates | Pricing | Gift Certificates | Read gift certificates. |
sfcc.gift-certificates.rw | Pricing | Gift Certificates | Create, read, update, and delete gift certificates. |
sfcc.inventory.availability | Inventory | Inventory Availability | Read availability. Account Manager Authentication. |
sfcc.inventory.availability.rw | Inventory | Inventory Availability | Create, read, update, and delete availability. Account Manager Authentication. |
sfcc.inventory.impex-graphs | Inventory | Inventory Impex | Read location graph exports. Account Manager Authentication. |
sfcc.inventory.impex-inventory | Inventory | Inventory Impex | Read inventory exports. Account Manager Authentication. |
sfcc.inventory.impex-inventory.rw | Inventory | Inventory Impex | Read inventory imports. Account Manager Authentication. |
sfcc.inventory.reservations | Inventory | Inventory Reservation | Read reservation information. Account Manager Authentication. |
sfcc.inventory.reservations.rw | Inventory | Inventory Reservation | Create, read, update, and delete reservations. Account Manager Authentication. |
sfcc.orders | Checkout | Orders | List and view orders from a management perspective. |
sfcc.orders.rw | Checkout | Orders | Create, read, update, and delete an existing order, for example, with a status update. |
sfcc.preferences | Configuration | Preferences | Retrieve site and environment-specific settings. |
sfcc.cors-preferences.rw | Configuration | CORS | Create, read, update, and delete Cross-Origin Resource Sharing (CORS) preferences. |
sfcc.products | Product | Products | Read products assigned to a catalog. |
sfcc.products.rw | Product | Products | Create, read, update, and delete products from a catalog. |
sfcc.promotions | Pricing | Promotions | Read assignments, campaigns, coupons, and promotions. |
sfcc.promotions.rw | Pricing | Promotions | Create, read, update, or delete assignments, campaigns, coupons, and promotions. |
sfcc.source-codes | Pricing | Source Code Groups | Read source codes. |
sfcc.source-codes.rw | Pricing | Source Code Groups | Create, read, update, or delete source codes. |
Scope | API Family | API Name | Purpose |
---|---|---|---|
sfcc.pwdless_login | Shopper | Shopper Login | Allow users with an eCom profile to request a token by email that can be used to log in without a password even when their identity provider (Salesforce) is unavailable. |
sfcc.session_bridge | Shopper | Shopper Login | Allow session bridging. |
sfcc.ta_ext_on_behalf_of | Shopper | Shopper Login | Call trusted agent endpoints. |
sfcc.ts_ext_on_behalf_of | Shopper | Shopper Login | Call trusted system endpoints. |
Here's an example set of scopes required for a shopping application (like a PWA Kit storefront):