Authorization Scopes Catalog
Scopes control which B2C Commerce endpoints a token can access and which operations it can perform on them, so that the token is accepted only for the operations it was issued for.
Scopes use the format sfcc.{family}[.rw]. Without the suffix, a scope grants read-only access; the optional .rw suffix grants read and write access.
To assign scopes to tokens and configure them based on your storefront needs:
- Understand the capabilities of your storefront and what shoppers can do.
- Determine which API families your storefront needs to interact with (Shopper APIs, SCAPI Admin APIs, or SLAS Admin APIs) and the specific actions it performs against each.
- Identify the required scopes using the following tables.
- For security reasons, limit scopes to the minimum you need: every extra scope widens what a leaked or replayed token can do.
- Optimize the size of your JSON Web Token (JWT). Scopes make up a large portion of the SLAS JWT, and in many cases this token is stored as a cookie and is passed back and forth on every request and response.
  - To reduce JWT size, use the sfcc.shopper-standard scope. For more information, see Standard Shopper Scope.
  - For each selected scope, configure the specific permissions to avoid redundancy. If you include the .rw version of a scope, don't also include its read-only counterpart: the .rw scope already grants read access, so the extra scope only makes the token bulkier.
  - Include only scopes for the applicable API family. For example, don't include SCAPI Admin API scopes in a SLAS JWT.
- Configure your token with the correct scopes:
  - To configure tokens for use with the Shopper APIs, see Authorization for Shopper APIs.
  - To configure tokens for use with the SCAPI Admin APIs, see Authorization for Admin APIs.
  - To use scopes with Custom APIs, see Custom API Authentication and Authorization.
- Save the token configuration. To test it, make API calls. A successful call returns a 200 response. A 401 or 403 response indicates a missing or incorrect scope: a 401 generally means the token itself was rejected (missing, expired, or issued for the wrong API family), and a 403 that the token was accepted but lacks the scope the endpoint requires. Test write operations as well as reads, since a read-only scope passes GET calls and still fails the corresponding write.
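The checks above (well-formed scope names, no admin scopes in a SLAS token, no read-only scope next to its .rw counterpart, smallest possible scope claim) can be run before a token configuration is saved. The following is an added example written for this page, not Salesforce code. Its catalog is a constructed subset of the tables below, the token-type labels ("slas" and "account_manager") are names chosen for the example, and the rule that an sfcc.shopper-myaccount scope covers the sfcc.shopper-myaccount.* scopes beneath it is an assumption drawn from the table text ("all data in a shopper account"), not a documented platform guarantee.

```python
"""Lint a B2C Commerce scope set and check whether a granted set covers a
required scope. Added example for this page; not Salesforce code. CATALOG is a
constructed subset of the scope tables, and PARENT_COVERS_CHILDREN encodes an
assumption about parent/child scopes (see the lead-in)."""
import re

SCOPE_RE = re.compile(r"^sfcc\.[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*$")

# Constructed subset of the catalog: scope -> token type that can carry it.
CATALOG = {
    "sfcc.shopper-baskets-orders": "slas",
    "sfcc.shopper-baskets-orders.rw": "slas",
    "sfcc.shopper-customers.login": "slas",
    "sfcc.shopper-customers.register": "slas",
    "sfcc.shopper-myaccount": "slas",
    "sfcc.shopper-myaccount.rw": "slas",
    "sfcc.shopper-myaccount.addresses": "slas",
    "sfcc.shopper-myaccount.addresses.rw": "slas",
    "sfcc.shopper-products": "slas",
    "sfcc.shopper-product-search": "slas",
    "sfcc.shopper-custom-objects": "slas",
    "sfcc.session_bridge": "slas",
    "sfcc.orders": "account_manager",
    "sfcc.orders.rw": "account_manager",
    "sfcc.products": "account_manager",
    "sfcc.products.rw": "account_manager",
    "sfcc.users.rw": "account_manager",
}

# Scopes whose unsuffixed form covers everything beneath it. custom-objects
# follows the table ("Read all custom object information" vs. per-{object-type}
# restriction); myaccount is an assumption taken from "all data in a shopper account".
PARENT_COVERS_CHILDREN = {"sfcc.shopper-custom-objects", "sfcc.shopper-myaccount"}


def split(scope):
    """Return (base, is_rw): 'sfcc.x.rw' -> ('sfcc.x', True)."""
    if scope.endswith(".rw"):
        return scope[:-3], True
    return scope, False


def token_type(scope):
    """Token type that can carry this scope, or None if it is not in the catalog."""
    if scope in CATALOG:
        return CATALOG[scope]
    # sfcc.shopper-custom-objects.{object-type} is parameterised, so match the prefix.
    if scope.startswith("sfcc.shopper-custom-objects."):
        return "slas"
    return None


def implies(granted, required):
    """True if holding `granted` already authorises `required`."""
    gbase, grw = split(granted)
    rbase, rrw = split(required)
    same_or_child = rbase == gbase or (
        gbase in PARENT_COVERS_CHILDREN and rbase.startswith(gbase + ".")
    )
    # .rw covers its read-only counterpart; a read scope never covers a write.
    return same_or_child and (grw or not rrw)


def is_authorized(granted_scopes, required):
    """Would a token carrying granted_scopes pass an endpoint that needs `required`?"""
    return any(implies(g, required) for g in granted_scopes)


def lint(scopes, token_kind):
    """Return (code, scope) findings for a requested scope set.

    token_kind is 'slas' or 'account_manager'. Codes: malformed, unknown,
    wrong-token-type (admin scope in a SLAS token or vice versa), redundant.
    """
    findings = []
    valid = list(dict.fromkeys(scopes))  # dedupe, keep order
    for s in list(valid):
        if not SCOPE_RE.match(s):
            findings.append(("malformed", s))
            valid.remove(s)
            continue
        kind = token_type(s)
        if kind is None:
            findings.append(("unknown", s))
        elif kind != token_kind:
            findings.append(("wrong-token-type", s))
    for s in valid:
        if any(t != s and implies(t, s) for t in valid):
            findings.append(("redundant", s))
    return findings


def minimize(scopes):
    """Drop scopes already implied by another one; shrinks the JWT scope claim."""
    uniq = list(dict.fromkeys(scopes))
    return [s for s in uniq if not any(t != s and implies(t, s) for t in uniq)]


if __name__ == "__main__":
    requested = [  # constructed input
        "sfcc.shopper-myaccount.rw",
        "sfcc.shopper-myaccount.addresses",  # redundant: covered by the .rw parent
        "sfcc.shopper-products",
        "sfcc.orders",                       # admin scope: does not belong in a SLAS JWT
        "shopper-products",                  # malformed: missing the sfcc. prefix
    ]
    for code, scope in lint(requested, "slas"):
        print(f"{code:16} {scope}")
    print("minimal:", " ".join(minimize(requested)))
```

Run it against the scope list you are about to save; anything reported as wrong-token-type or redundant should be removed, and is_authorized gives a quick local answer to "will this token's scope claim pass that endpoint" before you make the call and read the 401/403.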
By default, the following SLAS scopes are assigned:
These scopes are only useful inside a SLAS JWT.
To configure tokens for use with the Shopper APIs, see Authorization for Shopper APIs.
| Scope | API Family | API Name | Purpose |
|---|---|---|---|
| sfcc.shopper-agents.rw | Shopper | Shopper Agents | Initialize Shopper Agent session. |
| sfcc.shopper-baskets-orders | Checkout | Shopper Baskets | Read baskets and orders from a shopper perspective. |
| sfcc.shopper-baskets-orders.rw | Checkout | Shopper Baskets | Create, read, update, and delete an order, including shipping and tax information. |
| sfcc.shopper-categories | Product | Shopper Products | Read categories to be displayed on a storefront for shoppers. |
| sfcc.shopper-configurations | Configuration | Shopper Configurations | Retrieve global and site-specific configuration details. |
| sfcc.shopper-consents | Shopper | Shopper Consents | Read Shopper Consents. |
| sfcc.shopper-consents.rw | Shopper | Shopper Consents | Create, read, update, and delete Shopper Consents. |
| sfcc.shopper-context | Shopper | Shopper Context | Read Shopper Context. |
| sfcc.shopper-context.rw | Shopper | Shopper Context | Create, read, update, and delete Shopper Context. |
| sfcc.shopper-custom-objects | Custom Object | Shopper Custom Objects | Read all custom object information. |
| sfcc.shopper-custom-objects.{object-type} | Custom Object | Shopper Custom Objects | Read custom object information. Access can be restricted at the {object-type} level. This extends the standard objects provided by B2C Commerce. |
| sfcc.shopper-customers.login | Customer | Shopper Customers | Log in a shopper. |
| sfcc.shopper-customers.register | Customer | Shopper Customers | Register a shopper. |
| sfcc.shopper-experience | Experience | Shopper Experience | Read access for assets created in Page Designer. |
| sfcc.shopper-experience.contents | Experience | Shopper Experience | Read content assets available on a storefront. |
| sfcc.shopper-experience.folders | Experience | Shopper Experience | Read content folders used to organize storefront content assets. |
| sfcc.shopper-experience.pages | Experience | Shopper Experience | Read pages created in Page Designer. |
| sfcc.shopper-experience.qualifiers | Experience | Shopper Experience | Resolve qualifiers for customer groups, campaign promotions, and data binding contexts. |
| sfcc.shopper-gift-certificates | Pricing | Shopper Gift Certificates | Read gift certificates from a shopper perspective. |
| sfcc.shopper-myaccount | Customer | Shopper Customers | Read all data in a shopper account. |
| sfcc.shopper-myaccount.addresses | Customer | Shopper Customers | Read shopper addresses. |
| sfcc.shopper-myaccount.addresses.rw | Customer | Shopper Customers | Create, read, update, and delete addresses in a shopper account. |
| sfcc.shopper-myaccount.baskets | Customer | Shopper Customers | Read a shopper’s baskets. |
| sfcc.shopper-myaccount.orders | Customer | Shopper Customers | Read a shopper’s orders. |
| sfcc.shopper-myaccount.paymentinstruments | Customer | Shopper Customers | Read a shopper’s payment instruments. |
| sfcc.shopper-myaccount.paymentinstruments.rw | Customer | Shopper Customers | Create, read, update, and delete payment instruments in a shopper account. |
| sfcc.shopper-myaccount.productlists | Customer | Shopper Customers | Read wishlists associated with a shopper account. |
| sfcc.shopper-myaccount.productlists.rw | Customer | Shopper Customers | Create, read, update, and delete wishlists associated with a shopper account. |
| sfcc.shopper-myaccount.rw | Customer | Shopper Customers | Create, read, update, and delete all data in a shopper account. |
| sfcc.shopper-product-search | Search | Shopper Search | Search for products and product suggestions. |
| sfcc.shopper-productlists | Customer | Shopper Customers | Read public product lists or wishlists. |
| sfcc.shopper-products | Product | Shopper Products | Read products merchandised and available to be sold on a particular site. |
| sfcc.shopper-promotions | Pricing | Shopper Promotions | Read promotions from a shopper perspective. |
| sfcc.shopper-seo | Site | Shopper SEO | Read SEO-related information. |
| sfcc.shopper-stores | Store | Shopper Stores | Search for and read details on stores. |
These scopes are only useful inside an Account Manager JWT.
To configure tokens for use with the SCAPI Admin APIs, see Authorization for Admin APIs.
| Scope | API Family | API Name | Purpose |
|---|---|---|---|
| sfcc.catalogs | Product | Catalogs | Read catalog information. |
| sfcc.catalogs.rw | Product | Catalogs | Create, read, update, and delete catalogs. |
| sfcc.cdn-zones | CDN Zones | CDN Zones | Read information related to CDN Zones. |
| sfcc.cdn-zones.rw | CDN Zones | CDN Zones | Create, read, update, and delete information related to CDN Zones. |
| sfcc.consents | Customer | Consents | Read customer consent preferences. |
| sfcc.consents.rw | Customer | Consents | Create, read, update, and delete customer consent preferences. |
| sfcc.cors-preferences | Configuration | CORS Preferences | Read Cross-Origin Resource Sharing (CORS) preferences. |
| sfcc.cors-preferences.rw | Configuration | CORS Preferences | Create, read, update, and delete Cross-Origin Resource Sharing (CORS) preferences. |
| sfcc.custom-apis | DX | Custom APIs | Read resolved Custom API endpoints and their registration status (active/not_registered), including error reasons for failed registrations. |
| sfcc.custom-apis.rw | DX | Custom APIs | Read endpoints and perform admin-level management actions for Custom APIs (read/write when available). |
| sfcc.customergroups | Customer | Customer Groups | Read customer groups. |
| sfcc.customergroups.rw | Customer | Customer Groups | Create, read, update, and delete customer groups. |
| sfcc.customerlists | Customer | Customers | Read customer list associated with a site. |
| sfcc.customerlists.rw | Customer | Customers | Create, read, update, and delete customer lists associated with a site. |
| sfcc.experiences | Experience | Experiences | Read merchandiser experiences. |
| sfcc.experiences.rw | Experience | Experiences | Create, read, update, and delete merchandiser experiences. |
| sfcc.gift-certificates | Pricing | Gift Certificates | Read gift certificates. |
| sfcc.gift-certificates.rw | Pricing | Gift Certificates | Create, read, update, and delete gift certificates. |
| sfcc.granular-replications | Administration | Replications | Read replication information. |
| sfcc.granular-replications.rw | Administration | Replications | Create, read, update, and delete replications. |
| sfcc.inventory-lists | Inventory | Inventory Lists | Read inventory lists. |
| sfcc.inventory-lists.rw | Inventory | Inventory Lists | Create, read, update, and delete inventory lists. |
| sfcc.inventory.availability | Inventory | Inventory Availability | Read availability. Account Manager Authentication. |
| sfcc.inventory.availability.rw | Inventory | Inventory Availability | Create, read, update, and delete availability. Account Manager Authentication. |
| sfcc.inventory.impex-graphs | Inventory | Inventory Impex | Read location graph exports. Account Manager Authentication. |
| sfcc.inventory.impex-inventory | Inventory | Inventory Impex | Read inventory exports. Account Manager Authentication. |
| sfcc.inventory.impex-inventory.rw | Inventory | Inventory Impex | Read inventory imports. Account Manager Authentication. |
| sfcc.inventory.reservations | Inventory | Inventory Reservation | Read reservation information. Account Manager Authentication. |
| sfcc.inventory.reservations.rw | Inventory | Inventory Reservation | Create, read, update, and delete reservations. Account Manager Authentication. |
| sfcc.jobs | Administration | Jobs | Read job information. |
| sfcc.jobs.rw | Administration | Jobs | Create, read, update, and delete jobs. |
| sfcc.object-definitions | Configuration | Object Definitions | Read object definitions. |
| sfcc.object-definitions.rw | Configuration | Object Definitions | Create, read, update, and delete object definitions. |
| sfcc.orders | Checkout | Orders | Read orders from a management perspective. |
| sfcc.orders.rw | Checkout | Orders | Create, read, update, and delete an existing order, for example, with a status update. |
| sfcc.preferences | Configuration | Preferences | Read site and environment-specific settings. |
| sfcc.price-books | Pricing | Price Books | Read price books. |
| sfcc.price-books.rw | Pricing | Price Books | Create, read, update, and delete price books. |
| sfcc.products | Product | Products | Read products assigned to a catalog. |
| sfcc.products.rw | Product | Products | Create, read, update, and delete products from a catalog. |
| sfcc.promotions | Pricing | Promotions | Read campaigns, coupons, promotions, and assignments. |
| sfcc.promotions.rw | Pricing | Promotions | Create, read, update, and delete campaigns, coupons, promotions, and assignments. |
| sfcc.roles | Administration | Roles | Read roles. |
| sfcc.roles.rw | Administration | Roles | Create, read, update, and delete roles. |
| sfcc.scapi-schemas | DX | SCAPI Schemas | Read SCAPI schema registry. |
| sfcc.scripts | DX | Scripts | Read scripts. |
| sfcc.scripts.rw | DX | Scripts | Create, read, update, and delete scripts. |
| sfcc.seo | Site | SEO | Read SEO configurations. |
| sfcc.seo.rw | Site | SEO | Create, read, update, and delete SEO configurations. |
| sfcc.sites | Configuration | Sites | Read site information. |
| sfcc.sites.rw | Configuration | Sites | Create, read, update, and delete site information. |
| sfcc.source-codes | Pricing | Source Code Groups | Read source codes. |
| sfcc.source-codes.rw | Pricing | Source Code Groups | Create, read, update, and delete source codes. |
| sfcc.store-redirect-mappings | Site | Store Redirect Mappings | Read store redirect mappings. |
| sfcc.store-redirect-mappings.rw | Site | Store Redirect Mappings | Create, read, update, and delete store redirect mappings. |
| sfcc.stores | Store | Stores | Read store information. |
| sfcc.timeouts | Configuration | Timeouts | Read timeout configuration. |
| sfcc.timeouts.rw | Configuration | Timeouts | Create, read, update, and delete timeout configuration. |
| sfcc.users | Administration | Users | Read user information. |
| sfcc.users.rw | Administration | Users | Create, read, update, and delete users. |
The following scopes are specific to the Shopper Login API (SLAS):
| Scope | API Family | API Name | Purpose |
|---|---|---|---|
| sfcc.pwdless_login | Shopper | Shopper Login | Allow users with a B2C Commerce profile to request a token by email that can be used to log in without a password even when their identity provider (Salesforce) is unavailable. |
| sfcc.session_bridge | Shopper | Shopper Login | Allow session bridging. |
| sfcc.ta_ext_on_behalf_of | Shopper | Shopper Login | Call trusted agent endpoints. |
| sfcc.ts_ext_on_behalf_of | Shopper | Shopper Login | Call trusted system endpoints. |
| sfcc.shopper-mcpagent | Shopper | Shopper Login | Allow access to the B2C Commerce Model Context Protocol (MCP) Shopper Service from an AI Agent, for example, Claude or ChatGPT. |
Here's an example set of scopes required for a shopping application (such as a PWA Kit storefront):