Configure a Hybrid Storefront with Hybrid Auth (PWA Kit)
Starting with B2C Commerce version 25.3, hybrid authentication (Hybrid Auth) replaces Plugin SLAS. Hybrid Auth keeps the SFRA/SiteGenesis session (dwsid) and SLAS authorization (JWT) synchronized across a storefront that spans PWA Kit (Composable Storefront) and platform-rendered routes.
This guide covers the PWA Kit / Composable Storefront implementation path on PWA Kit v3. It’s the path for new Hybrid Auth implementations—new customers must start on PWA Kit v3.
- For the shared, architecture-neutral setup (Business Manager Hybrid Auth settings, SLAS session bridging, Shopper Context, Do-Not-Track synchronization, and basket merge), see Shared Hybrid Auth Setup.
- Building a Storefront Next hybrid storefront instead? See Use Storefront Next in a Hybrid Implementation.
- Maintaining an existing PWA Kit v2.x project that isn’t moving to v3 yet? See Hybrid Auth Implementation with PWA Kit v2.x.
Build your PWA Kit site with:
commerce-sdk-react@4.0.0or later- Progressive Web App (PWA) Kit version 3.12 or later
For details, see Get Started with Composable Storefront.
Before configuring PWA Kit, complete the Shared Hybrid Auth Setup:
- Create a SLAS client (public or private) and add the
sfcc.session_bridgescope. - Enable Hybrid Auth in Business Manager (Merchant Tools > Select Site > Site Preferences > Hybrid Auth Settings) using the same SLAS client ID.
- (Optional) Enable Shopper Context and Do-Not-Track synchronization.
- Remove
plugin_slasfrom the cartridge path if you previously used Plugin SLAS.
After you complete the shared setup, configure your PWA Kit project with the following steps.
Do either of these:
- Create a Retail React App with a SLAS public or private client configuration:
- Run the generator command in a terminal window:
npx @salesforce/pwa-kit-create-app my-hybrid-storefront. - Select The Retail app using your own B2C Commerce instance and follow the terminal instructions.
- Run the generator command in a terminal window:
- Or generate a Retail React App with a preset configuration, then change the SLAS client ID to your public or private client after generation:
- Follow the steps in the Quick Start.
- Use a SLAS public or private client.
- Make sure the SLAS client used for Hybrid Auth includes the
sfcc.session_bridgescope.
In app/components/_app-config/index.jsx (or overrides/app/components/_app-config/index.jsx if you use template extensibility), find the CommerceApiProvider component and uncomment the hybridAuthEnabled prop:
Do not set this prop for hybrid storefronts that still use Plugin SLAS. Enable it only for sites that use Hybrid Auth.
By default, PWA Kit uses the History API for navigation. When a shopper clicks a link made with a React Router component, it triggers a soft navigation to the component matching the path in app/routes.jsx. To link to a non-PWA Kit page (one powered by SFRA, for example), remove any route matching that URL pathname from app/routes.jsx.
- If your PWA Kit project was generated with version 3.x of the Retail React App template using template extensibility, override the
overrides/app/routes.jsxfile to filter out links to non-PWA Kit pages using JavaScript. For an example override that filters out/cartand/checkout, see this public gist. - Update the PWA catch-all route (
/*) inapp/routes.jsx. In this example, the PWA<PageNotFound />component is replaced with a redirect to the default origin:
As part of Hybrid Auth, SLAS token calls include the dwsid in the Set-Cookie response header. Make sure the Set-Cookie headers from SLAS API calls are respected and the cookies are set in the browser.
If you use the Commerce Cloud React SDK with the Composable Storefront, this cookie handling is done for you with PWA Kit v3.9 and later. If your site uses commerce-sdk-react, upgrade to @salesforce/commerce-sdk-react@4.0.0 or later.
When Hybrid Auth is enabled, SLAS /oauth2/token requests contain a session-bridged dwsid using the Set-Cookie header in the response. In Managed Runtime, enable cookie passthrough:
- Log in to Managed Runtime Admin.
- Navigate to your project and environment.
- Select Environment Settings.
- Scroll to the Advanced section and select Edit.
- Enable the switch next to Cookies.
- Scroll back to the Advanced section and select Update.
- Wait for your storefront bundle to redeploy.
Route top-of-funnel pages (home /, category /category, product /product) to your PWA Kit storefront on Managed Runtime (MRT), and route transactional routes (such as /cart and /checkout) to SFRA/SiteGenesis.
- To configure eCDN routing rules, see CDN Routing Rules for Hybrid Implementations.
- To compare route split patterns, see the Hybrid Storefront Routing Matrix (PWA Kit).
- (Optional) Get analytics with Einstein Activities for Hybrid Implementations.
Applies to: PWA Kit
On-demand sandbox (ODS) instances include an embedded CDN (eCDN), so configure hybrid routing on ODS the same way you do on a Primary Instance Group (PIG) instance—through the eCDN UI in Business Manager—rather than with the local hybrid proxy. This lets you validate hybrid behavior in a deployed environment that mirrors production routing.
- Deploy your PWA Kit bundle to a Managed Runtime environment connected to the ODS instance.
- Complete the shared Hybrid Auth setup and the PWA Kit configuration steps above (Steps 1–5).
- Configure eCDN origin routing rules for the ODS zone using the Business Manager UI. Route top-of-funnel pages (home, category, product, search) to Managed Runtime, and keep transactional routes (such as
/cartand/checkout) on SFRA/SiteGenesis. For the UI steps, see CDN Routing Rules for Hybrid Implementations. - Verify routing and cookie/session behavior as described in Verify Your Hybrid Auth Setup.
Use eCDN—not the hybrid proxy—on ODS instances. Reserve the hybrid proxy for local development on localhost.
Applies to: PWA Kit
For local development on localhost, eCDN isn’t available, so use a reverse proxy instead. The PWA Kit hybrid proxy feature is available starting in PWA Kit v3.14 in the pwa-kit-runtime package.
Enable hybrid proxy for local development only. On PIG and ODS instances, use eCDN to direct requests to the PWA Kit Composable Storefront or SFRA/SiteGenesis store. Don’t enable hybrid proxy on PIG or ODS instances: because hybrid proxy sets localAllowCookies: true, it can cause security issues on deployed instances.
Follow these steps to enable hybrid proxy locally.
-
Upgrade the
pwa-kit-runtimepackage dependency to v3.14.0 or later. -
Configure the
hybridProxyvalue in your Composable Storefrontssr.jsfor a server-side reverse proxy:localAllowCookies: truehybridProxy.enabled: truehybridProxy.sfccOrigin: [your SFCC store]
-
Update
default.jsto configure client-side routing:- Update
app.commerceAPI.parametersto point to the correct Commerce API SIG instance. - Add
app.enableHybrid: trueso that you can toggle hybrid mode on and off. - Add a proxy config for the
dwrestaticpath:
- Update
-
In
app/components/_app-config/index.jsx, uncommenthybridAuthEnabled(see Step 2). Don’t set this flag for hybrid storefronts that still use Plugin SLAS. -
Update
app/routes.jsxto exclude routes from PWA Kit so that the matching pages render on SFRA/SiteGenesis. This example removes the/cartand/checkoutroutes from the PWA Kit store and uses the catch-all*route to trigger server-side rendering of the proxied SFRA/SiteGenesis cart and checkout pages. For reference, see this public gist.
For environment-specific differences (PIG, ODS, localhost), see Hybrid Auth Environments and Routing.
- Go to your storefront using the vanity domain configured in eCDN.
- Navigate to a page on SFRA/SiteGenesis.
- Open browser Developer Tools and inspect cookies. Confirm these cookies are set:
cc-nx-g_{Site_ID}: Guest refresh tokendwsid: B2C Commerce session IDusid: SLAS customer IDcc-at_{Site_ID}: SLAS access token (appears only when the user lands on an SFRA page; not seen when navigating from a PWA Kit page to an SFRA page)
- Navigate to any PWA Kit page and verify:
cc-nx-g_{SiteID}is unchanged.dwsidis unchanged.usid_{SiteID}is unchanged.cc-at_{SiteID}is no longer present, because PWA Kit consumes it and moves the access token tolocalStorage. Confirm theaccesstoken{SiteID}value inlocalStoragematches the originalcc-at_{SiteID}cookie.
- In Developer Tools, switch to the Network tab.
- Add an item to the cart on PWA Kit.
- Inspect the SCAPI Add to Cart request. In Request Headers, confirm the
sfdc_dwsidheader is set to thedwsidcookie value. This header is required to keep hybrid storefront behavior stable at production scale when traffic is distributed across multiple app servers. If you’re not using PWA Kit, set this header from your headless application whenever thedwsidcookie is available.
You might observe a 302 redirect if a session has expired (while retaining a valid refresh token in the cc-nx* or cc-nx-g* cookies) or if a refresh token is invalid. This is expected. Make sure your implementation follows these redirects.
The following table compares PWA Kit feature support for Plugin SLAS versus Hybrid Auth.
| Feature Name | Supported in PWA Kit w. Plugin SLAS | Supported in PWA Kit w. Hybrid Auth | Notes |
|---|---|---|---|
| SiteGenesis | N | Y | |
| Third Party IDPs and Social Login | N | Y |
|
| Passwordless Login | N | N | Hybrid storefronts don’t support passwordless login. See Implement Passwordless Login. |
| SLAS Private Clients | Y | Y | |
| SLAS Public Clients | Y | Y | |
| SLAS Trusted System (TSOB) | N | Y | |
| Script API “Remember Me” functionality | N | N/A
| |
| PWA Kit Version 2.x | Y | Y |
|
| PWA Kit Version 3.x | Y | Y |
|
| Do Not Track (DNT) | N | Y | You must perform specific steps to enable and synchronize DNT. See Step 8: Enable or Disable Do-Not-Track Synchronization. |
| Shopper Context | N | Y |
|
| Controller exclusion | Y | N | In Hybrid Auth, there is no need to exclude any controllers. |
| Cookie setting customization | Y, via customization | N/A | In Hybrid Auth, unlike Plugin SLAS, you no longer have access to the cookie object and can no longer override cookie settings. |
| Agent/Order On Behalf Of (OOBO) | N | Y | Starting with B2C Commerce version 26.1, Agent/OOBO is supported out of the box in Hybrid Auth with PWA Kit when using the Customer Service Center in Business Manager. If your site uses a third-party cartridge for Agent/OOBO, make sure that you perform testing in a local environment before deploying to your live site. |