Passwordless Login with Email

Use the Shopper Login and API Access Service (SLAS) to send a registered shopper a one-time password (OTP) through email. No third-party integration is required for passwordless login with email.

  • Prior login: The shopper must have logged in through SLAS at least once before requesting a passwordless login.
  • Registration: The shopper’s email address must be registered with B2C Commerce.
  • Volume limits: Emails sent for passwordless login count toward your overall email volume. In email mode, each of the getPasswordResetToken, authorizePasswordlessCustomer, and authorizeWebauthnRegistration endpoints has a monthly quota of 1,000 requests per non-production tenant instance. Per shopper, authorizePasswordlessCustomer and authorizeWebauthnRegistration each accept at most 6 requests in any 10-minute window, and getPasswordResetToken at most 3. These per-shopper limits bound how many OTP emails can be triggered against a single account, so treat them as abuse protection rather than a budget to work around with automatic retries.
  • OTP expiration: Generating a new OTP immediately invalidates every previously issued OTP for that shopper. The shopper must use the most recently generated code, so a resend triggered while an earlier code is still in transit makes that earlier code useless.

If you haven’t already created a SLAS private client, follow the instructions in Authorization for Shopper APIs to create one and return to this guide. Only private clients can be used for passwordless login. A private client authenticates with a client secret, so call these endpoints from a server-side component, never from browser or mobile code where the secret could be extracted.

To configure a private client for passwordless login, follow these steps in the SLAS Admin UI:

  1. From the top navigation, click Clients.
  2. Click the Edit link next to the client ID that you created earlier.
  3. In the Scopes field, add sfcc.pwdless_login.
  4. To issue 6-digit OTPs, select Six Digit TOTP?. If it’s unselected, OTPs are 8 digits, the default. You can set this option only on an existing client.

Edit client screen with Six Digit TOTP setting selected

  5. Save the client.

Shoppers receive passwordless login emails from the sender address that you configure for your site. To configure the email sender in the SLAS Admin UI:

  1. From the SLAS Admin UI, click Add Email Sender.

Add email sender in SLAS Admin UI

  2. In the Email Sender field, enter the email address that you want to use to send passwordless login emails. Make sure that you have access to the inbox for that address: you must receive and act on a verification email before the sender is usable.

You can reuse email addresses for multiple SLAS clients belonging to the same realm, but not across different realms.

  3. (Optional) To use this email sender as a fallback for other channels or sites defined for the client, select Cross Channel. When it’s selected, an email OTP for any site under the same client that has no email sender of its own is sent from this address.

Cross Channel setting in SLAS Admin UI

  4. Click Submit.
  5. After you create the email sender, the email provider used by SLAS sends a verification email to the address you entered. Check that inbox and follow the instructions in the verification email to finish setting up the sender; passwordless login emails can’t go out from the address until this verification completes.

To register the email template, make a PUT request to the registerPwdlessTemplate endpoint with the actionType parameter set to PWDLESS_LOGIN and the templateType parameter set to EMAIL. In the link parameter, you can use the ${token}, ${name}, and ${user_id} substitutions. In the template parameter, you can use those three plus ${link}, which expands to the rendered link. Because ${token} is the OTP itself, a link that embeds it is a bearer credential: point it at an HTTPS URL on a domain you control, and don’t write the rendered link or email body to logs.

OTP emails sent through the authorizePasswordlessCustomer endpoint use this template. To send emails for the authorizeWebauthnRegistration endpoint, register a second template with actionType set to WEBAUTHN_AUTHORIZE_USER.

Here’s an example request body for creating a passwordless login email template:

Finally, when you call authorizePasswordlessCustomer (passwordless login) or getPasswordResetToken (password reset), set mode to email in the request body to use the built-in email OTP delivery.

Example:
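The following is an added example, not Salesforce’s code or a body copied from this page. It builds the registerPwdlessTemplate body and the mode: email body described above, checks the template against the substitution rules the page gives, and adds a small per-shopper request guard that mirrors the 6-per-10-minutes limit so that a duplicate resend from your own UI doesn’t invalidate an OTP the shopper is about to type. Only the field names the page lists (actionType, templateType, link, template, mode) and the ${…} substitutions come from the page; the expansion order used for the preview, the user_id parameter name for authorizePasswordlessCustomer, and the hostnames in the sample links are assumptions, and nothing here sends a request.

```python
"""Added example, not Salesforce's code: builds and sanity-checks the request
bodies described above. Only the field names the page gives (actionType,
templateType, link, template, mode) and the ${...} substitutions are taken
from the page. The placeholder expansion order, the shopper-identifier
parameter name user_id for authorizePasswordlessCustomer, and the hostnames in
the sample links are assumptions; nothing here sends a request."""
from __future__ import annotations

import json
import re
from collections import deque
from string import Template

# Substitutions the page allows in each field of registerPwdlessTemplate.
LINK_PLACEHOLDERS = {"token", "name", "user_id"}
TEMPLATE_PLACEHOLDERS = LINK_PLACEHOLDERS | {"link"}
PLACEHOLDER_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def placeholders(text: str) -> set[str]:
    """Set of ${name} substitutions used in text."""
    return set(PLACEHOLDER_RE.findall(text))


def template_errors(link: str, template: str) -> list[str]:
    """Checks implied by the rules above; an empty list means the pair is OK.
    An unsupported placeholder is never expanded, so the shopper would see the
    literal text; a template that never exposes ${token} (directly or through
    ${link}) would send an OTP email with no OTP in it."""
    link_ph, tpl_ph = placeholders(link), placeholders(template)
    errors = []
    if link_ph - LINK_PLACEHOLDERS:
        errors.append(f"link: unsupported substitutions {sorted(link_ph - LINK_PLACEHOLDERS)}")
    if tpl_ph - TEMPLATE_PLACEHOLDERS:
        errors.append(f"template: unsupported substitutions {sorted(tpl_ph - TEMPLATE_PLACEHOLDERS)}")
    delivers_otp = "token" in tpl_ph or ("link" in tpl_ph and "token" in link_ph)
    if not delivers_otp:
        errors.append("neither template nor the link it embeds contains ${token}")
    return errors


def build_template_body(link: str, template: str,
                        action_type: str = "PWDLESS_LOGIN",
                        template_type: str = "EMAIL") -> dict:
    """Body for the registerPwdlessTemplate PUT request."""
    errors = template_errors(link, template)
    if errors:
        raise ValueError("; ".join(errors))
    return {"actionType": action_type, "templateType": template_type,
            "link": link, "template": template}


def render_preview(body: dict, *, token: str, name: str, user_id: str) -> str:
    """Local preview for reviewing a template before registering it.
    ASSUMPTION about ordering: link is expanded first, then ${link} inside
    template. The real rendering happens in SLAS. Keep previews made with a
    real token out of logs: the rendered text contains the OTP."""
    link = Template(body["link"]).substitute(token=token, name=name, user_id=user_id)
    return Template(body["template"]).substitute(
        token=token, name=name, user_id=user_id, link=link)


def passwordless_login_body(user_id: str) -> dict:
    """Minimal authorizePasswordlessCustomer body selecting the built-in email
    OTP delivery. mode comes from the page; user_id is assumed to be the
    shopper identifier parameter. Channel, callback and locale parameters
    belong to the API reference and are omitted here."""
    return {"user_id": user_id, "mode": "email"}


class OtpRequestGuard:
    """Client-side mirror of the per-shopper limit quoted above (6 requests
    per 10-minute window for authorizePasswordlessCustomer). Refusing a resend
    locally avoids hitting the SLAS limit and, more importantly, stops an
    impatient double-click from invalidating the OTP already in the inbox."""

    def __init__(self, limit: int = 6, window_seconds: int = 600) -> None:
        self.limit, self.window = limit, window_seconds
        self._sent: dict[str, deque[float]] = {}

    def allow(self, user_id: str, now: float) -> bool:
        """Return True and record the request, or False if the window is full."""
        q = self._sent.setdefault(user_id, deque())
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    body = build_template_body(
        link="https://shop.example.com/login/otp?token=${token}&uid=${user_id}",
        template="Hi ${name}, your one-time code is ${token}. "
                 "It also works via ${link} until a newer code is requested.")
    print(json.dumps(body, indent=2))
    print(json.dumps(passwordless_login_body("jane@example.com")))
```

The guard is deliberately conservative: it counts requests your application has already made, not what SLAS has recorded, so it can only refuse earlier than SLAS would, never later. Run template_errors against any template change in CI so that a typo such as ${Token} is caught before a shopper receives a literal placeholder.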

If a shopper reports that an email wasn’t received, Log Center can show what happened to it.

  • General search: Query Log Center for your tenant ID for the message “Email send from SLAS encountered an issue”. Make sure that the time period covers the estimated send time.
  • Shopper-specific search: To find the log event for one shopper, use one of these options:
    • Masked email address: Log Center stores the shopper’s email address in masked form. Query for its queryable prefix, which is usually the first three letters followed by an asterisk (for example, johndoe@gmail.com → joh*) or, for short local parts, the first letter followed by an asterisk (for example, joe@gmail.com → j*). A short prefix can match several shoppers, so narrow the time period as well.
    • Correlation ID: If you logged the correlation ID from the passwordless login call for the shopper, search for that value directly in Log Center.

After finding the log event, examine its Type field to determine the issue:

  • Complaint: The email reached the recipient’s mail server, but the recipient marked the message as spam. The ComplaintFeedbackType field carries the feedback provided by the ISP.
  • Reject: Delivery was never attempted, typically because a virus was detected. The reason field can give more detail.
  • DeliveryDelay: The email couldn’t be handed to the recipient’s mail server immediately because of a temporary problem (for example, the recipient’s inbox was full or the receiving server had a transient fault). The DiagnosticCode field, if present, gives the specific response.
  • Bounce: The email was permanently rejected (a hard bounce), typically because the mailbox doesn’t exist. A soft bounce is also reported here once delivery attempts stop. The DiagnosticCode field, if present, gives the specific response.

Here’s an example of a DeliveryDelay event in Log Center.
DeliveryDelay event in Log Center
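As an added example that is not part of this page or of Salesforce’s tooling, here is the search and triage procedure above run over constructed records in the shape a Log Center export might take. Only the event Type values and the detail field names (ComplaintFeedbackType, reason, DiagnosticCode) are taken from the page; the record keys message, timestamp, correlationId and email, the masked-address format, and the rule used to derive the queryable prefix are assumptions.

```python
"""Added example, not Salesforce's code: the Log Center search and triage
described above, run over CONSTRUCTED records. Only the event Type values and
the detail field names (ComplaintFeedbackType, reason, DiagnosticCode) come
from the page; the record keys "message", "timestamp", "correlationId" and
"email", the masked-address format and the masking rule are assumptions."""
from __future__ import annotations

ISSUE_MESSAGE = "Email send from SLAS encountered an issue"

# Field that carries the actionable detail for each event Type (see the list above).
DETAIL_FIELD = {
    "Complaint": "ComplaintFeedbackType",
    "Reject": "reason",
    "DeliveryDelay": "DiagnosticCode",
    "Bounce": "DiagnosticCode",
}

# Constructed sample records; not real Log Center output.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:15:02Z", "message": ISSUE_MESSAGE,
     "correlationId": "c0ffee-0001", "email": "joh****@g****.com",
     "Type": "DeliveryDelay", "DiagnosticCode": "452 4.2.2 mailbox full"},
    {"timestamp": "2024-05-01T10:16:40Z", "message": ISSUE_MESSAGE,
     "correlationId": "c0ffee-0002", "email": "j**@e******.com",
     "Type": "Bounce", "DiagnosticCode": "550 5.1.1 user unknown"},
    {"timestamp": "2024-05-01T10:17:05Z", "message": "Passwordless login OTP issued",
     "correlationId": "c0ffee-0003", "email": "joh****@g****.com"},
    {"timestamp": "2024-05-01T10:20:11Z", "message": ISSUE_MESSAGE,
     "correlationId": "c0ffee-0004", "email": "ali***@e******.org",
     "Type": "Complaint", "ComplaintFeedbackType": "abuse"},
]


def masked_query(email: str) -> str:
    """Queryable masked form of a shopper address. ASSUMPTION: a local part
    longer than three characters is masked to its first three letters plus '*',
    a shorter one to its first letter plus '*' (this reproduces the page's
    johndoe@ -> joh* and joe@ -> j* examples)."""
    local = email.split("@", 1)[0]
    keep = 3 if len(local) > 3 else 1
    return local[:keep] + "*"


def find_issue_events(events: list[dict], *, correlation_id: str | None = None,
                      email: str | None = None,
                      start: str | None = None, end: str | None = None) -> list[dict]:
    """Records matching the fixed message, an optional ISO-8601 time window,
    and either the logged correlation ID or the masked shopper email."""
    prefix = masked_query(email).rstrip("*") if email else None
    hits = []
    for ev in events:
        if ev.get("message") != ISSUE_MESSAGE:
            continue
        if start and ev["timestamp"] < start:
            continue
        if end and ev["timestamp"] > end:
            continue
        if correlation_id and ev.get("correlationId") != correlation_id:
            continue
        if prefix and not ev.get("email", "").startswith(prefix):
            continue
        hits.append(ev)
    return hits


def diagnose(event: dict) -> dict:
    """Pick the detail field the event Type points to, so the on-call engineer
    sees the actionable value rather than the whole record."""
    kind = event.get("Type")
    field = DETAIL_FIELD.get(kind)
    if field is None:
        return {"type": kind, "field": None, "detail": None}
    return {"type": kind, "field": field, "detail": event.get(field)}


if __name__ == "__main__":
    for ev in find_issue_events(SAMPLE_EVENTS, email="johndoe@gmail.com"):
        print(ev["correlationId"], diagnose(ev))
```

Note what the sample shows about the one-letter mask: a query for joe@example.com (j*) also matches the johndoe record, because both masked addresses start with j. That is why the page pairs the masked search with a time period; the correlation ID, when you have it, is the only unambiguous key.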