Passwordless Login

Passwordless login is a way to verify a shopper’s identity without using a password. It offers protection against cyberattacks, such as phishing and brute-force password cracking. Passwordless login systems use authentication methods that are more secure than regular passwords, including magic links and one-time codes.

In this guide, you'll learn how to implement passwordless login in your website or app using the Shopper Login and API Access Service (SLAS).

Only existing customers can access some of the links on this page. Visit Salesforce Commerce Cloud GitHub Repositories and Access for information about how to get access to the Commerce Cloud repositories.

To understand how passwordless login with SLAS works, let’s look at an overview of the process.

The shopper must have an existing B2C Commerce or third-party IDP account, and must log in with a username and password prior to using passwordless login.

Passwordless Login Process Diagram

  1. The shopper opens the app and logs in.
  2. The shopper requests a passwordless login.
  3. Your app calls the authorizePasswordlessCustomer endpoint and provides a callback URI.
  4. SLAS makes a HTTP POST request to your callback URI, including the shoppers contact information and a eight-digit passwordless token that can be used to authenticate the shopper.
  5. The app sends passwordless token to the shopper over email, SMS or another mechanism.
  6. The shopper provides the passwordless token to the app either by clicking a link or entering the it manually.
  7. Your app calls the getPasswordLessAccessToken endpoint to authenticate the shopper and get a SLAS access and refresh token.
  8. The access token can be used to make authorized requests on behalf of the shopper.
  1. A publicly accessible callback URL, such as an B2C Commerce instance, Managed Runtime environment, or your own server. If you don't have a public callback URL, you can use a service like for testing purposes.
  2. A mechanism to share the passwordless token to the shopper, such as email or SMS.
  3. A SLAS private client configured to work with passwordless login.

Include a secret value, such as an unguessable query string parameter, in your callback URL to validate that requests are from the SLAS web service.

If you haven’t already created a SLAS private client, follow the instructions in Authorization for Shopper APIs to create one and return to this guide. Only private clients can be used for passwordless login.

To configure a private client for passwordless login, follow these steps in the SLAS Admin UI:

  1. From the top navigation, click Clients.
  2. Click the Edit link next to the client ID that you created earlier.
  3. In the Scopes field, add sfcc.pwdless_login.
  4. In the Callback URL field, enter the callback URI that you prepared earlier.

Unlike the Redirect URL field, the Callback URL field doesn’t support wildcards. Always include the full URL for a callback, including the protocol.

Imagine you’re building passwordless login flow for a storefront hosted at The shopper begins the flow by entering their username and requesting a passwordless login over email.

Request the authorizePasswordlessCustomer endpoint:

The user_id parameter must be the shopper’s actual login credential, profile.credentials.login. Although the login credential can be an email address, it is not guaranteed to be the same as

SLAS makes a HTTP POST request to the provided callback URI. The request body is a JSON payload:

It contains both an email address and a phone number that belongs to the customer. The value of phone is set to the value of phoneMobile in the B2C Commerce system. If phoneMobile is not available, SLAS uses the value of phoneHome or phoneBusiness instead.

The value of token is the passwordless token you can send to the shopper.

Your callback must validate that the secret value is present in the requested URL.

Your app should send the passwordless token to the shopper over email or SMS.

The token is good for up to ten minutes. If the token expires, you must restart the passwordless login flow.

The shopper must provide the passwordless token to your app, either by following a link or manually entering it.

Request the getPasswordLessAccessToken endpoint to exchange the passwordless token for an access token:

The access token (Shopper JWT) returned by SLAS can now be used to make calls to the Shopper APIs!

To use Passwordless Login with Storefront Reference Architecture (SFRA), you can use the community maintained PasswordLess Login cartridge.