Passwordless login is a way to verify a shopper’s identity without using a password. It offers protection against cyberattacks, such as phishing and brute-force password cracking. Passwordless login systems use authentication methods that are more secure than regular passwords, including magic links and one-time codes.
In this guide, you'll learn how to implement passwordless login in your website or app using the Shopper Login and API Access Service (SLAS).
To understand how passwordless login with SLAS works, let’s look at an overview of the process:
- The shopper requests a passwordless login.
- Your app calls the authorizePasswordlessCustomer endpoint and provides a callback URI.
- SLAS makes an HTTP POST request to your callback URI, including the shopper's contact information and an eight-digit passwordless token that can be used to authenticate the shopper.
- The app sends the passwordless token to the shopper over email, SMS, or another mechanism.
- The shopper provides the passwordless token to the app, either by clicking a link or by entering it manually.
- Your app calls the getPasswordLessAccessToken endpoint to authenticate the shopper and obtain SLAS access and refresh tokens.
- The access token can be used to make authorized requests on behalf of the shopper.
- A publicly accessible callback URL, such as an ECOM instance, Managed Runtime environment, or your own server. If you don't have a public callback URL, you can use a service like Webhook.site for testing purposes.
- A mechanism to share the passwordless token with the shopper, such as email or SMS.
- A SLAS private client configured to work with passwordless login.
If you haven’t already created a SLAS private client, follow the instructions in Authorization for Shopper APIs to create one and return to this guide. Only private clients can be used for passwordless login.
To configure a private client for passwordless login, follow these steps in the SLAS Admin UI:
- From the top navigation, click Clients.
- Click the Edit link next to the client ID that you created earlier.
- In the Scopes field, add
- In the Callback URL field, enter the callback URI that you prepared earlier.
Unlike the Redirect URL field, the Callback URL field doesn’t support wildcards. Always include the full URL for a callback, including the protocol.
Imagine you're building a passwordless login flow for a storefront hosted at www.example.com. The shopper begins the flow by entering their username and requesting a passwordless login over email.
Request the authorizePasswordlessCustomer endpoint:
The user_id parameter must be the shopper's actual login credential, profile.credentials.login. Although the login credential can be an email address, it is not guaranteed to be the same as
SLAS makes an HTTP POST request to the provided callback URI. The request body is a JSON payload:
It contains both an email address and a phone number that belong to the customer. The value of phone is set to the value of phoneMobile in the B2C Commerce system. If phoneMobile is not available, SLAS uses the value of
The value of token is the passwordless token you can send to the shopper.
Your app should send the passwordless token to the shopper over email or SMS.
The token is good for up to ten minutes. If the token expires, you must restart the passwordless login flow.
The shopper must provide the passwordless token to your app, either by following a link or manually entering it.
Request the getPasswordLessAccessToken endpoint to exchange the passwordless token for an access token:
The access token (Shopper JWT) returned by SLAS can now be used to make calls to the Shopper APIs!
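The following is an added example of the app side of the flow described above; it is not code from this guide or from Salesforce. It builds the two SLAS requests, receives the callback payload, and gates the shopper's returned token on the ten-minute lifetime the guide states. Everything beyond what the guide names is an assumption: the URL paths, the form parameters other than user_id, the hint and pwdless_login_token names, the email field in the callback JSON, the placeholder tenant values, and the sample payload, which is constructed here. Check the parameter names against the SLAS OpenAPI specification for your API version before relying on them.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode, urlparse

# The guide states the passwordless token is good for up to ten minutes.
TOKEN_TTL_SECONDS = 10 * 60

# Placeholder tenant values (assumed): substitute your own short code, organization ID and site ID.
SLAS_BASE = "https://SHORT_CODE.api.commercecloud.salesforce.com/shopper/auth/v1/organizations/ORG_ID"
CHANNEL_ID = "SITE_ID"
CALLBACK_URI = "https://www.example.com/slas/passwordless/callback"


def validate_callback_uri(uri: str) -> bool:
    """The Callback URL field takes a full URL with protocol and no wildcards; requiring https is
    an added defensive choice, not a SLAS rule stated in the guide."""
    parsed = urlparse(uri)
    return parsed.scheme == "https" and bool(parsed.netloc) and "*" not in uri


def build_authorize_request(user_id: str, callback_uri: str) -> dict:
    """Describe the authorizePasswordlessCustomer call without sending it.
    Path and the mode/channel_id/callback_uri parameter names are assumed from the SLAS spec;
    the call is authenticated with the private client's id:secret as HTTP Basic (omitted here)."""
    if not validate_callback_uri(callback_uri):
        raise ValueError("callback_uri must be an absolute https URL without wildcards")
    form = {"user_id": user_id, "mode": "callback", "channel_id": CHANNEL_ID, "callback_uri": callback_uri}
    return {
        "method": "POST",
        "url": f"{SLAS_BASE}/oauth2/passwordless/login",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }


@dataclass
class PendingLogin:
    token_hash: str
    expires_at: float
    email: str
    phone: str


def _hash_token(token: str) -> str:
    # Only a digest is kept; the raw token travels to the shopper and back, never into storage.
    return hashlib.sha256(token.strip().encode("utf-8")).hexdigest()


def handle_callback(store: Dict[str, PendingLogin], raw_body: bytes, now: float) -> PendingLogin:
    """Receive the JSON POST that SLAS sends to the callback URI and record the token for later
    verification. The guide names the phone and token fields; email is an assumed field name."""
    payload = json.loads(raw_body)
    record = PendingLogin(
        token_hash=_hash_token(payload["token"]),
        expires_at=now + TOKEN_TTL_SECONDS,
        email=payload.get("email", ""),
        phone=payload.get("phone", ""),
    )
    store[record.token_hash] = record
    return record  # the caller delivers payload["token"] to record.email or record.phone


def redeem_token(store: Dict[str, PendingLogin], submitted: str, now: float) -> Optional[PendingLogin]:
    """Local gate before calling SLAS: unknown, reused or expired tokens are rejected here so the
    app does not forward guesses to getPasswordLessAccessToken. SLAS still validates the token."""
    record = store.pop(_hash_token(submitted), None)  # pop makes the token single-use on our side
    if record is None or now > record.expires_at:
        return None
    return record


def build_exchange_request(token: str) -> dict:
    """Describe the getPasswordLessAccessToken call. The path, the hint value and the
    pwdless_login_token parameter name are assumed from the SLAS spec."""
    form = {"grant_type": "client_credentials", "hint": "pwdless_login", "pwdless_login_token": token.strip()}
    return {
        "method": "POST",
        "url": f"{SLAS_BASE}/oauth2/passwordless/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }


# Constructed sample callback body (not a real SLAS capture): eight-digit token as the guide describes.
SAMPLE_CALLBACK_BODY = json.dumps(
    {"email": "shopper@example.com", "phone": "+15555550100", "token": "12345678"}
).encode("utf-8")


if __name__ == "__main__":
    pending: Dict[str, PendingLogin] = {}
    print(build_authorize_request("shopper@example.com", CALLBACK_URI)["body"])
    rec = handle_callback(pending, SAMPLE_CALLBACK_BODY, now=time.time())
    print("deliver token to", rec.email)
    if redeem_token(pending, "12345678", now=time.time()):
        print(build_exchange_request("12345678")["url"])
```

Design note: the app never needs to persist the raw token, because the shopper brings it back and SLAS is the authority that exchanges it. Keeping only a digest with an expiry lets the app refuse stale or replayed tokens and throttle guesses before they reach SLAS, which matters for an eight-digit code.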
To use passwordless login with Storefront Reference Architecture (SFRA), you can use the community-maintained PasswordLess Login cartridge.
To access the code, you need access to the Salesforce Commerce Cloud GitHub.