Trusted Agent Authorization

Trusted Agent on Behalf (TAOB) authorization allows an agent to perform actions on behalf of a registered shopper.

Consider the following scenario where trusted agent authorization is used to help a shopper:

  1. Lauren is a call center agent who helps shoppers with their orders.
  2. Tim is a shopper who contacts the call center. He wants to update the quantity of shirts in his order but is having difficulty doing it himself.
  3. Lauren logs in to Tim’s account on his behalf and goes through the items added in cart.
  4. Lauren successfully updates the quantity of shirts in Tim’s order.
  5. Tim is pleased with Lauren’s help and completes his order.

This flow applies specifically when Account Manager serves as the identity provider (IDP) for agents. For agents using a different IDP, consider using the SLAS Trusted System On-behalf (TSOB) call flow to provide the SLAS shopper JSON Web Token (JWT) in your custom agent solution.

The following diagram shows the typical API requests and responses used in the authorization flow for a trusted agent:

[Diagram: API requests and responses in the trusted agent authorization flow]

Now that you understand how the trusted agent on behalf feature works, you’re ready to start your own implementation by following the instructions in the rest of this guide.

In Business Manager, configure the following functional permissions for one or more agents in your organization: Login_On_Behalf and Create_Order_On_Behalf.

For detailed instructions, see the Business Manager Functional Permissions article on the B2C Commerce Infocenter.

  • Add the sfcc.ta_ext_on_behalf_of scope to your SLAS client
  • Set a redirect URI

The following commands demonstrate how to authorize a trusted agent using a public client.

When running the sample code provided, don’t forget to replace the placeholder values with actual values.

Start by requesting an authorization code for a trusted agent using getTrustedAgentAuthorizationToken:

The request redirects you to Account Manager for authentication. After a successful login, you are redirected to the address provided in the redirect_uri parameter of the previous request. When redirecting, the authorization code is included in the code query parameter.

Now request a trusted agent token using getTrustedAgentAccessToken. In the following command, replace jpsM6DNwzFtrUIZJDwyRihkRX1g with the actual authorization code:

Trusted agent tokens expire after 15 minutes and are not refreshable. To get a new token, restart the authorization flow.

Trusted agent tokens work with all SCAPI Shopper endpoints but are only supported by a subset of OCAPI Shop endpoints:

Required Business Manager Role   Endpoint                              HTTP Methods
Create_Order_On_Behalf_Of        /orders/**                            GET, POST, DELETE, PATCH, PUT
Create_Order_On_Behalf_Of        /baskets/**                           POST, PUT, DELETE, PATCH, GET
Create_Order_On_Behalf_Of        /customers/**                         GET, POST, PATCH, PUT
Create_Order_On_Behalf_Of        /customers/*/addresses/*              DELETE
Create_Order_On_Behalf_Of        /customers/*/payment_instruments/*    DELETE
Create_Order_On_Behalf_Of        /customers/*/product_lists/**         DELETE
Create_Order_On_Behalf_Of        /gift_certificate                     POST
Create_Order_On_Behalf_Of        /customers/**                         GET, POST, PATCH
Create_Order_On_Behalf_Of        /customer_lists/**                    GET, POST
Search_Orders                    /order_search/*                       POST
Handle_External_Orders           /baskets/calculate                    POST
Handle_External_Orders           /baskets/shipping_methods             POST

Calling a non-supported OCAPI Shop endpoint with a trusted agent token results in an HTTP 403 user-access-forbidden response.

To call non-supported OCAPI Shop endpoints, use a second token obtained from getTrustedSystemAccessToken or getAccessToken.
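As an added example (not from the SLAS documentation or the SLAS API itself), the following Python encodes the table above as an allow-list and reports whether a given OCAPI Shop call would be accepted with a trusted agent token, distinguishing an endpoint that is not supported for trusted agent tokens from a call where the agent lacks the required Business Manager role. The glob semantics (`*` matches exactly one path segment, `**` matches zero or more) and the set of roles attached to the agent are assumptions.

```python
import re

# Allow-list transcribed from the page's table of OCAPI Shop endpoints that accept
# a trusted agent token: (required Business Manager role, endpoint pattern, methods).
TRUSTED_AGENT_OCAPI_ALLOWLIST = [
    ("Create_Order_On_Behalf_Of", "/orders/**", {"GET", "POST", "DELETE", "PATCH", "PUT"}),
    ("Create_Order_On_Behalf_Of", "/baskets/**", {"POST", "PUT", "DELETE", "PATCH", "GET"}),
    ("Create_Order_On_Behalf_Of", "/customers/**", {"GET", "POST", "PATCH", "PUT"}),
    ("Create_Order_On_Behalf_Of", "/customers/*/addresses/*", {"DELETE"}),
    ("Create_Order_On_Behalf_Of", "/customers/*/payment_instruments/*", {"DELETE"}),
    ("Create_Order_On_Behalf_Of", "/customers/*/product_lists/**", {"DELETE"}),
    ("Create_Order_On_Behalf_Of", "/gift_certificate", {"POST"}),
    ("Create_Order_On_Behalf_Of", "/customer_lists/**", {"GET", "POST"}),
    ("Search_Orders", "/order_search/*", {"POST"}),
    ("Handle_External_Orders", "/baskets/calculate", {"POST"}),
    ("Handle_External_Orders", "/baskets/shipping_methods", {"POST"}),
]


def _pattern_to_regex(pattern):
    # Assumed glob semantics: '*' is exactly one path segment, '**' is zero or more segments.
    out = ""
    for seg in pattern.strip("/").split("/"):
        if seg == "**":
            out += r"(?:/[^/]+)*"
        elif seg == "*":
            out += r"/[^/]+"
        else:
            out += "/" + re.escape(seg)
    return re.compile("^" + out + "$")


_COMPILED = [(role, _pattern_to_regex(p), m) for role, p, m in TRUSTED_AGENT_OCAPI_ALLOWLIST]


def check_ocapi_access(method, path, agent_roles):
    """Return (allowed, reason) for an OCAPI Shop call made with a trusted agent token.

    `path` is the part after the /shop/vXX_Y prefix; any query string is ignored.
    `agent_roles` is the set of Business Manager roles granted to the agent (assumed input).
    """
    path = "/" + path.split("?", 1)[0].strip("/")
    method = method.upper()
    endpoint_supported = False
    for role, regex, methods in _COMPILED:
        if regex.match(path) and method in methods:
            endpoint_supported = True  # a row exists; now the role decides
            if role in agent_roles:
                return True, "allowed via " + role
    if endpoint_supported:
        return False, "403 user-access-forbidden: agent lacks the required Business Manager role"
    return False, ("403 user-access-forbidden: endpoint not supported for trusted agent tokens; "
                   "use a token from getTrustedSystemAccessToken or getAccessToken")
```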

If you receive the following response, verify the SLAS client configuration and the agent’s Business Manager permissions:

{ "status_code": "403 FORBIDDEN", "message": "AM SSO Unauthorized!" }