Shopper Login (SLAS) Overview

The Shopper Login and API Access Service (SLAS) enables secure access to the Shopper APIs of the B2C Commerce API and the Open Commerce API.

To make authorized requests to SLAS, each application must be associated with one or more SLAS clients. Each SLAS client is registered to a single SLAS tenant and each SLAS tenant is associated with a single B2C Commerce instance.

An application that cannot securely store a client secret is considered a public client. An application that can securely store a client secret is considered a private client.

The following table summarizes which client types are used by the most common types of applications:

| Application | Client Type |
| --- | --- |
| Single-page web app (for example, a PWA Kit storefront) | Public client |
| Mobile app (Android or iOS) | Public client |
| Traditional full stack web app | Private client |
| Browser-based application or mobile app with a backend-for-frontend (BFF) | Private client |

The SLAS API is based on grant types defined by the OAuth 2.0 standard.

The grant type used for an access token request depends on the type of SLAS client (public or private) and the shopper’s authentication method.

Most SLAS clients request access tokens with the Get access token endpoint and receive a Shopper token.

Trusted systems use the Get trusted system access token endpoint and receive a ShopperTsob token. The ShopperTsob token has additional capabilities so that trusted systems can make requests on behalf of users.

The following table summarizes the different grant types and token types used by each type of SLAS client and user authentication method.

| SLAS Client | Authentication Method | Grant Type | Token |
| --- | --- | --- | --- |
| Public | None (guest user) | authorization_code_pkce | Shopper |
| Public | Registered user (federated login) | authorization_code_pkce | Shopper |
| Public | Registered user (B2C Commerce login) | authorization_code_pkce | Shopper |
| Private | None (guest user) | client_credentials | Shopper |
| Private | Registered user (federated login) | authorization_code | Shopper |
| Private | Registered user (B2C Commerce login) | authorization_code_pkce | Shopper |
| Private | Trusted system on behalf of (TSOB) user | client_credentials | ShopperTsob |

The Admin APIs use Account Manager instead of SLAS for access control—and the SLAS Admin API is no exception. To use the SLAS Admin API and its associated UI, your Account Manager account must have the SLAS Organization Administrator role and the correct filters for your B2C Commerce instances.

If you haven’t already, set up your public SLAS clients or private SLAS clients by following the instructions in Authorization for Shopper APIs in the Get Started guides.

After setting up your SLAS clients, see the SLAS guides that cover how to use both the main SLAS API and the SLAS Admin API:

For more technical details on the capabilities of the SLAS APIs, explore the API specifications in the Reference section: