Shopper Login (SLAS) Overview
The Shopper Login and API Access Service (SLAS) enables secure access to the Shopper APIs of the B2C Commerce API and the Open Commerce API.
To make authorized requests to SLAS, each application must be associated with one or more SLAS clients. Each SLAS client is registered to a single SLAS tenant and each SLAS tenant is associated with a single B2C Commerce instance.
If an application cannot securely store a client secret, it’s considered a public client; if it can securely store a client secret, it’s considered a private client.
The following table summarizes which client types are used by the most common types of applications:
Application | Client Type |
---|---|
Single-page web app (for example, a PWA Kit storefront) | Public client |
Mobile app (Android or iOS) | Public client |
Traditional full stack web app | Private client |
Browser-based application or mobile app with a backend-for-frontend (BFF) | Private client |
The SLAS API is based on grant types defined by the OAuth 2.0 standard.
The grant type used for an access token request depends on the type of SLAS client (public or private) and the shopper’s authentication method.
Most SLAS clients request access tokens with the Get access token endpoint and receive a Shopper token.
Trusted systems use the Get trusted system access token endpoint and receive a ShopperTsob token. The ShopperTsob token has additional capabilities so that trusted systems can make requests on behalf of users.
The following table summarizes the different grant types and token types used by each type of SLAS client and user authentication method.
SLAS Client | Authentication Method | Grant Type | Token |
---|---|---|---|
Public | None (guest user) | authorization_code_pkce | Shopper |
Public | Registered user (federated login) | authorization_code_pkce | Shopper |
Public | Registered user (B2C Commerce login) | authorization_code_pkce | Shopper |
Private | None (guest user) | client_credentials | Shopper |
Private | Registered user (federated login) | authorization_code | Shopper |
Private | Registered user (B2C Commerce login) | authorization_code_pkce | Shopper |
Private | Trusted system on behalf of (TSOB) user | client_credentials | ShopperTsob |
The Admin APIs use Account Manager instead of SLAS for access control—and the SLAS Admin API is no exception. To use the SLAS Admin API and its associated UI, your Account Manager account must have the SLAS Organization Administrator role and the correct filters for your B2C Commerce instances.
If you haven’t already, set up your public SLAS clients or private SLAS clients by following the instructions in Authorization for Shopper APIs in the Get Started guides.
After setting up your SLAS clients, see the SLAS guides that cover how to use both the main SLAS API and the SLAS Admin API:
- Public SLAS Client Use Cases (main SLAS API)
- Private SLAS Client Use Cases (main SLAS API)
- SLAS Identity Providers (SLAS Admin API)
For more technical details on the capabilities of the SLAS APIs, explore the API specifications in the Reference section: