B2C Commerce API Release Notes

Use B2C Commerce API (also known as Salesforce Commerce API or SCAPI) to build headless commerce experiences.

  • For status updates and trust notifications, go to the B2C Commerce Status Page.
  • For the general B2C Commerce release notes, go to Salesforce Help.
  • To use the SDK to make your first call quickly, see the Quick Start.
  • For details about auth, see Authorization.
  • To learn about using B2C Commerce API, see the Guides.
  • To learn about using correlation IDs, see Identifying Requests and Responses.
  • To browse the API endpoints, use the left navigation. B2C Commerce API is broken into two main groups: Shopper APIs and Admin APIs. All Shopper API groups start with Shopper. For details about the differences, see Get Started.
  • Note: All secrets and tokens are fictional and provided as placeholders only.
  • Modified TokenResponse, extending the attribute idp_access_token size to 8k bytes: See TokenResponse.

  • SLAS Session Bridge - signed guest sessions is now GA!

    We have extended getSessionBridgeAccessToken with a new parameter dwsgst, which is a guest session signature generated from Script API's Session.generateGuestSessionSignature(). See getSessionBridgeAccessToken.

  • SLAS Infrastructure and scale improvements handle higher transaction volume for the upcoming holiday season.

    Guest refresh tokens are now good for 30 days.

  • Updated the getTrustedAgentAccessToken endpoint to make the agent_id parameter optional.
  • Updated the SLAS Admin UI with specific error messaging for issues with logging into Account Manager.
  • Private clients now support grant_type=authorization_code in addition to grant_type=authorization_code_pkce.
  • Removals of customer records in B2C Commerce are now synchronized with SLAS. If a customer record is deleted in B2C Commerce, this change is recognized by SLAS.
  • Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • NEW SLAS-Marketing Cloud SMS for Passwordless login is ready! See Passwordless Login with SMS to get started.
  • resetPassword rejects weak passwords with an HTTP 400 error.
  • getUserInfo supports names with special characters.
  • getUserInfo supports Trusted System on Behalf of tokens.
  • Credential Quality APIs deprecated and removed.
  • Improved Guest Shopper validation to allow B2C Commerce IDP origin for session bridge.
  • Session Bridge: fixed 500 server error on incorrect hint.
  • SLAS Admin UI: Fixed issues related to Tenant ID format check at browser level.
  • Shopper Baskets now supports the following SLAS Trusted-Agent-On-Behalf-only endpoints:
    • PUT /baskets/{basketId}/agent
    • PUT /baskets/{basketId}/storefront
    • POST /baskets/{basketId}/price-adjustments
    • DELETE /baskets/{basketId}/price-adjustments/{priceAdjustmentId}
    • PATCH /baskets/{basketId}/price-adjustments/{priceAdjustmentId}
  • The following new channel types are supported by the Baskets and Orders apps: TikTok, Snapchat, Google, WhatsApp, and YouTube.
  • Bot mitigation improvements: Reduced the time window from 2 seconds to 1 second for the same user login that returns Error 409.
  • Fixed the issue around deletion of a user with different loginID and IDP when the tenant and customerID remain the same.
  • SLAS Tenant creation improvements to include region validation.
  • SLAS service: Introduced a rate limit of 25 TPM per tenant for the JWKS and well-known endpoints.
  • SLAS service: Redirects to the customer’s registered callback URL on IDP errors and returns Error 412 for refresh token calls.
  • Trusted agent on behalf (TAOB): Client ID present check fix on /auth rather than /token.
  • Guest SESB refresh bug fix.
  • Improved IDP message errors back from third-party IDP.
  • Increased the shopper authorization code size to accommodate larger codes sent from Identity Providers.
  • SLAS Admin UI fixes for tenant display post deletion and faster IDP creation.
  • SLAS Admin: Client scope update fix.
  • Trusted agent on behalf: additional redirect URI parameters for authorize are separated properly.
  • Shopper-Experience API global rollout.
  • Bug fixes:
    • Admin UI, client create claims fix
    • SESB fix for OCAPI calls
  • Features:
    • Support for Active Directory Federated Service IDP
  • The Shopper Context API is now generally available!
  • Rate limit update to the rules endpoint in the Catalogs API.
  • Updated TrustedAgentOnBehalf support for Shopper Token policy.
  • Support for Forgerock IDP.
  • Trusted agent on behalf (TAOB) now supports Private ClientID flow. Changed the TAOB JWT token expiry from 30 to 15 minutes for PCI compliance.
  • /jwks endpoint now returns 3 key IDs (past, current, and future KeyID).
  • Reduced the passwordless OTP token length from 20 to 8 characters.
  • Enhanced BOT mitigation strategy within SLAS.
  • Fixed inconsistencies related to failed tokens.
  • Session Bridge: Improved error messaging & guest support.
  • SLAS no longer calls ecom when a shopper account is locked.
  • Refined the user cache and fixed cache inconsistencies after tenant key rotation.
  • Addressed login ID inconsistencies for passwordless login.
  • Fixed AppleIDP issue related to middle name.
  • Rate limit increase for GET /customers/* (Shopper-Customers), see Rate Limits.
  • Rate limit increase for GET /products-lists/{id} (Shopper-Customers), see Rate Limits.
  • Rate limit increase for Orders API, see Rate Limits.
  • Rate limit updates: API families have either a 5s tier or a 60s tier, see Rate Limits.
  • Response compression has been introduced.
  • The expand query parameter has been added for getProducts.
  • Added support for correlation-id and x-correlation-id headers.
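
The 25 TPM limit on the JWKS and well-known endpoints and the three key IDs (past, current, future) returned by /jwks, both listed above, mean a token validator should cache keys by kid instead of fetching per request. The following is an added example, not Salesforce code: the fetch callable, the constructed key sets, and the reading of 25 TPM as 25 requests per minute are assumptions.

```python
import time

# Constructed JWK Sets (key material omitted): past, current and future kids.
BEFORE_ROTATION = {"keys": [{"kid": "k1"}, {"kid": "k2"}, {"kid": "k3"}]}
AFTER_ROTATION = {"keys": [{"kid": "k2"}, {"kid": "k3"}, {"kid": "k4"}]}


class JwksCache:
    """Index keys by kid; refetch only on an unknown kid, and never too often."""

    def __init__(self, fetch_jwks, min_gap=60 / 25, clock=time.monotonic):
        self._fetch = fetch_jwks  # hypothetical callable returning a JWK Set dict
        self._min_gap = min_gap   # assumption: 25 TPM means 25 requests per minute
        self._clock = clock
        self._keys = {}
        self._last_fetch = None
        self.fetch_count = 0

    def get_key(self, kid):
        """Return the JWK for kid, or None (reject, or retry later) if unknown."""
        if kid not in self._keys:
            self._refresh()
        return self._keys.get(kid)

    def _refresh(self):
        now = self._clock()
        if self._last_fetch is not None and now - self._last_fetch < self._min_gap:
            return  # throttled: tokens with bogus kids cannot drive JWKS traffic
        self._last_fetch = now
        self.fetch_count += 1
        keys = self._fetch().get("keys", [])
        self._keys = {k["kid"]: k for k in keys if "kid" in k}


def demo():
    now, served = [0.0], [BEFORE_ROTATION]
    cache = JwksCache(lambda: served[0], clock=lambda: now[0])
    result = {"current": cache.get_key("k2") is not None}      # first fetch
    served[0] = AFTER_ROTATION                                  # issuer rotates keys
    result["promoted"] = cache.get_key("k3") is not None       # cached future key
    now[0] = 1.0
    result["too_soon"] = cache.get_key("k4") is None           # inside the 2.4 s gap
    now[0] = 3.0
    result["new_key"] = cache.get_key("k4") is not None        # one refetch
    for _ in range(100):
        cache.get_key("bogus")                                  # all throttled
    result["fetches"] = cache.fetch_count
    return result


if __name__ == "__main__":
    print(demo())
```

The throttle here is per process; because the limit is per tenant, deployments with several validator instances need a shared cache or a proportionally larger gap.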

The scheduled deactivation of /customers/actions/login, /trusted-system/actions/login, and other related endpoints has been extended from mid-2022 to March 31st, 2023 for existing customers. These endpoints are still not available to new customers, and we still discourage existing customers from using them. Instead, we strongly recommend that you use the Shopper Login and API Access Service (SLAS) because it meets a higher standard for security and availability.

  • Increased performance and response times through caching on the edge layer.
  • Resources affected: /product, /category, and /product_search.
  • Updates to the personalization handling ensure that personalized content is cached correctly.
  • No action is required by developers to take advantage of this update.
  • Replace SlasJWT-BearerSecurityScheme.BearerToken security scheme with CommerceCloudStandards.ShopperToken.