B2C Commerce API Release Notes

Use B2C Commerce API (also known as Salesforce Commerce API or SCAPI) to build headless commerce experiences.

  • For status updates and trust notifications, go to the B2C Commerce Status Page.
  • For the general B2C Commerce release notes, go to Salesforce Help.
  • To view the change policy, see: Change Policy.
  • To use the SDK to make your first call quickly, see the Quick Start.
  • For details about auth, see Authorization.
  • To learn about using B2C Commerce API, see the Guides.
  • To learn about using correlation IDs, see Identifying Requests and Responses.
  • To browse the API endpoints, use the left navigation. B2C Commerce API is broken into two main groups: Shopper APIs and Admin APIs. All Shopper API groups start with Shopper. For details about the differences, see Get Started.
  • Note: All secrets and tokens are fictional and provided as placeholders only.
  • Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.
  • Completed rollout of stricter realm short code validation for SCAPI requests. Make sure you validate your used short codes in Business Manager: Administration > Site Development > Salesforce Commerce API Settings.
  • Added Hybrid Auth support for passwordless login.
  • Fully removed the deprecated x-correlation-id response header from all instance types. The header is replaced by the sfdc_correlation_id response header.
  • Non customer-facing infrastructure updates for SCAPI Metrics in Log Center. No customer impact is anticipated.
  • Added read-only mode system monitoring for internal SCAPI request validation to support upcoming OAS API definitions. No changes are made as a result of the request validation.
  • Updated the summary documentation for multiple APIs to ensure consistency and enhance clarity.
  • EU and US-East Regions:
    • SLAS now supports LINE as 3rd party IDP.
    • SLAS scale and performance improvements.
    • SLAS minor infrastructure updates.
    • SLAS /password/action endpoint now returns locale in the response.
    • Improved SLAS log integration with the Log Center.
    • Fixed an issue in the SLAS Admin client configuration (UI and API) to allow selection of the sfcc.orders scope.
    • Fixed a bug related to SLAS token management with the Do Not Track (DNT) setting.
    • For public clients, reuse of the same refresh_token is now prohibited. You must rotate the refresh token following the process outlined in Access Tokens and Refresh Tokens. To give SLAS customers time to make the necessary changes, we are strictly enforcing this restriction according to the following schedule:
      • For customers using the plugin-slas cartridge, upgrade to Plugin SLAS v7.4.1.
      • Beginning May 20th, 2025, Sandbox, Staging (STG), and Development (DEV) tenant_ids that reuse old refresh tokens will receive a 400 invalid refresh token error.
      • Beginning June 24th 2025, all Production (PRD) tenant_ids that reuse old refresh tokens will receive a 400 invalid refresh token error.
  • With B2C Commerce version 25.6:
  • AP2 and AP3 Regions:
    • Scale and performance improvements
    • SLAS minor infrastructure updates
    • For public clients, reuse of the same refresh_token is now prohibited. You must rotate the refresh token following the process outlined in Access Tokens and Refresh Tokens. For customers using the plugin-slas cartridge, upgrade to Plugin SLAS v7.4.1. To give SLAS customers time to make the necessary changes, we are strictly enforcing this restriction according to the following schedule:
      • Beginning 05/20/2025, Sandbox, Staging (STG), and Development (DEV) tenant_ids that reuse old refresh tokens will receive a 400 invalid refresh token error.
      • Beginning 06/24/2025, all Production (PRD) tenant_ids that reuse old refresh tokens will receive a 400 invalid refresh token error.
  • Rollout for AP3, EU, and US regions begins 05/13/2025 through 05/15/2025.
  • Completed SLAS scale and performance improvements. No customer impact anticipated.
  • SLAS /password/action endpoint now returns locale in the response.
  • Made improvements in the SLAS Logs integration with the Log Center.
  • Fixed an issue in the SLAS Admin client configuration (UI and API) to allow selection of the sfcc.orders scope.
  • Fixed a bug related to SLAS token management with the Do Not Track (DNT) setting.
  • For public clients, reuse of the same refresh_token is now prohibited. You must rotate the refresh token following the process outlined in Access Tokens and Refresh Tokens. To give SLAS customers time to make the necessary changes, we are strictly enforcing this restriction according to the following schedule:
    • For customers using the plugin-slas cartridge, upgrade to Plugin SLAS v7.4.1.
    • Beginning 05/20/2025, Sandbox, Staging (STG) and Development (DEV) tenant_ids that reuse old refresh tokens will receive a 400 invalid refresh token error.
    • Beginning 06/24/2025, all Production (PRD) tenant_ids that reuse old refresh tokens will receive a 400 invalid refresh token error.
  • SCAPI support for the custom Client IP Header and Hybrid Authentication is now enabled on all instances.
  • Performance improvements in API validation. No customer impact is anticipated.
  • Bug fixed for OPTIONS requests that previously failed with and HTTP 500 error response.

SCAPI support for the custom Client IP Header and Hybrid Authentication is now enabled on Sandbox and Development instances. Enablement on Staging and Production instances is being planned.

  • Stricter realm validation for SCAPI requests:
    • For additional security, SCAPI request realm IDs are now verified for correct short code assignment. If the realm ID does not match the short code, an HTTP error status code 404 is returned. You can use Business Manager to find the assigned short code for a realm.
    • As of 04/09/2025, stricter realm validation is enabled on all instance types, including Staging and Production. Make sure you validate your used short codes in Business Manager: Administration > Site Development > Salesforce Commerce API Settings.
  • Media type validation of SCAPI requests is enabled on all instance types.
  • SCAPI support for the custom Client IP Header and Hybrid Authentication is now enabled on Sandbox instances. Enablement on Development, Staging, and Production instances is being planned.
  • Performed required database updates. No customer impact is anticipated.
  • The Hybrid Authentication (Hybrid Auth) feature becomes available on customer environments according to the following deployment schedule. Hybrid Auth must be enabled by Salesforce on a given environment and configured in Business Manager for your site to receive the dwsid cookie from SLAS getAccessToken endpoint responses.
    • ODS: 04/09/2025
    • Development instances: 04/16/2025
    • All remaining instances, including Production: 04/23/2025
    • For more details, see the B2C Commerce Deployment schedule.
  • You can now view HTTP log entries with status codes 5xx in the Log Center, and filter them with the service type scapi.
  • Stricter realm validation for SCAPI requests:
    • For additional security, SCAPI request realm IDs are now verified for correct short code assignment. If the realm ID does not match the short code, an HTTP error status code 404 is returned. You can use Business Manager to find the assigned short code for a realm.
    • As of 03/27/2025, stricter realm validation is only enabled for Sandboxes and Development instances. Make sure you validate your used short codes on your Sandbox and Development instances in Business Manager: Administration > Site Development > Salesforce Commerce API Settings.
    • Rollout to Staging and Production instances is being planned.
  • Media type validation of SCAPI requests is enabled for Sandbox and Development instances. Rollout to Staging and Production instances is planned as the next enablement step.
  • SLAS Infrastructure Deployment:
    • During the deployment of required database updates, shoppers might experience elevated response times for less than one minute. Our internal simulations of production peak traffic resulted in several seconds of performance degradation.
  • B2C Commerce version 25.3:
  • B2C Commerce version 25.4:
    • The SCAPI Shopper Products GET /product/shopper-products/v1/organizations/{organizationId}/products/{id}?expand=promotions endpoint and the OCAPI GET /products/{id}/promotions endpoint now return promotions with the same sort criteria as the Script API default:
      • Exclusivity: GLOBAL exclusive promotions are considered first, followed by CLASS exclusive promotions, and NO exclusive promotions are considered last.
      • Rank: Sorted ascending
      • Promotion Class: PRODUCT promotions are considered first, followed by ORDER promotions, and SHIPPING promotions are considered last.
      • Discount type: Fixed price promotions are considered first, followed by free, amount-off, and percentage-off. Bonus product promotions are considered last.
      • Best discount: Sorted in descending order. For example, 30% off is considered before 20% off.
      • ID: Alphanumeric ascending.
  • B2C Commerce version 25.5:
    • Fixed a bug with SCAPI sfdc_verbose mode. With this fix, no exception occurs if a SCAPI hook script doesn’t return a status code.
  • Stricter realm validation for SCAPI requests:
    • For additional security, SCAPI request realm IDs are now verified for correct short code assignment. If the realm ID doesn't match the short code, an HTTP error status code 404 is returned. You can use Business Manager to find the assigned short code for a realm.
    • As of 03/19/2025, stricter realm validation is currently in preview and is only enabled for Sandboxes. Make sure you validate your used short codes on your Sandbox instances in Business Manager: Administration > Site Development > Salesforce Commerce API Settings.
    • Rollout to Development, Staging, and Production instances is being planned.
  • Custom APIs are now aligned with SCAPI Admin API endpoints with the following constraints:
    • The default timeout limit has been increased from 10 seconds to 60 seconds.
    • The maximum request body size has been increased from 5 MB to 20 MB.
    • Business Manager quota limits apply.
    • A SCAPI Admin API request is defined by the absence of the siteId query parameter. These requests must use AmOAuth2 as the security scheme.
  • System monitoring is performed in read-only mode for media type validation of SCAPI requests, but media type validation is not enforced.
  • Improved the SLAS Admin UI design and user experience.
  • The SLAS Admin UI now displays the login page after 15 minutes of user inactivity.
  • SLAS 404 and 5xx error logs are now available in the Log Center.
  • The channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change enhances security by preventing unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows. For details, see Guest Tokens.
    • The original schedule was 09/01/2024 for all sandbox tenants and 10/01/2024 for all other non-production tenants. We implemented this change for all non-production tenants starting February 10th, 2025. We have started enforcing the change for all production tenants effective 3/25/25.
  • With B2C Commerce version 25.3, hybrid authentication (Hybrid Auth) replaces Plugin SLAS. Hybrid Auth improves the performance and stability of hybrid storefronts by moving the feature directly into the B2C Commerce platform. For details, see Hybrid Authentication.
  • The channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change enhances security by preventing unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows. For details, see Guest Tokens.
    • The original schedule was 09/01/2024 for all sandbox tenants and 10/01/2024 for all other non-production tenants. We implemented this change for all non-production tenants starting 02/10/2025. We are going to strictly enforce the change for all production tenants starting 03/25/20.
  • Runtime version update for internal SCAPI supporting applications. No customer impact is anticipated.
  • Fixed a bug related to the Trusted System On Behalf (TSOB) endpoint returning an incorrect Customer ID when different client IDs are used.
  • SLAS [/authorize](https://developer.salesforce.com/docs/commerce/commerce-api/references/shopper-login?meta=authorizeCustomer) endpoint now supports custom query parameters for 3rd party IDP consumption. For details, see SLAS Identity Providers.
  • The channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change enhances security by preventing unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows. For details, see Guest Tokens.
    • The original schedule was 09/01/2024 for all sandbox tenants and 10/01/2024 for all other non-production tenants. We implemented this change for all non-production tenants starting 02/10/2025.
  • In preparation for the removal of the Account Manager SLAS_ORGANIZATION_ADMIN (Account Manager API Client) and SLAS_TRUSTED_AGENT_READ_ONLY & SLAS_TRUSTED_AGENT_READ_WRITE (Account Manager User) roles, these roles were removed from the SLAS code base. Because these roles were never made available for SLAS production use, no customer impact is anticipated.
  • API request path validation now identifies empty path segments and handles them consistently across various components.
  • Support added for CORS headers with ports.
  • Update to the 01/07/2025 correlation ID header announcement: The new sfdc_correlation_id response header for the SCAPI Correlation ID is now fully enabled for SCAPI on all instances:
    • On sandbox and development instances, the deprecated x-correlation-id response header is no longer returned.
    • On staging and production instances, the deprecated x-correlation-id response header is still available, but is subject to removal in a future release.
  • Security updates. No customer impact is anticipated.
  • With B2C Commerce version 25.2:
    • The Shopper Search and Shopper Products APIs now support Page Meta Tag Rules. You can create Page Meta Tags in Business Manager (Merchant Tools > SEO > Page Meta Tag Rules) using a rule-based approach to enhance storefront pages with unique meta tag content and increase the SEO value across Product List Pages (PLPs) and Product Detail Pages (PDPs). A new optional page_meta_tags expansion, which controls the inclusion of page meta tags rules, has been added to /product-search and /products.
  • With B2C Commerce version 25.2:
    • Fixed an issue with the createScapiRemoteInclude() script functionality when used in combination with a Shopper API. As an example, this led to a 500 exception during the use of the Shopper Baskets API.
  • SLAS 4xx Logs are now available in Log Center. Log information includes the correlationID, which you can use for end-to-end request tracking.
  • SLAS now supports custom query parameters for the /login endpoint.
  • SLAS now supports merging claims for Azure IDP.
  • The SLAS PasswordReset flow no longer requires PKCE. You can now make password reset requests using the new, optional hint query parameter instead of a Proof Key for Code Exchange (PKCE) code_challenge and code_verifier. For details, see Password Reset.
  • Fixed a /userinfo endpoint bug related to using a Google IDP.
  • Fixed a bug related to password reset support across different devices.
  • Improved error handling and validation to return more meaningful error messages for Auth0 IDP.
  • The channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change enhances security by preventing unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows. For details, see Guest Tokens.
    • The original schedule was 09/01/2024 for all sandbox tenants and 10/01/2024 for all other non-production tenants. We will now implement this change for all non-production tenants starting 02/10/2025.
  • As of 02/10/25, we are now strictly enforcing the documented rate limit of 25 requests per minute (RPM) for the /jwks endpoint.
  • In preparation for the removal of the SLAS_ORGANIZATION_ADMIN (Account Manager API-Client) and SLAS_TRUSTED_AGENT_READ_ONLY (Account Manager User) Account Manager roles, these roles were removed from the SLAS code base. Because these roles were never made available for SLAS production use, no customer impact is anticipated.
  • Additional performance improvements included.
  • API request path validation now identifies invalid path segments.
  • Support added for CORS headers with ports.
  • Update to the 01/07/2025 correlation ID header announcement: The sfdc_correlation_id response header for the SCAPI Correlation ID is now fully enabled for SCAPI on all instances:
    • On sandbox and development instances, the deprecated x-correlation-id RESPONSE header is no longer returned.
    • On staging and production instances, the deprecated x-correlation-id RESPONSE header is still available, but is subject to removal in a future release.
  • Security updates. No customer impact is anticipated.
  • Security updates. No customer impact is anticipated.
  • As of July 31 2024, to enhance security for the Shopper Login API Access Service (SLAS), a channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change prevents unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows. For details, see Guest Tokens.
  • Server-Side Web-Tier Caching is now enabled for a select few realms in which it was previously disabled. For the list of cached APIs and other details, see Server-Side Web-Tier Caching.
  • Upgraded security infrastructure. No customer impact anticipated.
  • SLAS 4xx error logs are available in Log Center, which provides multiple benefits, including a single URL for all realms, up to 14 days of log data, and improved search capabilities. For details, see Shopper Login and API Access Service(SLAS) Overview.
  • Resolved a bug in the /login process when registered shoppers change their email and/or login ID multiple times. In this case, SLAS no longer triggers a 500 error.
  • SLAS Service Protection: As part of our bot mitigation strategy for the upcoming holiday season, we are introducing additional service protection:
    • A SLAS service protection mechanism to restrict bad actors or BOTs calling the same SLAS endpoint repeatedly using the same Unique Shopper ID (USID)) within a short span of time. This returns a 409 HTTP response.
  • To enhance security for the Shopper Login API Access Service (SLAS), a channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change prevents unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows. For details, see Guest Tokens.
  • Server-Side Web-Tier Caching is now enabled for a select few realms in which it was previously disabled. For the list of cached APIs and other details, see Server-Side Web-Tier Caching.
  • With B2C Commerce version 24.10, the SLAS 4xx error logs are available in Log Center, which provides multiple benefits, including a single URL for all realms, up to 14 days of log data, and improved search capabilities. For details, see View SLAS Error Logs in Log Center.
  • By default, shopper tracking preferences are disabled for Trusted Agent on Behalf (TAOB) authorization, which means the Do Not Track dnt parameter is set to true. This differs from other SLAS token requests, for which the default dnt value is false.
  • SLAS Service Protection: As part of our bot mitigation strategy for the upcoming holiday season, we are introducing additional service protection:
    • A SLAS service protection mechanism to restrict bad actors or BOTs calling the same SLAS endpoint repeatedly using the same Unique Shopper ID (USID)) within a short span of time. This returns a 409 HTTP response.
  • To enhance security for the Shopper Login API Access Service (SLAS), a channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change prevents unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows. For details, see Guest Tokens.
  • Server-Side Web-Tier Caching is now enabled for a select few realms in which it was previously disabled. For the list of cached APIs and other details, see Server-Side Web-Tier Caching.
  • Trusted Agent on Behalf (TAOB) authorization now allows an agent to perform actions on behalf of guest shoppers.
  • Refined documentation, including best practices and sample code for validating SLAS JWTs with JWKS, to simplify key management and enhance security.
  • SLAS Service Protection: As part of our bot mitigation strategy for the upcoming holiday season, we are introducing additional service protection:
    • A SLAS service protection mechanism to restrict bad actors or BOTs calling the same SLAS endpoint repeatedly using the same Unique Shopper ID (USID)) within a short span of time. This returns a 409 HTTP response.
    • SLAS Trusted System on Behalf (TSOB) logins will have the SAME service protection window of 3 seconds across all regions.
      • Beginning 10/02/2024 in the AP-Northeast-1 region and 10/09/2024 in the US-East-1 region, customers attempting to log in more than once through TSOB during a period of 3 seconds will receive a 409 HTTP error. No customer impact is anticipated. If you see an increase in 409 HTTP errors, open a support case.
      • No change for the SLAS AP-Southeast-2 and EU-Central-1 regions, which utilize the existing protection window of 3 seconds.
  • To enhance security for the Shopper Login API Access Service (SLAS), a channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change prevents unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows. For details, see Guest Tokens.
  • Enhanced error handling for the /passwordless/login endpoint. The endpoint now returns a 404 error instead of a 502 error when no shopper is found.
  • SLAS Service Protection: As part of our bot mitigation strategy for the upcoming holiday season, we are introducing additional service protection:
    • A SLAS service protection mechanism to restrict bad actors or BOTs calling the same SLAS endpoint repeatedly using the same Unique Shopper ID (USID)) within a short span of time. This returns a 409 HTTP response.
    • SLAS Trusted System on Behalf (TSOB) logins will have the SAME service protection window of 3 seconds across all regions.
      • Beginning 10/02/2024 in the AP-Northeast-1 region and 10/09/2024 in the US-East-1 region, customers attempting to log in more than once through TSOB during a period of 3 seconds will receive a 409 HTTP error. No customer impact is anticipated. If you see an increase in 409 HTTP errors, open a support case.
      • No change for the SLAS AP-Southeast-2 and EU-Central-1 regions, which utilize the existing protection window of 3 seconds.
  • To enhance security for the Shopper Login API Access Service (SLAS), a channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change prevents unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows. For details, see Guest Tokens.
  • Fixed a SLAS Admin UI bug to ensure the UserInfo URL value is not auto-populated with token information.
  • With B2C Commerce version 24.10, added performance and stability improvements in SCAPI caching, specifically for price/promotion calculations. No customer impact is anticipated.
  • Stability and visibility enhancements. No customer impact is anticipated.
  • SLAS Service Protection: As part of our bot mitigation strategy for the upcoming holiday season, we are introducing additional service protection:
    • A SLAS service protection mechanism to restrict bad actors or BOTs calling the same SLAS endpoint repeatedly using the same USID (Unique Shopper ID) within a short span of time. This returns a 409 HTTP response.
    • SLAS Trusted System on Behalf (TSOB) logins will have a service protection window of 3 seconds.
      • Beginning 10/02/2024 in the AP-Northeast-1 region and 10/09/2024 in the US-East-1 region, customers attempting to log in more than once through TSOB during a period of 3 seconds will receive a 409 HTTP error. No customer impact is anticipated. If you see an increase in 409 HTTP errors, open a support case.
      • No change is planned for the SLAS AP-Southeast-2 and EU-Central-1 regions, which are configured for 3 seconds.
  • To help you verify the authenticity of callback requests, SLAS provides a SlasCallbackToken (JWT) for each passwordless login and password reset callback that SLAS sends. For more details, see Verify the SLAS Password Action Callback.
  • To enhance security for the Shopper Login API Access Service (SLAS), a channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change prevents unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows. For details, see Guest Tokens.
  • Fixed a JWT validation issue when special characters, especially colons(:) were used in the first name or last name.
  • Updated SLAS Infrastructure for holiday readiness.
  • To enhance security for the Shopper Login API Access Service (SLAS), a channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change prevents unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows using the schedule in Guest Tokens.
  • CORS: Header Access-Control-Allow-Methods are no longer returned in SCAPI responses, but are returned for OPTIONS requests per HTTP specifications. No customer impact anticipated.
  • Security: Added the strict-transport-security header with a one year expiration. No customer impact anticipated.

With B2C Commerce version 24.9.1, added a read-only, optional hashedLogin field in the response as applicable for the following Shopper Customers API endpoints:

  • PATCH /customers/{customerId} (updateCustomer)
  • GET /customers/{customerId} (getCustomer)
  • POST /customers (registerCustomer)
  • Updated SLAS third-party library information for holiday readiness.
  • Addressed a limitation in the SLAS refresh token flow. If a public client logs in and then a private client logs in with the same USID, the public client refresh_token is now deleted and replaced.
  • Fixed a SLAS bug in the registered user third-party IDP login flow. When a guest USID is used and the login process does not complete, the access token now remains as a guest token until a successful registered user 3rd party IDP login occurs.
  • Improved Error Handling:
    • Refactored the idp/callback 503 error when the state is null to no longer return a 503 error. A 400 bad request error is now returned.
  • Updated the SLAS Admin UI to allow customers to access the UI through their short-code.
  • Fixed a rare and intermittent spike in SLAS response times.
  • For SCAPI calls using a SLAS JWT, added the Disable the Modification of the Issuer Date toggle to invalidate a customer JWT after a password change. When the toggle is set, a 401 InvalidAccessTokenException response code is returned when trying to use an existing request token after a password change. When the toggle is not set, the error response is only thrown if the time between the token issuer date and the password modification date exceeds 30 seconds.
  • Added infrastructure enhancements for new installation configurations. No customer impact anticipated.
  • In preparation for the holiday season, enabled cache infrastructure enhancements.
  • Upgraded security infrastructure. No customer impact anticipated.
  • Added response timeout handling for all instance types:
    • In preparation for the holiday season, documented timeouts are enforced on all instance types, including Production instances. Shopper APIs and Custom APIs must respond within 10 seconds, and Admin API requests must respond within 60 seconds. If a response to a SCAPI request exceeds the specified threshold, an HTTP 504 status code is returned. For details, see Error Response Codes.
    • See the Added response timeout handling for Sandbox instances release note for more details.
  • With B2C Commerce 24.8, you can set cache expiration for objects with a Validity Period for the Shopper Products getProduct and getCategory endpoints and the Campaigns getCampaign endpoint. For details, see Cache Expiration for Objects with a Validity Period.
  • HTTP2 protocol issues fixed when using CORS.
  • With B2C Commerce version 24.8:
    • Added support for Cross-Origin Resource Sharing (CORS). For details, see CORS in SCAPI and the CORS API.
    • For the Shopper Products getProduct and getCategory endpoints and the Campaigns getCampaign endpoint, you can now set a time window, called the Validity Period. The validity period is used for server-side cache expiration to prevent serving stale content. For additional details, see “Cache Expiration for Objects with a Validity Period” in Server-Side Web-Tier Caching.
  • To enhance security for the Shopper Login API Access Service (SLAS), a channel_id (site) parameter is now required when requesting a guest access token with a grant_type of client_credentials. This change prevents unauthorized access across different storefronts. Existing customers must update their implementation to include the channel_id parameter in the client credential call in guest flows by 7/31/2024. For details, see Guest Tokens.
  • The total number of scopes is now limited to 85 entries, which is enforced in both the SLAS API and SLAS Admin UI.
  • Added client credentials to the POST body when refreshing an access_token from IDP. You can control this using a flag in the SLAS-IDP configuration. For details, refer to the documentation for the SLAS Admin IdentityProvider endpoint.

With B2C Commerce version 24.7.2:

  • Preferences API
    • Returns the value of the most recent custom preference ID version if the preference ID definition is changed.
  • SLAS infrastructure updated in preparation for the holiday season.
  • Server-Side Web-Tier Caching is automatically turned on for:
  • Internal infrastructure upgrades. No customer impact is anticipated.

With B2C Commerce version 24.7:

  • Collect Request Details for SCAPI requests by using the HTTP request header sfdc_verbose: true.
  • Merchants and developers can update the status of redeemed coupons using the new Coupons API redeemCoupon endpoint.
  • Use the SEO API to upload a custom sitemap and trigger the sitemap generation process. You can now combine your external routes with those in B2C Commerce in a single sitemap.
  • Shopper Context API
  • Checkout APIs
    • For Shopper Baskets v1 and v2 createBasket and updateBasket endpoints, the product line item quantity limit is now set to the API quota api.basket.productLineItemQuantity of 1000, and the API no longer returns a 400 Bad Request for values greater than 999.
    • In addition, the 999 product line item quantity limit on createOrders is removed, and the quantity set by this endpoint is now unlimited.

With B2C Commerce version 24.7.1:

  • Shopper Context API
  • The Shopper Customers API updateCustomer endpoint allows loginId to be updated if a valid current password is provided for the shopper.
  • Preferences API
    • When retrieving site and global preferences, the Preferences API first checks for custom settings, and if no custom settings exist, now instead returns the default settings in Business Manager.
  • SLAS Admin: Added validation for SLAS Client callback URLs to prevent the use of localhost or loopback addresses as host names in production environments.
  • Added SLAS resilience improvements for holiday readiness.
  • Server-Side Web-Tier Caching is enabled for all SCAPI customers who aren’t currently using the cached APIs and haven’t made production requests to any cached APIs in the last seven days. For the list of cached APIs and other details, see Server-Side Web-Tier Caching.
  • The siteId query parameter is no longer mandatory for custom API calls. If a site is not provided, the default site is the Business Manager site. For details, see Custom APIs.
  • With B2C Commerce version 24.5, the Shopper endpoint constraint for supporting trusted agent tokens on a specific subset of Shopper endpoints has been removed. For details, see Trusted Agent Authorization.
  • Internal infrastructure change: additional internal header introduced. No customer impact is anticipated.
  • With B2C Commerce version 24.6, the mergeBasket endpoint now merges the guest shopper’s shippingAddress and shippingMethod into the registered basket when the registered basket does not contain shippingAddress or shippingMethod.
  • The new Preferences API allows you to retrieve Site and Global preferences.
  • The Shopper Products API getCategories endpoint now provides the onlineSubCategoriesCount property.
  • Internal infrastructure upgrade and security updates. No customer impact is anticipated.
  • SLAS now allows shoppers to have multiple clients and authenticate on the same device with a single USID, provided the clients use their respective refresh_tokens to refresh their sessions.
  • SLAS IDP integration has enhanced error handling to return more meaningful error messages to the caller. No change in error code information.
  • The refined error message: “The Account is disabled” is returned for any user account disabled in B2C Commerce. No change in the error code.
  • Shopper Custom Object API scopes are now limited to 20 entries. This is now enforced in both SLAS API and SLAS Admin UI.
  • Enhanced SLAS internal error handling and log messages.

  • With B2C Commerce version 24.5, the Shopper Baskets API supports patching variations within product bundles in a single call. This enhancement provides:

    • More efficient and streamlined product bundle management, making it easier to update multiple variations within a bundle without the need for multiple API calls.
    • Increased productivity for developers managing complex product bundles.

    For details, see updateItemInBasket.

  • SLAS database performance improvements. No customer impact is anticipated.
  • SLAS internal infrastructure optimization. No customer impact is anticipated.
  • Internal infrastructure change for SCAPI contract validation. No customer impact is anticipated.
  • Removed obsolete code modules related to encoding issues. For encoding details, see URL Encoding of Special Characters.

With B2C Commerce 24.5, You can use external taxation mode with the Shopper Baskets API when hooks are enabled. For details, see External Taxation Documentation.

  • Optimization performed in internal infrastructure routing. No customer impact anticipated.

With B2C Commerce 24.4:

  • Added the Shopper Custom Objects API for retrieving Custom Objects. For details, see Shopper Custom Objects.
  • Added support for additional HTTP methods for Custom APIs. For details, see Custom APIs.
  • SCAPI: Routine maintenance of infrastructure. No customer impact is anticipated.
  • SLAS: Database and infrastructure updates. During the deployment period, shoppers might experience elevated response times for less than a minute.
  • Routine maintenance of infrastructure. No customer impact is anticipated.
  • Added response timeout handling for Sandbox instances:
    • If responding to a SCAPI request takes too long (60 seconds for Data API requests), an HTTP 504 status code is returned.
    • This is only enforced for requests to Sandbox instances, but will be rolled out to all instance types in the future.
    • For more information see Error Response Codes.
  • With B2C Commerce 24.3, updated the Orders API updateOrderStatus endpoint to support a new update status failed_with_reopen:
    • When an order is updated with the failed_with_reopen status, the order status is set to failed.
    • If the basket can be reopened, the API returns response code 201 with the reopened basket URL in the location header.
    • If the basket cannot be reopened, the API returns response code 204 with an empty location header.
  • With B2C Commerce 24.3, expanded the Shopper Search API productSearch endpoint to include additional parameters: productPromotions, imageGroups, priceRanges, and variants:
    • The corresponding expansion and query parameters are required in order to get the additional product data in the response. For details and best practices, refer to the Shopper Search API documentation.
  • Added the Customer API searchCustomerGroup endpoint, which searches for customer groups for the siteId.
  • Routine maintenance of infrastructure. No customer impact is anticipated.
  • During the maintenance window, shoppers might experience elevated response times.
  • For the latest B2C Commerce service status and deployment information, subscribe to Trust Center notifications.

  • This feature is generally available from B2C Commerce 24.2:

    • Updated getUrlMapping's response to include the optional property resourceSubType, which indicates whether the resolved object is a Page Designer content asset or a Content Slot asset. For more information, see the UrlMapping type reference.

  • These features are generally available from B2C Commerce 24.3:

    • Updated getUrlMapping to support URL redirects. For more information, see the URL Resolution guide.

    • Updated getUrlMapping to support these hooks: dw.shop.seo.url_mapping.beforeGET and dw.shop.seo.url_mapping.modifyGETResponse.

  • Custom Request Headers
    • Developers can send custom request headers that are passed and made available in server-side custom implementations.
    • The required pattern is: c\_{yourHeader}.
  • Update order now supports the ShopperTokenTsob security scheme.
  • Shopper Baskets v2 available with B2C Commerce 24.1
    • Provides support for temporary baskets. Temporary baskets can perform calculations to generate totals, line items, promotions, and item availability without affecting the shopper’s storefront cart. You can use these calculations for temporary basket checkout.
    • New Shopper Basket v2 response fields:
      • groupedTaxItems
      • taxRoundedAtGroup
      • temporaryBasket
    • Temporary basket use cases include:
      • A shopper wants to purchase an item without affecting their existing shopping cart, which contains items for an unrelated purchase:
        • A shopper selects an Apple Pay button for a product.
        • A shopper selects a reorder button for a product on an order history page.
        • A shopper selects an order button on a wish list page to purchase one or more items.
      • A merchant shares a link through social channels to purchase promotional items.
      • A customer support agent sends a Buy Now link with pre-set products to a shopper for self-checkout (no passing of payment details to support).
    • For additional details, see Shopper Baskets V2.

The dw.ocapi.shop.basket.beforePOST hook is no longer supported in Shopper Baskets V2 and is replaced by the dw.ocapi.shop.basket.beforePOST_v2 hook.
  • Stricter request header filtering is performed. Custom code must use custom request headers.
  • Identical CorrelationId information is no longer returned for independent requests.
  • Correct 503 status code is now returned during a site maintenance window.
  • During the maintenance window, shoppers might experience elevated response times.
  • For the latest B2C Commerce service status and deployment information, subscribe to Trust Center notifications.
  • Introduced new load shedding functionality that:
    • If the system reaches a load threshold, an HTTP 503 response is returned for a subset of API families.
    • Covers APIs not covered by rate limits that are considered non-critical, for example: endpoints related to search, products, and authentication. Load shedding is not used for checkout-related endpoints, such as Shopper Baskets and Shopper Orders, to ensure that shoppers can complete an in-progress checkout.
    • Includes additional HTTP response headers that allow you to understand the current system load: sfdc_load, which represents a load percentage with higher percentages indicating higher loads, and sfdc_load_status, which is a enum WARN|THROTTLE that helps you understand the relative health of the system.
  • Routing for /shopper-experience requests resulting in HTTP 500 errors.
  • Cleanup of deprecated infrastructure and configuration.
  • SLAS Admin UI: Added client name to the client list and detail pages.
  • SLAS API: Added support for the DoNotTrack (DNT) query parameter in token calls for headless customers. This is in preparation for a future SCAPI B2C Commerce rollout. Additional documentation will be provided.
  • SLAS to B2C Commerce Data consistency: Addressed a limitation around customer records synchronization between B2C Commerce and SLAS.
  • SLAS third-party IDP configuration is tolerant of missing idToken when refreshing third-party IDPs.
  • Security updates.

These features are generally available with B2C Commerce 24.3:

  • The select query parameter in the Product Search API endpoint filters the response payload by a specified field or set of fields. This allows you to focus on the data that's important to you and improve page loading speed.
  • Save time and improve product listing page (PLP) performance by using the enhanced Product Search API endpoint. Use the new optional expansion on the Product Search API endpoint to retrieve product metadata and avoid the use of additional API calls to Get Products. Use these features to provide the additional information needed to render your PLP:
    • Allowable value: promotions value in the expand query parameter
    • Query parameters: perPricebook, allImages, and allVariationProperties
    • Responses: productPromotions, imageGroups, priceRanges, tieredPrices, variants, and variationGroups

Salesforce Commerce Cloud now provides a new framework that enables you to write custom B2C commerce script code, such as controllers, and expose this functionality as a custom REST API endpoint under the SCAPI framework. Those custom API endpoints accept the same AuthN/AuthZ model as our Shopper and Admin APIs.

With the transition from Beta to General Availability (GA), future changes to B2C Commerce Custom APIs will follow our change policy.

If you are new to Custom APIs, see Custom APIs as a starting point.

  • New features (non-breaking changes) not included in the Beta:
  • If you particpated in the Custom APIs Beta, the transition to General Availability causes the following BREAKING changes. Review and update your code as needed:
    • Custom endpoints now require custom scopes. For details, see Scopes.
    • Storefront quota limits are now enforced. Review these limits and fix any errors. For details, see API Quotas. The quota limits relevant for Custom APIs are the ones marked as Storefront Limit.
    • We've added Circuit Breaker functionality that is similar to what exists for hooks to Custom APIs. This is a protective measure that blocks API requests when the error rate is too high. For details, see Circuit Breaker. B2C Commerce Custom APIs support HTTP GET requests as well as DELETE, HEAD, and OPTIONS. Future transaction support with POST, PUT, PATCH is being planned.
  • Custom rules allow you to control incoming traffic by setting up firewall policies based on various request parameters. These API endpoints expand on the existing functionality of firewall rules. With custom rules, you have complete control over the rule expression. We’ve also extended the list of allowed request field types and rule actions, which offer increased flexibility and allow you to create expressions that match your specific traffic needs.
  • Commerce Cloud B2C Commerce has migrated all existing firewall rules to a new custom rules CDN-API endpoint. All customers are directed to transition to using custom rules in place of firewall rules. The firewall rules are scheduled for deprecation. Complete the transition to custom firewall rules in place of firewall rules before February 1, 2024.
  • For additional details, see: eCDN Custom Rules
  • Cleanup of deprecated SCAPI migration code and configuration. These are nonbehavioral changes.
  • Resilience improvements for the SCAPI CDN layer
  • Improved error handling for TSOB(Trusted system on Behalf) for "customer not found" user scenarios.
  • Support added for using SAP Customer Data Cloud socialize REST endpoints.
  • IDP configuration now allows the IDP client credentials to be added to the POST body.
    • SLAS now supports OIDC client_secret_basic and client_secret_post for client authentication.
  • Updated the /introspect endpoint to include a “sub” claim in the response.
  • Improved validation in Session Bridge(SESB) flow by checking for the customer_id and failing the request if the customer is already registered.
  • Includes SLAS Admin UI and API fix to address the cache synchronization issue when a client is edited or deleted.
  • Minor fixes
  • Added new sfdc_maintenance header in SCAPI responses during maintenance windows
  • Resilience improvements for the SCAPI CDN layer
  • Update on encoding handling for special characters
  • Holiday preparation: Improve visibility and stability
    • Improve header handling for resiliency
  • Enhanced error handling for SLAS TSOB (Trusted System on Behalf) when IDP is B2C Commerce. For the first time call with a non-existing shopper ID, error code 400 is returned in place of the incorrect 409 error code. This change is specific to B2C IDP and does not impact TSOB using Okta or any other 3rd-party IDPs.
  • Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • In view of Salesforce wide Holiday moratorium, no planned SLAS releases during 11/6/2023 and 1/2/2024.
  • Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers access to your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.
  • The Get URL Mapping API endpoint allows headless storefronts to support localized, user-friendly URLs based on URL rules set up in Business Manager. This endpoint helps you to increase your site traffic and improve site navigation. Get URL Mapping is in a new API named Shopper SEO. For more information, see URL Resolution and the Shopper SEO API reference.
  • Use the Shopper Stores API to find details about stores. Shoppers can locate nearby stores for delivery or offline shopping. See the Shopper Stores API reference.
  • Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers access to your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.
  • In view of Salesforce wide Holiday moratorium, no planned SLAS releases during 11/6/2023 and 1/2/2024.
  • Addressed a bug in SLAS Session Bridge (SESB) functionality when a guest user transitions to registered user with the authorize (/authorize) flow.
  • SLAS Admin UI validation and messaging for Shopper context API public client customers.
  • SLAS Monitoring enhancements as part of Holiday readiness.
  • SLAS now supports Last Name(family_name claim) as optional for Google IDP client.

  • Shopper Orders Guest Order Lookup secured by SLAS Trusted System On Behalf Token is available now.

  • The Order response document now contains an order view code that can be used to retrieve guest orders securely using the Guest Order Lookup endpoint. The order view code contains only URL-safe characters.

    Warning: Do not expose the order view code in the URL. The order view code can only be displayed to the shopper or sent as an email. Do not log the order view code in the code.

  • Request header size optimizations
  • Bugfix for shopper-search refinement parameter encoding
  • Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers access to your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.
  • In view of Salesforce wide Holiday moratorium, there will not be any planned SLAS releases during 11/6/2023 and 1/2/2024.
  • SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • Fixed a bug related to Cache synchronization across SLAS PODs.
  • Security library updates
  • CustomerGroupIds is now supported in Shopper Context API.
  • Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers access to your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.
  • Aligning with the Salesforce-wide Holiday moratorium, there are no planned SLAS releases between 11/6/2023 and 1/2/2024.
  • SLAS now supports OIDC locales parameter on /authorize endpoint.
  • Security Bug fixes
  • Holiday preparation: Improve performance, visibility, and stability
    • Following the preview release from 08/30/2023 we are now releasing this feature and iinfrastructure update to production environments.
    • Affected PODs are all PODs that were not listed in the two releases from 09/27/2023 and 09/21/2023.
    • Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.
    • Introduction of new custom query parameters: `c_`` can now be defined on SCAPI requests and is be routed end to end, Parameters are available in hooks for custom control logic.
  • Holiday preparation: Improve visibility and stability
    • Updated infrastructure layers for SCAPI requests
  • SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • Holiday preparation: Improve performance by enabling of caching
    • Affected PODs are: POD94, POD112, POD122, POD159, POD162, POD173, POD192, POD194, POD198, POD204, POD226
  • Holiday preparation: Improve performance, visibility, and stability
    • Following the preview release from 08/30/2023 we are now releasing this feature update to production environments.
    • Affected PODs are: POD114, POD136, POD149, POD173, POD174, POD210, POD229, POD250, POD253, POD260
    • Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.
    • Introduction of new custom query parameters: c_<yourparameter> can now be defined on SCAPI requests and is routed end to end. Parameters are available in hooks for custom control logic.
    • CORS headers handling, ALL customers.
    • CORS headers like Origin are NOT interpreted any longer, to avoid CORS errors.
    • SCAPI currently does not support CORS.
  • SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • SLAS IDP authorize now enables merge shopper profile capability. We've extended registerIdentityProvider to support a new parameter loginMergeClaims. This parameter allows you to specify whether shopper accounts created via this IDP should be merged with existing accounts using one of those parameter values, preserving order history (amongst other things). Refer to the Merge Shopper Profiles User Guide and registerIdentityProvider.
  • Following the preview release from 08/30/2023 we are now releasing this feature update to production environments.
  • Affected PODs are: POD94, POD112, POD122, POD136, POD159, POD162, POD173, POD192, POD194, POD198, POD204, POD226, POD240, POD248, and POD253
  • Holiday preparation: Improve performance, visibility, and stability
  • Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network
  • New custom query parameters: c_<yourparameter> can now be defined on SCAPI requests and will be routed end to end. Parameters are available in hooks for custom control logic.
  • Security Updates
  • Log Improvements

  • Preview release to sandboxes only (SIG and ODS).

  • Holiday preparation: Improve performance, visibility, and stability.

  • Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.

  • Introduction of new custom query parameters: c\_<yourparameter> can now be defined on SCAPI requests and are routed end to end, and therefore available in hooks for custom control logic.

    We'd like all customers to verify your existing SCAPI implementation on sandboxes and report any issues back.
  • Trust Notification
    • SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
    • Improvements to Trusted System on Behalf (TSOB) flow to be able to better handle simultaneous requests.
    • As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS, and to shoppers who have not returned to the shopping app at least once in the last 45 days need to relogin. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90 day, standard duration. Shopper Guest sessions and B2C Commerce basket retention is not affected in any way.
  • productSearch now correctly handles storefront search filters and refinement values with the & character, and considers all terms in the refinement attribute before and after the &. Previously, the search filter and refinement parameter was incorrectly truncated, and requested refinements with the & character in the attribute name did not match the configured refinements in Business Manager.
  • Security updates
  • SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • Addressed a limitation in SLAS Session Bridge (SESB) functionality when a guest user creates a cart, add products to the cart, and then login as a registered user WITH trusted system (TSOB) to merge the cart and it fails.
  • Addressed a bug related to case sensitive login_id comparison for Session Bridge (SESB) token requests, where the casing of the login_id passed to getSessionBridgeAccessToken was different from the casing of the login_id in B2C Commerce.
  • As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS, and to shoppers who have not returned to the shopping app at least once in the last 45 days need to relogin. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90 day, standard duration. Shopper Guest sessions and B2C Commerce basket retention is not affected in any way.
  • Security Updates
  • Addressed a limitation in plugin_slas integration with SLAS around Merge Cart for Guest to Registered flow.
  • For the getSessionBridgeAccessToken endpoint, the returned TokenResponse now correctly includes the enc_user_id attribute.
  • As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS, and to shoppers who have not returned to the shopping app at least once in the last 45 days need to relogin. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90 day, standard duration. Shopper Guest sessions and B2C Commerce basket retention is not affected in any way.
  • Security Updates
  • Increased timeout from 10 seconds to 25 seconds for incoming requests to Products data endpoints.
  • Default IDP configuration allows for SSO/OIDC configuration with other IDPs outside the list of SLAS supported IDPs. Configuration can be performed via the Admin API or Admin UI. For more information, see Configure a Default IDP.
  • Preferred IDP configuration cleanup and functionality added to Admin UI.
  • As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS, and to shoppers who have not returned to the shopping app at least once in the last 45 days need to relogin. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90 day, standard duration. Shopper Guest sessions and B2C Commerce basket retention is not affected in any way. Ideally, customers should be Shopper Guest sessions and B2C Commerce basket retention is not affected in any way.

Certificate rotation for SCAPI logging and metrics infrastructure.

  • One certificate pair per region: EUC1, USE1, APS2, and APN1
  • Security Updates
  • Logging Optimizations
  • Security Updates
  • SLAS Infrastructure and scale improvements.
  • SLAS Admin UI improvements related to user search and get user statistics.
  • Fixed logout implementation. SLAS to OCAPI calls no longer fail throwing ClientAccessForbiddenException.
  • As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS, and to shoppers who have not returned to the shopping app at least once in the last 45 days need to relogin. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90 day, standard duration. Shopper Guest sessions and B2C Commerce basket retention is not affected in any way.
  • Performance optimizations
  • Performance optimizations
  • SLAS Infrastructure and scale improvements to handle higher transaction volume.
  • productSearch now correctly handles storefront search queries with the & character and considers all terms before and after the &. Previously, the search query was incorrectly truncated before the & character and subsequent terms were missing in the query.

  • SLAS /token endpoint includes refresh token time to live (TTL) claim, and the value is in seconds to be consistent with expires_in for the access_token TTL. For more information, see getAccessToken.

  • Improved error handling to send clear 4xx messages on /revoke endpoint if a null token is provided. For more information, see revokeToken.

  • SLAS Admin has enhanced validation in place to help customers create tenants in the correct region.

  • Performance optimizations
  • Performance optimizations
  • Shopper Customers API and Customers API security updates.
  • Updated configuration handling to improve performance.
  • Update on metrics and logging to improve supportability.
  • introspectToken returns more specific error messages on failures.
  • authenticateCustomer and other endpoints which result in calls to a B2C Commerce instance return more specific error messages when that instance is down.
  • To support native mobile apps, added support for custom scheme redirects.
  • Updated routing and mapping policies to prepare for future functionality.
  • Security updates.
  • Updated the getTrustedAgentAccessToken endpoint to make the agent_id parameter optional.
  • Updated the SLAS Admin UI with specific error messaging for issues with logging into Account Manager.
  • Private clients now support grant_type=authorization_code in addition to grant_type=authorization_code_pkce.
  • Removals of customer records in B2C Commerce are now synchronized with SLAS. If a customer record is deleted in B2C Commerce, this change is recognized by SLAS.
  • NEW SLAS-Marketing Cloud SMS for Passwordless login is ready! See Passwordless Login with SMS to get started.
  • resetPassword rejects weak passwords with an HTTP 400 error.
  • getUserInfo supports names with special characters.
  • getUserInfo supports Trusted System on Behalf of tokens.
  • Credential Quality APIs deprecated and removed.
  • Improved Guest Shopper validation to allow B2C Commerce IDP origin for session bridge.
  • Session Bridge: fixed 500 server error on incorrect hint.
  • SLAS Admin UI: Fixed issues related to Tenant ID format check at browser level.
  • Shopper Baskets now supports the following SLAS Trusted-Agent-On-Behalf-only endpoints:
    • PUT /baskets/{basketId}/agent
    • PUT /baskets/{basketId}/storefront
    • POST baskets/{basketId}/price-adjustments
    • DELETE baskets/{basketId}/price-adjustments/{priceAdjustmentId}
    • PATCH baskets/{basketId}/price-adjustments/{priceAdjustmentId}
  • The following new channel types are supported by Baskets and Orders apps: TikTok, SnapChat, Google, WhatsApp, and YouTube
  • BOT Mitigation improvements: Reduced the time window from 2 seconds to 1 second for the same user login that returns Error 409.
  • Fixed the issue around deletion of a user with different loginID and IDP, when the tenant and customerID remains the same.
  • SLAS Tenant creation improvements to include region validation.
  • SLAS Service Introducing Rate Limit of 25 TPM per tenant for JWKs and well-known endpoints.
  • SLAS service redirect to customer’s registered callback URL on IDP errors and return Error 412 for refresh token calls.
  • Trusted agent on behalf (TAOB): Client ID present check fix on /auth rather than /token.
  • Guest SESB refresh bug fix.
  • Improved IDP message errors back from third-party IDP.
  • Increase shopper authorization code size to accommodate larger code sent from Identity Providers.
  • SLAS Admin UI fixes for tenant display post deletion and faster IDP creation.
  • SLAS Admin: Client scope update fix.
  • Trusted agent on behalf: additional redirect URI parameters for authorize are separated properly.
  • Shopper-Experience API global rollout.
  • Bug fixes:
    • Admin UI, client create claims fix
    • SESB fix for OCAPI calls
  • Features:
    • Support for Active Directory Federated Service IDP
  • The Shopper Context API is now generally available!
  • Rate limit update to the rules endpoint in the Catalogs API.
  • Update TrustedAgentOnBehalf support for Shopper Token policy.
  • Support for Forgerock IDP.
  • Trusted agent on behalf (TAOB) now supports Private ClientID flow. Changed the TAOB JWT token expiry from 30 to 15 minutes for PCI compliance.
  • /jwks endpoint now returns 3 key IDs (past, current, and future KeyID).
  • Reduced the Passwordless OTP - token length from 20 to 8 characters.
  • Enhanced BOT mitigation strategy within SLAS.
  • Fixed inconsistencies related to failed tokens.
  • Session Bridge: Improved error messaging & guest support.
  • SLAS no longer calls ecom, when a shopper account is locked.
  • User cache refinements & Fixed cache inconsistencies after tenant key rotation.
  • Addressed login ID inconsistencies for passwordless login.
  • Fixed AppleIDP issue related to middle name.
  • Rate limit increase for GET /customers/*(Shopper-Customers).
  • Rate limit increase for GET /products-lists/{id}(Shopper-Customers).
  • Rate limit increase for Orders API.
  • Rate limit updates: API families have either a 5s tier or a 60s tier.
  • Response compression has been introduced.
  • The expand query parameter has been added for getProducts.
  • Added support for correlation-id and x-correlation-id headers.

The scheduled deactivation of /customers/actions/login, /trusted-system/actions/login, and other related endpoints has been extended from mid-2022 to March 31st, 2023 for existing customers. These endpoints are still not available to new customers, and we still discourage existing customers from using them. Instead, we strongly recommend that you use the Shopper Login and API Access Service (SLAS) because it meets a higher standard for security and availability.

  • Increased performance and response times through caching on the edge layer.
  • Resources affected: /product, /category, and /product_search.
  • Updates to the personalization handling ensure that personalized content is cached correctly.
  • No action is required by developers to take advantage of this update.
  • Replace SlasJWT-BearerSecurityScheme.BearerToken security scheme with CommerceCloudStandards.ShopperToken.