B2C Commerce API Release Notes

Use B2C Commerce API (also known as Salesforce Commerce API or SCAPI) to build headless commerce experiences.

• For status updates and trust notifications, go to the B2C Commerce Status Page.
• For the general B2C Commerce release notes, go to Salesforce Help.
• To use the SDK to make your first call quickly, see the Quick Start.
• For details about auth, see Authorization.
• To learn about using B2C Commerce API, see the Guides.
• To learn about using correlation IDs, see Identifying Requests and Responses.
• To browse the API endpoints, use the left navigation. B2C Commerce API is broken into two main groups: Shopper APIs and Admin APIs. All Shopper API groups start with Shopper. For details about the differences, see Get Started.
• Note: All secrets and tokens are fictional and provided as placeholders only.

• Resilience improvements for the SCAPI CDN layer
• Update on encoding handling for special characters

• Holiday preparation: Improve visibility and stability
  • Improve header handling for resiliency

• Enhanced error handling for SLAS TSOB (Trusted System on Behalf) when IDP is B2C Commerce. For the first time call with a non-existing shopper ID, error code 400 is returned in place of the incorrect 409 error code. This change is specific to B2C IDP and does not impact TSOB using Okta or any other 3rd-party IDPs.
• Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
• In view of Salesforce wide Holiday moratorium, no planned SLAS releases during 11/6/2023 and 1/2/2024.
• Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers access to your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.

• The Get URL Mapping API endpoint allows headless storefronts to support localized, user-friendly URLs based on URL rules set up in Business Manager. This endpoint helps you to increase your site traffic and improve site navigation. Get URL Mapping is in a new API named Shopper SEO. For more information, see URL Resolution and the Shopper SEO API reference.

• Use the Shopper Stores API to find details about stores. Shoppers can locate nearby stores for delivery or offline shopping. See the Shopper Stores API reference.

• Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers access to your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.
• In view of Salesforce wide Holiday moratorium, no planned SLAS releases during 11/6/2023 and 1/2/2024.
• Addressed a bug in SLAS Session Bridge (SESB) functionality when a guest user transitions to registered user with the authorize (/authorize) flow.
• SLAS Admin UI validation and messaging for Shopper context API public client customers.
• SLAS Monitoring enhancements as part of Holiday readiness.
• SLAS now supports Last Name(family_name claim) as optional for Google IDP client.

• Shopper Orders Guest Order Lookup secured by SLAS Trusted System On Behalf Token is available now.

• The Order response document now contains an order view code that can be used to retrieve guest orders securely using the Guest Order Lookup endpoint. The order view code contains only URL-safe characters.

  Warning: Do not expose the order view code in the URL. The order view code can only be displayed to the shopper or sent as an email. Do not log the order view code in the code.

• Request header size optimizations
• Bugfix for shopper-search refinement parameter encoding

• Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers access to your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.
• In view of Salesforce wide Holiday moratorium, there will not be any planned SLAS releases during 11/6/2023 and 1/2/2024.
• SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
• Fixed a bug related to Cache synchronization across SLAS PODs.
• Security library updates

• CustomerGroupIds is now supported in Shopper Context API.

• Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers access to your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.
• Aligning with the Salesforce-wide Holiday moratorium, there are no planned SLAS releases between 11/6/2023 and 1/2/2024.
• SLAS now supports OIDC locales parameter on /authorize endpoint.
• Security Bug fixes

• Holiday preparation: Improve performance, visibility, and stability
  • Following the preview release from 08/30/2023 we are now releasing this feature and iinfrastructure update to production environments.
  • Affected PODs are all PODs that were not listed in the two releases from 09/27/2023 and 09/21/2023.
  • Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.
  • Introduction of new custom query parameters: `c_`` can now be defined on SCAPI requests and is be routed end to end, Parameters are available in hooks for custom control logic.

• Holiday preparation: Improve visibility and stability
  • Updated infrastructure layers for SCAPI requests

• SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.

• Holiday preparation: Improve performance by enabling of caching
  • Affected PODs are: POD94, POD112, POD122, POD159, POD162, POD173, POD192, POD194, POD198, POD204, POD226

• Holiday preparation: Improve performance, visibility, and stability
  • Following the preview release from 08/30/2023 we are now releasing this feature update to production environments.
  • Affected PODs are: POD114, POD136, POD149, POD173, POD174, POD210, POD229, POD250, POD253, POD260
  • Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.
  • Introduction of new custom query parameters: c_<yourparameter> can now be defined on SCAPI requests and is routed end to end. Parameters are available in hooks for custom control logic.
• CORS headers handling, ALL customers.
  • CORS headers like Origin are NOT interpreted any longer, to avoid CORS errors.
  • SCAPI currently does not support CORS.

• SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
• SLAS IDP authorize now enables merge shopper profile capability. We've extended registerIdentityProvider to support a new parameter loginMergeClaims. This parameter allows you to specify whether shopper accounts created via this IDP should be merged with existing accounts using one of those parameter values, preserving order history (amongst other things). Refer to the Merge Shopper Profiles User Guide and registerIdentityProvider.

• Following the preview release from 08/30/2023 we are now releasing this feature update to production environments.
• Affected PODs are: POD94, POD112, POD122, POD136, POD159, POD162, POD173, POD192, POD194, POD198, POD204, POD226, POD240, POD248, and POD253
• Holiday preparation: Improve performance, visibility, and stability
• Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network
• New custom query parameters: c_<yourparameter> can now be defined on SCAPI requests and will be routed end to end. Parameters are available in hooks for custom control logic.

• Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season
• SLAS Admin UI: Default IDP claims removed from UI map if they are not a Generic IDP
• Addressed a bug related to 3rd party logout on ECOM during SLAS /logout endpoint call https://developer.salesforce.com/docs/commerce/commerce-api/references/shopper-login?meta=logoutCustomer

• Security Updates

• Log Improvements

• Preview release to sandboxes only (SIG and ODS).

• Holiday preparation: Improve performance, visibility, and stability.

• Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.

• Introduction of new custom query parameters: c\_<yourparameter> can now be defined on SCAPI requests and are routed end to end, and therefore available in hooks for custom control logic.

  We'd like all customers to verify your existing SCAPI implementation on sandboxes and report any issues back.

• Trust Notification
  • SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • Improvements to Trusted System on Behalf (TSOB) flow to be able to better handle simultaneous requests.
  • As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS, and to shoppers who have not returned to the shopping app at least once in the last 45 days need to relogin. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90 day, standard duration. Shopper Guest sessions and B2C Commerce basket retention is not affected in any way.

• productSearch now correctly handles storefront search filters and refinement values with the & character, and considers all terms in the refinement attribute before and after the &. Previously, the search filter and refinement parameter was incorrectly truncated, and requested refinements with the & character in the attribute name did not match the configured refinements in Business Manager.

• Security updates

• SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
• Addressed a limitation in SLAS Session Bridge (SESB) functionality when a guest user creates a cart, add products to the cart, and then login as a registered user WITH trusted system (TSOB) to merge the cart and it fails.
• Addressed a bug related to case sensitive login_id comparison for Session Bridge (SESB) token requests, where the casing of the login_id passed to getSessionBridgeAccessToken was different from the casing of the login_id in B2C Commerce.
• As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS, and to shoppers who have not returned to the shopping app at least once in the last 45 days need to relogin. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90 day, standard duration. Shopper Guest sessions and B2C Commerce basket retention is not affected in any way.

• Security Updates

• Addressed a limitation in plugin_slas integration with SLAS around Merge Cart for Guest to Registered flow.
• For the getSessionBridgeAccessToken endpoint, the returned TokenResponse now correctly includes the enc_user_id attribute.
• As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS, and to shoppers who have not returned to the shopping app at least once in the last 45 days need to relogin. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90 day, standard duration. Shopper Guest sessions and B2C Commerce basket retention is not affected in any way.

• Security Updates

• Increased timeout from 10 seconds to 25 seconds for incoming requests to Products data endpoints.

• Default IDP configuration allows for SSO/OIDC configuration with other IDPs outside the list of SLAS supported IDPs. Configuration can be performed via the Admin API or Admin UI. For more information, see Configure a Default IDP.
• Preferred IDP configuration cleanup and functionality added to Admin UI.
• As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS, and to shoppers who have not returned to the shopping app at least once in the last 45 days need to relogin. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90 day, standard duration. Shopper Guest sessions and B2C Commerce basket retention is not affected in any way. Ideally, customers should be Shopper Guest sessions and B2C Commerce basket retention is not affected in any way.

Certificate rotation for SCAPI logging and metrics infrastructure.

• One certificate pair per region: EUC1, USE1, APS2, and APN1

• Security Updates

• Logging Optimizations
• Security Updates

• SLAS Infrastructure and scale improvements.
• SLAS Admin UI improvements related to user search and get user statistics.
• Fixed logout implementation. SLAS to OCAPI calls no longer fail throwing (ClientAccessForbiddenException)[https://developer.salesforce.com/docs/commerce/commerce-api/references/shopper-login?meta=logoutCustomer].
• As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS, and to shoppers who have not returned to the shopping app at least once in the last 45 days need to relogin. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90 day, standard duration. Shopper Guest sessions and B2C Commerce basket retention is not affected in any way.

• Performance optimizations

• Optional query parameter locale, is now supported for mergeBasket, transferBasket and all delete endpoints in Shopper Orders and Shopper Baskets, with the exception of deleteBasket.
• PaymentCardSpec includes a new field securityCodeLength. This is available in the response for Shopper baskets - getPaymentMethodsForBasket and Shopper Orders- getPaymentMethodsForOrder endpoints.
• Coming soon: mergeBasket and transferBasket response will no longer include the property notes. Previously, this property was sent with an empty value in the response.
• Fix coming soon: mergeBasket will return an HTTP 409 error response no-source-basket-exception if the guest's basket has already been ordered. Previously, the ordered guest basket was merged with the new basket.

• Performance optimizations

• SLAS Infrastructure and scale improvements to handle higher transaction volume.

• productSearch now correctly handles storefront search queries with the & character and considers all terms before and after the &. Previously, the search query was incorrectly truncated before the & character and subsequent terms were missing in the query.

• SLAS /token endpoint includes refresh token time to live (TTL) claim, and the value is in seconds to be consistent with expires_in for the access_token TTL. For more information, see getAccessToken.

• Improved error handling to send clear 4xx messages on /revoke endpoint if a null token is provided. For more information, see revokeToken.

• SLAS Admin has enhanced validation in place to help customers create tenants in the correct region.

• Performance optimizations

• Performance optimizations

• Shopper Customers API and Customers API security updates.

• Updated configuration handling to improve performance.
• Update on metrics and logging to improve supportability.

• introspectToken returns more specific error messages on failures.
• authenticateCustomer and other endpoints which result in calls to a B2C Commerce instance return more specific error messages when that instance is down.
• To support native mobile apps, added support for custom scheme redirects based on Private-Use URI Scheme Redirection.

• Updated routing and mapping policies to prepare for future functionality.
• Security updates.

• Updated TokenResponse, extending the maximum size of idp_access_token to 8k bytes.
• getSessionBridgeAccessToken supports a new optional parameter dwsgst. Its value is a guest session signature created from Script API's Session.generateGuestSessionSignature(). Passing this parameter improves the performance of this API.
• Guest refresh tokens are now valid for 30 days. Previously, they were valid for 90 days.

• Updated the getTrustedAgentAccessToken endpoint to make the agent_id parameter optional.
• Updated the SLAS Admin UI with specific error messaging for issues with logging into Account Manager.
• Private clients now support grant_type=authorization_code in addition to grant_type=authorization_code_pkce.
• Removals of customer records in B2C Commerce are now synchronized with SLAS. If a customer record is deleted in B2C Commerce, this change is recognized by SLAS.

• NEW SLAS-Marketing Cloud SMS for Passwordless login is ready! See Passwordless Login with SMS to get started.
• resetPassword rejects weak passwords with an HTTP 400 error.
• getUserInfo supports names with special characters.
• getUserInfo supports Trusted System on Behalf of tokens.
• Credential Quality APIs deprecated and removed.
• Improved Guest Shopper validation to allow B2C Commerce IDP origin for session bridge.
• Session Bridge: fixed 500 server error on incorrect hint.
• SLAS Admin UI: Fixed issues related to Tenant ID format check at browser level.

• Shopper Baskets now supports the following SLAS Trusted-Agent-On-Behalf-only endpoints:
  • PUT /baskets/{basketId}/agent
  • PUT /baskets/{basketId}/storefront
  • POST baskets/{basketId}/price-adjustments
  • DELETE baskets/{basketId}/price-adjustments/{priceAdjustmentId}
  • PATCH baskets/{basketId}/price-adjustments/{priceAdjustmentId}
• The following new channel types are supported by Baskets and Orders apps: TikTok, SnapChat, Google, WhatsApp, and YouTube

• BOT Mitigation improvements: Reduced the time window from 2 seconds to 1 second for the same user login that returns Error 409.
• Fixed the issue around deletion of a user with different loginID and IDP, when the tenant and customerID remains the same.
• SLAS Tenant creation improvements to include region validation.
• SLAS Service Introducing Rate Limit of 25 TPM per tenant for JWKs and well-known endpoints.
• SLAS service redirect to customer’s registered callback URL on IDP errors and return Error 412 for refresh token calls.

• Trusted agent on behalf (TAOB): Client ID present check fix on /auth rather than /token.
• Guest SESB refresh bug fix.
• Improved IDP message errors back from third-party IDP.

• Shopper Context API update.

• Increase shopper authorization code size to accommodate larger code sent from Identity Providers.
• SLAS Admin UI fixes for tenant display post deletion and faster IDP creation.
• SLAS Admin: Client scope update fix.
• Trusted agent on behalf: additional redirect URI parameters for authorize are separated properly.

• Shopper-Experience API global rollout.

• Bug fixes:
  • Admin UI, client create claims fix
  • SESB fix for OCAPI calls
• Features:
  • Support for Active Directory Federated Service IDP

• The Shopper Context API is now generally available!
• Rate limit update to the rules endpoint in the Catalogs API.

• Update TrustedAgentOnBehalf support for Shopper Token policy.

• Support for Forgerock IDP.
• Trusted agent on behalf (TAOB) now supports Private ClientID flow. Changed the TAOB JWT token expiry from 30 to 15 minutes for PCI compliance.
• /jwks endpoint now returns 3 key IDs (past, current, and future KeyID).
• Reduced the Passwordless OTP - token length from 20 to 8 characters.
• Enhanced BOT mitigation strategy within SLAS.
• Fixed inconsistencies related to failed tokens.
• Session Bridge: Improved error messaging & guest support.
• SLAS no longer calls ecom, when a shopper account is locked.
• User cache refinements & Fixed cache inconsistencies after tenant key rotation.
• Addressed login ID inconsistencies for passwordless login.
• Fixed AppleIDP issue related to middle name.

• Rate limit increase for GET /customers/*(Shopper-Customers), see Rate Limits.

• Rate limit increase for GET /products-lists/{id}(Shopper-Customers), see Rate Limits.

• Rate limit increase for Orders API, see Rate Limits.
• Rate limit updates: API families have either a 5s tier or a 60s tier, see Rate Limits.

• Response compression has been introduced.
• The expand query parameter has been added for getProducts.

• Added support for correlation-id and x-correlation-id headers.

The scheduled deactivation of /customers/actions/login, /trusted-system/actions/login, and other related endpoints has been extended from mid-2022 to March 31st, 2023 for existing customers. These endpoints are still not available to new customers, and we still discourage existing customers from using them. Instead, we strongly recommend that you use the Shopper Login and API Access Service (SLAS) because it meets a higher standard for security and availability.

• Increased performance and response times through caching on the edge layer.
• Resources affected: /product, /category, and /product_search.
• Updates to the personalization handling ensure that personalized content is cached correctly.
• No action is required by developers to take advantage of this update.

• Replace SlasJWT-BearerSecurityScheme.BearerToken security scheme with CommerceCloudStandards.ShopperToken.