B2C Commerce API Release Notes

Use B2C Commerce API (also known as Salesforce Commerce API or SCAPI) to build headless commerce experiences.

  • For status updates and trust notifications, go to the B2C Commerce Status Page.
  • For the general B2C Commerce release notes, go to Salesforce Help.
  • To view the change policy, see: Change Policy.
  • To use the SDK to make your first call quickly, see the Quick Start.
  • For details about auth, see Authorization.
  • To learn about using B2C Commerce API, see the Guides.
  • To learn about using correlation IDs, see Identifying Requests and Responses.
  • To browse the API endpoints, use the left navigation. B2C Commerce API is broken into two main groups: Shopper APIs and Admin APIs. All Shopper API groups start with Shopper. For details about the differences, see Get Started.
  • Note: All secrets and tokens are fictional and provided as placeholders only.
  • Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.
  • SLAS Admin: Added validation for SLAS Client callback URLs to prevent the use of localhost or loopback addresses as host names in production environments.
  • Added SLAS resilience improvements for holiday readiness.
  • Server-Side Web-Tier Caching is enabled for all SCAPI customers who aren’t currently using the cached APIs and haven’t made production requests to any cached APIs in the last seven days. For the list of cached APIs and other details, see Server-Side Web-Tier Caching.
  • The siteId query parameter is no longer mandatory for custom API calls. If a site is not provided, the default site is the Business Manager site. For details, see Custom APIs.
  • With B2C Commerce version 24.5, the Shopper endpoint constraint for supporting trusted agent tokens on a specific subset of Shopper endpoints has been removed. For details, see Trusted Agent Authorization.
  • Internal infrastructure change: additional internal header introduced. No customer impact is anticipated.
  • With B2C Commerce version 24.6, the mergeBasket endpoint now merges the guest shopper’s shippingAddress and shippingMethod into the registered basket when the registered basket does not contain shippingAddress or shippingMethod.
  • The new Preferences API allows you to retrieve Site and Global preferences.
  • The Shopper Products API getCategories endpoint now provides the onlineSubCategoriesCount property.
  • Internal infrastructure upgrade and security updates. No customer impact is anticipated.
  • SLAS now allows shoppers to have multiple clients and authenticate on the same device with a single USID, provided the clients use their respective refresh_tokens to refresh their sessions.
  • SLAS IDP integration has enhanced error handling to return more meaningful error messages to the caller. No change in error code information.
  • The refined error message: “The Account is disabled” is returned for any user account disabled in B2C Commerce. No change in the error code.
  • Shopper Custom Object API scopes are now limited to 20 entries. This is now enforced in both SLAS API and SLAS Admin UI.
  • Enhanced SLAS internal error handling and log messages.
  • With B2C Commerce version 24.5, the Shopper Baskets API supports patching variations within product bundles in a single call. This enhancement provides:

    • More efficient and streamlined product bundle management, making it easier to update multiple variations within a bundle without the need for multiple API calls.
    • Increased productivity for developers managing complex product bundles.

    For details, see updateItemInBasket.

  • SLAS database performance improvements. No customer impact is anticipated.
  • SLAS internal infrastructure optimization. No customer impact is anticipated.
  • Internal infrastructure change for SCAPI contract validation. No customer impact is anticipated.
  • Removed obsolete code modules related to encoding issues. For encoding details, see URL Encoding of Special Characters.
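The SLAS Admin note above says callback URLs with localhost or loopback host names are rejected in production. The following is an added example, not Salesforce code, of a pre-deployment check that flags such callback URLs in a client configuration before you try to register them. The rule set (localhost and *.localhost, 127.0.0.0/8, ::1, IPv4-mapped loopback), the function names, and the sample URLs are assumptions; the release note does not list the exact checks SLAS performs.

```javascript
// Added example: audit SLAS client callback URLs for loopback hosts.
// Assumption: http(s) callbacks. The WHATWG URL parser normalizes IPv4
// shorthand (127.1 -> 127.0.0.1) only for special schemes such as http/https.

// Returns true when the parsed URL hostname points at the local machine.
function isLoopbackHost(hostname) {
  // "localhost." (fully qualified form) is the same name as "localhost".
  const host = hostname.toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return true;

  // IPv4 loopback is the whole 127.0.0.0/8 block, not just 127.0.0.1.
  const v4 = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) return Number(v4[1]) === 127;

  // IPv6 literals are serialized in brackets and in compressed hex form.
  if (host.startsWith('[') && host.endsWith(']')) {
    const v6 = host.slice(1, -1);
    if (v6 === '::1') return true;
    // IPv4-mapped form, e.g. ::ffff:127.0.0.1 is serialized as ::ffff:7f00:1.
    const mapped = v6.match(/^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/);
    if (mapped) return (parseInt(mapped[1], 16) >> 8) === 127;
  }
  return false;
}

// Returns one finding per callback URL that would be a problem.
// Unparseable entries are always reported; loopback hosts only for production.
function auditCallbackUrls(urls, { production }) {
  const findings = [];
  for (const raw of urls) {
    let parsed;
    try {
      parsed = new URL(raw);
    } catch {
      findings.push({ url: raw, reason: 'not a valid absolute URL' });
      continue;
    }
    if (production && isLoopbackHost(parsed.hostname)) {
      findings.push({ url: raw, reason: `loopback host ${parsed.hostname}` });
    }
  }
  return findings;
}

// Constructed sample configuration (not real client data).
const SAMPLE_CALLBACKS = [
  'https://shop.example.com/callback',      // fine
  'https://localhost.example.com/callback', // fine: a public name, not loopback
  'http://localhost:3000/callback',
  'https://LOCALHOST./callback',
  'http://127.0.0.1:3000/callback',
  'http://127.1/callback',                  // shorthand for 127.0.0.1
  'https://[::1]:8443/callback',
  'https://[::ffff:127.0.0.1]/callback',
  'shop.example.com/callback',              // missing scheme
];

for (const f of auditCallbackUrls(SAMPLE_CALLBACKS, { production: true })) {
  console.log(`${f.url}: ${f.reason}`);
}
```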

With B2C Commerce 24.5, you can use external taxation mode with the Shopper Baskets API when hooks are enabled. For details, see External Taxation Documentation.

  • Optimization performed in internal infrastructure routing. No customer impact anticipated.

With B2C Commerce 24.4:

  • Added the Shopper Custom Objects API for retrieving Custom Objects. For details, see Shopper Custom Objects.
  • Added support for additional HTTP methods for Custom APIs. For details, see Custom APIs.
  • SCAPI: Routine maintenance of infrastructure. No customer impact is anticipated.
  • SLAS: Database and infrastructure updates. During the deployment period, shoppers might experience elevated response times for less than a minute.
  • Routine maintenance of infrastructure. No customer impact is anticipated.
  • Added response timeout handling for Sandbox instances:
    • If responding to a SCAPI request takes too long (60 seconds for Data API requests), an HTTP 504 status code is returned.
    • This is only enforced for requests to Sandbox instances, but will be rolled out to all instance types in the future.
    • For more information see Error Response Codes.
  • With B2C Commerce 24.3, updated the Orders API updateOrderStatus endpoint to support a new update status failed_with_reopen:
    • When an order is updated with the failed_with_reopen status, the order status is set to failed.
    • If the basket can be reopened, the API returns response code 201 with the reopened basket URL in the location header.
    • If the basket cannot be reopened, the API returns response code 204 with an empty location header.
  • With B2C Commerce 24.3, expanded the Shopper Search API productSearch endpoint to include additional parameters: productPromotions, imageGroups, priceRanges, and variants:
    • The corresponding expansion and query parameters are required in order to get the additional product data in the response. For details and best practices, refer to the Shopper Search API documentation.
  • Added the Customer API searchCustomerGroup endpoint, which searches for customer groups for the siteId.
  • Routine maintenance of infrastructure. No customer impact is anticipated.
  • During the maintenance window, shoppers might experience elevated response times.
  • For the latest B2C Commerce service status and deployment information, subscribe to Trust Center notifications.
  • This feature is generally available from B2C Commerce 24.2:

    • Updated getUrlMapping's response to include the optional property resourceSubType, which indicates whether the resolved object is a Page Designer content asset or a Content Slot asset. For more information, see the UrlMapping type reference.
  • These features are generally available from B2C Commerce 24.3:

    • Updated getUrlMapping to support URL redirects. For more information, see the URL Resolution guide.

    • Updated getUrlMapping to support these hooks: dw.shop.seo.url_mapping.beforeGET and dw.shop.seo.url_mapping.modifyGETResponse.

  • Custom Request Headers
    • Developers can send custom request headers that are passed and made available in server-side custom implementations.
    • The required pattern is: c_{yourHeader}.
  • Update order now supports the ShopperTokenTsob security scheme.
  • Shopper Baskets v2 available with B2C Commerce 24.1
    • Provides support for temporary baskets. Temporary baskets can perform calculations to generate totals, line items, promotions, and item availability without affecting the shopper’s storefront cart. You can use these calculations for temporary basket checkout.
    • New Shopper Basket v2 response fields:
      • groupedTaxItems
      • taxRoundedAtGroup
      • temporaryBasket
    • Temporary basket use cases include:
      • A shopper wants to purchase an item without affecting their existing shopping cart, which contains items for an unrelated purchase:
        • A shopper selects an Apple Pay button for a product.
        • A shopper selects a reorder button for a product on an order history page.
        • A shopper selects an order button on a wish list page to purchase one or more items.
      • A merchant shares a link through social channels to purchase promotional items.
      • A customer support agent sends a Buy Now link with pre-set products to a shopper for self-checkout (no passing of payment details to support).
    • For additional details, see Shopper Baskets V2.

The dw.ocapi.shop.basket.beforePOST hook is no longer supported in Shopper Baskets V2 and is replaced by the dw.ocapi.shop.basket.beforePOST_v2 hook.

  • Stricter request header filtering is performed. Custom code must use custom request headers.
  • Identical CorrelationId information is no longer returned for independent requests.
  • Correct 503 status code is now returned during a site maintenance window.
  • During the maintenance window, shoppers might experience elevated response times.
  • For the latest B2C Commerce service status and deployment information, subscribe to Trust Center notifications.
  • Introduced new load shedding functionality that:
    • Returns an HTTP 503 response for a subset of API families if the system reaches a load threshold.
    • Covers APIs not covered by rate limits that are considered non-critical, for example: endpoints related to search, products, and authentication. Load shedding is not used for checkout-related endpoints, such as Shopper Baskets and Shopper Orders, to ensure that shoppers can complete an in-progress checkout.
    • Includes additional HTTP response headers that allow you to understand the current system load: sfdc_load, which represents a load percentage with higher percentages indicating higher loads, and sfdc_load_status, which is an enum (WARN|THROTTLE) that helps you understand the relative health of the system.
  • Routing for /shopper-experience requests resulting in HTTP 500 errors.
  • Cleanup of deprecated infrastructure and configuration.
  • SLAS Admin UI: Added client name to the client list and detail pages.
  • SLAS API: Added support for the DoNotTrack (DNT) query parameter in token calls for headless customers. This is in preparation for a future SCAPI B2C Commerce rollout. Additional documentation will be provided.
  • SLAS to B2C Commerce Data consistency: Addressed a limitation around customer records synchronization between B2C Commerce and SLAS.
  • SLAS third-party IDP configuration is tolerant of missing idToken when refreshing third-party IDPs.
  • Security updates.
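The load shedding entry above describes HTTP 503 responses plus the sfdc_load and sfdc_load_status headers, and these notes also mention a 503 during site maintenance and an sfdc_maintenance header. The following is an added example, not Salesforce code, of a client-side policy that reads those signals and decides whether to proceed, drop optional calls, or retry with backoff. The function names, delay constants, action labels, and sample header values are assumptions; only the header names, the WARN|THROTTLE values, and the 503 status come from the notes.

```javascript
// Added example: react to SCAPI load signals on the client.
const BASE_DELAY_MS = 500;    // assumption: first retry window
const MAX_DELAY_MS = 30000;   // assumption: upper bound for any retry window

// Case-insensitive header lookup for a fetch Headers object or a plain object.
function header(headers, name) {
  if (headers && typeof headers.get === 'function') return headers.get(name);
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === name) return String(value);
  }
  return null;
}

// Extracts the load percentage and status; unknown values become null.
function readLoad(headers) {
  const rawPercent = header(headers, 'sfdc_load');
  const percent = rawPercent === null ? NaN : parseFloat(rawPercent);
  const status = (header(headers, 'sfdc_load_status') || '').toUpperCase();
  return {
    percent: Number.isFinite(percent) ? percent : null,
    status: status === 'WARN' || status === 'THROTTLE' ? status : null,
  };
}

// Decides what the caller should do after a response.
// attempt is the zero-based retry count; random is injectable for testing.
function planNext(response, attempt, random = Math.random) {
  const load = readLoad(response.headers);

  if (response.status === 503) {
    // Only the presence of sfdc_maintenance is checked; its value is not
    // described in the release notes.
    const maintenance = header(response.headers, 'sfdc_maintenance') !== null;
    // Exponential backoff with full jitter so clients do not retry in lockstep.
    const windowMs = Math.min(MAX_DELAY_MS, BASE_DELAY_MS * 2 ** attempt);
    return {
      action: 'retry',
      reason: maintenance ? 'maintenance' : 'load-shedding',
      delayMs: Math.round(random() * windowMs),
      load,
    };
  }

  // The request succeeded but the platform reports pressure: keep checkout
  // traffic, skip optional calls such as prefetching or search suggestions.
  if (load.status !== null) {
    return { action: 'shed-optional', reason: load.status, delayMs: 0, load };
  }
  return { action: 'proceed', reason: null, delayMs: 0, load };
}

// Constructed sample responses (header values are illustrative only).
const SAMPLE_RESPONSES = [
  { status: 200, headers: {} },
  { status: 200, headers: { SFDC_Load: '82%', sfdc_load_status: 'warn' } },
  { status: 503, headers: { sfdc_load: '97', sfdc_load_status: 'THROTTLE' } },
  { status: 503, headers: { sfdc_maintenance: 'true' } },
];

SAMPLE_RESPONSES.forEach((res, i) => {
  const plan = planNext(res, i);
  console.log(res.status, plan.action, plan.reason, `${plan.delayMs} ms`);
});
```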

These features are generally available with B2C Commerce 24.3:

  • The select query parameter in the Product Search API endpoint filters the response payload by a specified field or set of fields. This allows you to focus on the data that's important to you and improve page loading speed.
  • Save time and improve product listing page (PLP) performance by using the enhanced Product Search API endpoint. Use the new optional expansion on the Product Search API endpoint to retrieve product metadata and avoid the use of additional API calls to Get Products. Use these features to provide the additional information needed to render your PLP:
    • Allowable value: promotions value in the expand query parameter
    • Query parameters: perPricebook, allImages, and allVariationProperties
    • Responses: productPromotions, imageGroups, priceRanges, tieredPrices, variants, and variationGroups

Salesforce Commerce Cloud now provides a new framework that enables you to write custom B2C commerce script code, such as controllers, and expose this functionality as a custom REST API endpoint under the SCAPI framework. Those custom API endpoints accept the same AuthN/AuthZ model as our Shopper and Admin APIs.

With the transition from Beta to General Availability (GA), future changes to B2C Commerce Custom APIs will follow our change policy.

If you are new to Custom APIs, see Custom APIs as a starting point.

  • New features (non-breaking changes) not included in the Beta:
  • If you participated in the Custom APIs Beta, the transition to General Availability causes the following BREAKING changes. Review and update your code as needed:
    • Custom endpoints now require custom scopes. For details, see Scopes.
    • Storefront quota limits are now enforced. Review these limits and fix any errors. For details, see API Quotas. The quota limits relevant for Custom APIs are the ones marked as Storefront Limit.
    • We've added Circuit Breaker functionality that is similar to what exists for hooks to Custom APIs. This is a protective measure that blocks API requests when the error rate is too high. For details, see Circuit Breaker. B2C Commerce Custom APIs support HTTP GET requests as well as DELETE, HEAD, and OPTIONS. Future transaction support with POST, PUT, PATCH is being planned.
  • Custom rules allow you to control incoming traffic by setting up firewall policies based on various request parameters. These API endpoints expand on the existing functionality of firewall rules. With custom rules, you have complete control over the rule expression. We’ve also extended the list of allowed request field types and rule actions, which offer increased flexibility and allow you to create expressions that match your specific traffic needs.
  • Commerce Cloud B2C Commerce has migrated all existing firewall rules to a new custom rules CDN-API endpoint. All customers are directed to transition to using custom rules in place of firewall rules. The firewall rules are scheduled for deprecation. Complete the transition to custom firewall rules in place of firewall rules before February 1, 2024.
  • For additional details, see: eCDN Custom Rules
  • Cleanup of deprecated SCAPI migration code and configuration. These are nonbehavioral changes.
  • Resilience improvements for the SCAPI CDN layer
  • Improved error handling for TSOB (Trusted System on Behalf) for "customer not found" user scenarios.
  • Support added for using SAP Customer Data Cloud socialize REST endpoints.
  • IDP configuration now allows the IDP client credentials to be added to the POST body.
    • SLAS now supports OIDC client_secret_basic and client_secret_post for client authentication.
  • Updated the /introspect endpoint to include a “sub” claim in the response.
  • Improved validation in Session Bridge (SESB) flow by checking for the customer_id and failing the request if the customer is already registered.
  • Includes SLAS Admin UI and API fix to address the cache synchronization issue when a client is edited or deleted.
  • Minor fixes
  • Added new sfdc_maintenance header in SCAPI responses during maintenance windows
  • Resilience improvements for the SCAPI CDN layer
  • Update on encoding handling for special characters
  • Holiday preparation: Improve visibility and stability
    • Improve header handling for resiliency
  • Enhanced error handling for SLAS TSOB (Trusted System on Behalf) when IDP is B2C Commerce. For a first-time call with a nonexistent shopper ID, error code 400 is returned in place of the incorrect 409 error code. This change is specific to B2C IDP and does not impact TSOB using Okta or any other 3rd-party IDPs.
  • Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • In view of the Salesforce-wide holiday moratorium, there are no planned SLAS releases between 11/6/2023 and 1/2/2024.
  • Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token endpoint. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers from accessing your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.
  • The Get URL Mapping API endpoint allows headless storefronts to support localized, user-friendly URLs based on URL rules set up in Business Manager. This endpoint helps you to increase your site traffic and improve site navigation. Get URL Mapping is in a new API named Shopper SEO. For more information, see URL Resolution and the Shopper SEO API reference.
  • Use the Shopper Stores API to find details about stores. Shoppers can locate nearby stores for delivery or offline shopping. See the Shopper Stores API reference.
  • Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token endpoint. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers from accessing your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.
  • In view of the Salesforce-wide holiday moratorium, there are no planned SLAS releases between 11/6/2023 and 1/2/2024.
  • Addressed a bug in SLAS Session Bridge (SESB) functionality when a guest user transitions to registered user with the authorize (/authorize) flow.
  • SLAS Admin UI validation and messaging for Shopper context API public client customers.
  • SLAS Monitoring enhancements as part of Holiday readiness.
  • SLAS now supports Last Name (family_name claim) as optional for Google IDP client.
  • Shopper Orders Guest Order Lookup secured by SLAS Trusted System On Behalf Token is available now.

  • The Order response document now contains an order view code that can be used to retrieve guest orders securely using the Guest Order Lookup endpoint. The order view code contains only URL-safe characters.

    Warning: Do not expose the order view code in the URL. The order view code can only be displayed to the shopper or sent as an email. Do not log the order view code in the code.

  • Request header size optimizations
  • Bugfix for shopper-search refinement parameter encoding
  • Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token endpoint. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers from accessing your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.
  • In view of the Salesforce-wide holiday moratorium, there will not be any planned SLAS releases between 11/6/2023 and 1/2/2024.
  • SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • Fixed a bug related to Cache synchronization across SLAS PODs.
  • Security library updates
  • CustomerGroupIds is now supported in Shopper Context API.
  • Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and loginId=guest on the /session-bridge/token endpoint. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers from accessing your storefront. For more information, see Shopper Login and API Access Service(SLAS) Session Bridge DWSID GUEST Deprecation.
  • Aligning with the Salesforce-wide Holiday moratorium, there are no planned SLAS releases between 11/6/2023 and 1/2/2024.
  • SLAS now supports OIDC locales parameter on /authorize endpoint.
  • Security Bug fixes
  • Holiday preparation: Improve performance, visibility, and stability
    • Following the preview release from 08/30/2023, we are now releasing this feature and infrastructure update to production environments.
    • Affected PODs are all PODs that were not listed in the two releases from 09/27/2023 and 09/21/2023.
    • Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.
    • Introduction of new custom query parameters: c_<yourparameter> can now be defined on SCAPI requests and is routed end to end. Parameters are available in hooks for custom control logic.
  • Holiday preparation: Improve visibility and stability
    • Updated infrastructure layers for SCAPI requests
  • SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • Holiday preparation: Improve performance by enabling caching
    • Affected PODs are: POD94, POD112, POD122, POD159, POD162, POD173, POD192, POD194, POD198, POD204, POD226
  • Holiday preparation: Improve performance, visibility, and stability
    • Following the preview release from 08/30/2023 we are now releasing this feature update to production environments.
    • Affected PODs are: POD114, POD136, POD149, POD173, POD174, POD210, POD229, POD250, POD253, POD260
    • Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.
    • Introduction of new custom query parameters: c_<yourparameter> can now be defined on SCAPI requests and is routed end to end. Parameters are available in hooks for custom control logic.
    • CORS headers handling, ALL customers.
    • CORS headers like Origin are NOT interpreted any longer, to avoid CORS errors.
    • SCAPI currently does not support CORS.
  • SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • SLAS IDP authorize now enables merge shopper profile capability. We've extended registerIdentityProvider to support a new parameter loginMergeClaims. This parameter allows you to specify whether shopper accounts created via this IDP should be merged with existing accounts using one of those parameter values, preserving order history (amongst other things). Refer to the Merge Shopper Profiles User Guide and registerIdentityProvider.
  • Following the preview release from 08/30/2023 we are now releasing this feature update to production environments.
  • Affected PODs are: POD94, POD112, POD122, POD136, POD159, POD162, POD173, POD192, POD194, POD198, POD204, POD226, POD240, POD248, and POD253
  • Holiday preparation: Improve performance, visibility, and stability
  • Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network
  • New custom query parameters: c_<yourparameter> can now be defined on SCAPI requests and will be routed end to end. Parameters are available in hooks for custom control logic.
  • Security Updates
  • Log Improvements
  • Preview release to sandboxes only (SIG and ODS).

  • Holiday preparation: Improve performance, visibility, and stability.

  • Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.

  • Introduction of new custom query parameters: c_<yourparameter> can now be defined on SCAPI requests and is routed end to end, and is therefore available in hooks for custom control logic.

    We'd like all customers to verify their existing SCAPI implementation on sandboxes and report any issues back.

  • Trust Notification
    • SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
    • Improvements to Trusted System on Behalf (TSOB) flow to be able to better handle simultaneous requests.
    • As part of our efforts to scale the SLAS service for the upcoming holiday volume, registered shopper refresh tokens (existing and new) are temporarily valid for only 45 days, instead of the earlier validity of 90 days, starting the week of August 7. This applies to shopping apps integrated with SLAS: shoppers who have not returned to the shopping app at least once in the last 45 days need to log in again. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full, standard 90-day duration. Shopper Guest sessions and B2C Commerce basket retention are not affected in any way.
  • productSearch now correctly handles storefront search filters and refinement values with the & character, and considers all terms in the refinement attribute before and after the &. Previously, the search filter and refinement parameter was incorrectly truncated, and requested refinements with the & character in the attribute name did not match the configured refinements in Business Manager.
  • Security updates
  • SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
  • Addressed a limitation in SLAS Session Bridge (SESB) functionality where the cart merge fails when a guest user creates a cart, adds products to the cart, and then logs in as a registered user with trusted system (TSOB).
  • Addressed a bug related to case sensitive login_id comparison for Session Bridge (SESB) token requests, where the casing of the login_id passed to getSessionBridgeAccessToken was different from the casing of the login_id in B2C Commerce.
  • As part of our efforts to scale the SLAS service for the upcoming holiday volume, registered shopper refresh tokens (existing and new) are temporarily valid for only 45 days, instead of the earlier validity of 90 days, starting the week of August 7. This applies to shopping apps integrated with SLAS: shoppers who have not returned to the shopping app at least once in the last 45 days need to log in again. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full, standard 90-day duration. Shopper Guest sessions and B2C Commerce basket retention are not affected in any way.
  • Security Updates
  • Addressed a limitation in plugin_slas integration with SLAS around Merge Cart for Guest to Registered flow.
  • For the getSessionBridgeAccessToken endpoint, the returned TokenResponse now correctly includes the enc_user_id attribute.
  • As part of our efforts to scale the SLAS service for the upcoming holiday volume, registered shopper refresh tokens (existing and new) are temporarily valid for only 45 days, instead of the earlier validity of 90 days, starting the week of August 7. This applies to shopping apps integrated with SLAS: shoppers who have not returned to the shopping app at least once in the last 45 days need to log in again. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full, standard 90-day duration. Shopper Guest sessions and B2C Commerce basket retention are not affected in any way.
  • Security Updates
  • Increased timeout from 10 seconds to 25 seconds for incoming requests to Products data endpoints.
  • Default IDP configuration allows for SSO/OIDC configuration with other IDPs outside the list of SLAS supported IDPs. Configuration can be performed via the Admin API or Admin UI. For more information, see Configure a Default IDP.
  • Preferred IDP configuration cleanup and functionality added to Admin UI.
  • As part of our efforts to scale the SLAS service for the upcoming holiday volume, registered shopper refresh tokens (existing and new) are temporarily valid for only 45 days, instead of the earlier validity of 90 days, starting the week of August 7. This applies to shopping apps integrated with SLAS: shoppers who have not returned to the shopping app at least once in the last 45 days need to log in again. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full, standard 90-day duration. Shopper Guest sessions and B2C Commerce basket retention are not affected in any way.

Certificate rotation for SCAPI logging and metrics infrastructure.

  • One certificate pair per region: EUC1, USE1, APS2, and APN1
  • Security Updates
  • Logging Optimizations
  • Security Updates
  • SLAS Infrastructure and scale improvements.
  • SLAS Admin UI improvements related to user search and get user statistics.
  • Fixed logout implementation. SLAS to OCAPI calls no longer fail by throwing ClientAccessForbiddenException (https://developer.salesforce.com/docs/commerce/commerce-api/references/shopper-login?meta=logoutCustomer).
  • As part of our efforts to scale the SLAS service for the upcoming holiday volume, registered shopper refresh tokens (existing and new) are temporarily valid for only 45 days, instead of the earlier validity of 90 days, starting the week of August 7. This applies to shopping apps integrated with SLAS: shoppers who have not returned to the shopping app at least once in the last 45 days need to log in again. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full, standard 90-day duration. Shopper Guest sessions and B2C Commerce basket retention are not affected in any way.
  • Performance optimizations
  • Performance optimizations
  • SLAS Infrastructure and scale improvements to handle higher transaction volume.
  • productSearch now correctly handles storefront search queries with the & character and considers all terms before and after the &. Previously, the search query was incorrectly truncated before the & character and subsequent terms were missing in the query.
  • SLAS /token endpoint includes refresh token time to live (TTL) claim, and the value is in seconds to be consistent with expires_in for the access_token TTL. For more information, see getAccessToken.

  • Improved error handling to send clear 4xx messages on /revoke endpoint if a null token is provided. For more information, see revokeToken.

  • SLAS Admin has enhanced validation in place to help customers create tenants in the correct region.

  • Performance optimizations
  • Performance optimizations
  • Shopper Customers API and Customers API security updates.
  • Updated configuration handling to improve performance.
  • Update on metrics and logging to improve supportability.
  • Updated routing and mapping policies to prepare for future functionality.
  • Security updates.
  • Updated the getTrustedAgentAccessToken endpoint to make the agent_id parameter optional.
  • Updated the SLAS Admin UI with specific error messaging for issues with logging into Account Manager.
  • Private clients now support grant_type=authorization_code in addition to grant_type=authorization_code_pkce.
  • Removals of customer records in B2C Commerce are now synchronized with SLAS. If a customer record is deleted in B2C Commerce, this change is recognized by SLAS.
  • NEW SLAS-Marketing Cloud SMS for Passwordless login is ready! See Passwordless Login with SMS to get started.
  • resetPassword rejects weak passwords with an HTTP 400 error.
  • getUserInfo supports names with special characters.
  • getUserInfo supports Trusted System on Behalf of tokens.
  • Credential Quality APIs deprecated and removed.
  • Improved Guest Shopper validation to allow B2C Commerce IDP origin for session bridge.
  • Session Bridge: fixed 500 server error on incorrect hint.
  • SLAS Admin UI: Fixed issues related to Tenant ID format check at browser level.
  • Shopper Baskets now supports the following SLAS Trusted-Agent-On-Behalf-only endpoints:
    • PUT /baskets/{basketId}/agent
    • PUT /baskets/{basketId}/storefront
    • POST /baskets/{basketId}/price-adjustments
    • DELETE /baskets/{basketId}/price-adjustments/{priceAdjustmentId}
    • PATCH /baskets/{basketId}/price-adjustments/{priceAdjustmentId}
  • The following new channel types are supported by Baskets and Orders apps: TikTok, SnapChat, Google, WhatsApp, and YouTube
  • BOT Mitigation improvements: Reduced the time window from 2 seconds to 1 second for the same user login that returns Error 409.
  • Fixed the issue around deletion of a user with different loginID and IDP, when the tenant and customerID remains the same.
  • SLAS Tenant creation improvements to include region validation.
  • SLAS service: Introduced a rate limit of 25 TPM per tenant for the JWKS and well-known endpoints.
  • SLAS service now redirects to the customer’s registered callback URL on IDP errors and returns Error 412 for refresh token calls.
  • Trusted agent on behalf (TAOB): Client ID present check fix on /auth rather than /token.
  • Guest SESB refresh bug fix.
  • Improved IDP message errors back from third-party IDP.
  • Increase shopper authorization code size to accommodate larger code sent from Identity Providers.
  • SLAS Admin UI fixes for tenant display post deletion and faster IDP creation.
  • SLAS Admin: Client scope update fix.
  • Trusted agent on behalf: additional redirect URI parameters for authorize are separated properly.
  • Shopper-Experience API global rollout.
  • Bug fixes:
    • Admin UI, client create claims fix
    • SESB fix for OCAPI calls
  • Features:
    • Support for Active Directory Federated Service IDP
  • The Shopper Context API is now generally available!
  • Rate limit update to the rules endpoint in the Catalogs API.
  • Update TrustedAgentOnBehalf support for Shopper Token policy.
  • Support for Forgerock IDP.
  • Trusted agent on behalf (TAOB) now supports Private ClientID flow. Changed the TAOB JWT token expiry from 30 to 15 minutes for PCI compliance.
  • /jwks endpoint now returns 3 key IDs (past, current, and future KeyID).
  • Reduced the Passwordless OTP - token length from 20 to 8 characters.
  • Enhanced BOT mitigation strategy within SLAS.
  • Fixed inconsistencies related to failed tokens.
  • Session Bridge: Improved error messaging & guest support.
  • SLAS no longer calls ecom when a shopper account is locked.
  • User cache refinements & Fixed cache inconsistencies after tenant key rotation.
  • Addressed login ID inconsistencies for passwordless login.
  • Fixed AppleIDP issue related to middle name.
  • Rate limit increase for GET /customers/* (Shopper-Customers).
  • Rate limit increase for GET /products-lists/{id} (Shopper-Customers).
  • Rate limit increase for Orders API.
  • Rate limit updates: API families have either a 5s tier or a 60s tier.
  • Response compression has been introduced.
  • The expand query parameter has been added for getProducts.
  • Added support for correlation-id and x-correlation-id headers.

The scheduled deactivation of /customers/actions/login, /trusted-system/actions/login, and other related endpoints has been extended from mid-2022 to March 31st, 2023 for existing customers. These endpoints are still not available to new customers, and we still discourage existing customers from using them. Instead, we strongly recommend that you use the Shopper Login and API Access Service (SLAS) because it meets a higher standard for security and availability.

  • Increased performance and response times through caching on the edge layer.
  • Resources affected: /product, /category, and /product_search.
  • Updates to the personalization handling ensure that personalized content is cached correctly.
  • No action is required by developers to take advantage of this update.
  • Replace SlasJWT-BearerSecurityScheme.BearerToken security scheme with CommerceCloudStandards.ShopperToken.