B2C Commerce API Release Notes
Use B2C Commerce API (also known as Salesforce Commerce API or SCAPI) to build headless commerce experiences.
- For status updates and trust notifications, go to the B2C Commerce Status Page.
- For the general B2C Commerce release notes, go to Salesforce Help.
- To view the change policy, see: Change Policy.
- To use the SDK to make your first call quickly, see the Quick Start.
- For details about auth, see Authorization.
- To learn about using B2C Commerce API, see the Guides.
- To learn about using correlation IDs, see Identifying Requests and Responses.
- To browse the API endpoints, use the left navigation. B2C Commerce API is broken into two main groups: Shopper APIs and Admin APIs. All Shopper API groups start with Shopper. For details about the differences, see Get Started.
- Note: All secrets and tokens are fictional and provided as placeholders only.
- Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.
- Server-Side Web-Tier Caching is now enabled for a select few realms in which it was previously disabled. For the list of cached APIs and other details, see Server-Side Web-Tier Caching.
- Upgraded security infrastructure. No customer impact anticipated.
- SLAS 4xx error logs are available in Log Center, which provides multiple benefits, including a single URL for all realms, up to 14 days of log data, and improved search capabilities. For details, see Shopper Login and API Access Service (SLAS) Overview.
- Resolved a bug in the `/login` process when registered shoppers change their email and/or login ID multiple times. SLAS no longer returns a 500 error in this case.
- SLAS Service Protection: As part of our bot mitigation strategy for the upcoming holiday season, we are introducing additional service protection:
  - A SLAS service protection mechanism restricts bad actors or bots that call the same SLAS endpoint repeatedly with the same Unique Shopper ID (USID) within a short span of time. Such requests receive a 409 HTTP response.
- To enhance security for the Shopper Login and API Access Service (SLAS), a `channel_id` (site) parameter is now required when requesting a guest access token with a `grant_type` of `client_credentials`. This change prevents unauthorized access across different storefronts. Existing customers must update their implementation to include the `channel_id` parameter in the client credentials call in guest flows. For details, see Guest Tokens.
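As an added example (not Salesforce's code and not the SDK's), the following Node.js client shows what the two notes above mean for a private client: the guest-token request always carries `channel_id`, concurrent callers for the same USID share one in-flight request so the same SLAS endpoint is not hit repeatedly with the same USID inside the protection window, and a 409 from service protection is retried once after the documented 3-second window. The token URL, the `usid` form parameter, the placeholder credentials and the fake `fetch` used to run it offline are assumptions for illustration.

```javascript
// Added example (not Salesforce code): SLAS guest token request with channel_id,
// per-USID request coalescing, and a single retry after a 409 service-protection
// response. Token URL, usid parameter and credentials below are placeholders.
const PROTECTION_WINDOW_MS = 3000; // documented SLAS protection window (assumed as retry delay)

class SlasGuestTokenClient {
  // fetchImpl and sleep are injected so the client can be exercised offline.
  constructor({ tokenUrl, clientId, clientSecret, channelId, fetchImpl = globalThis.fetch, sleep }) {
    if (!channelId) throw new Error('channel_id (site ID) is required for client_credentials guest tokens');
    Object.assign(this, { tokenUrl, clientId, clientSecret, channelId, fetchImpl });
    this.sleep = sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
    this.inflight = new Map(); // usid -> pending Promise
  }

  // Private-client request: client_secret_basic in the Authorization header,
  // grant_type and channel_id in the form body. usid is optional (omit for a new shopper).
  buildRequest(usid) {
    const body = new URLSearchParams({ grant_type: 'client_credentials', channel_id: this.channelId });
    if (usid) body.set('usid', usid);
    const basic = Buffer.from(`${this.clientId}:${this.clientSecret}`).toString('base64');
    return {
      url: this.tokenUrl,
      init: {
        method: 'POST',
        headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
        body: body.toString(),
      },
    };
  }

  // Concurrent callers for the same USID share one in-flight request.
  requestGuestToken(usid) {
    const key = usid ?? '';
    if (!this.inflight.has(key)) {
      const pending = this._send(usid).finally(() => this.inflight.delete(key));
      this.inflight.set(key, pending);
    }
    return this.inflight.get(key);
  }

  async _send(usid) {
    for (let attempt = 0; attempt < 2; attempt += 1) {
      const { url, init } = this.buildRequest(usid);
      const res = await this.fetchImpl(url, init);
      if (res.status === 409 && attempt === 0) {
        // Service protection tripped: wait out the window, then retry once.
        await this.sleep(PROTECTION_WINDOW_MS);
        continue;
      }
      if (!res.ok) throw new Error(`SLAS token request failed with HTTP ${res.status}`);
      return res.json();
    }
    throw new Error('SLAS token request rejected twice by service protection');
  }
}

// Offline demonstration with a constructed fake fetch: the first call is answered
// with 409, the retry succeeds, and a concurrent duplicate for the same USID is coalesced.
async function runTokenDemo() {
  let httpCalls = 0;
  const fakeFetch = async (url, init) => {
    httpCalls += 1;
    const form = new URLSearchParams(init.body);
    if (form.get('grant_type') !== 'client_credentials' || !form.get('channel_id')) {
      return { ok: false, status: 400, json: async () => ({ error: 'invalid_request' }) };
    }
    if (httpCalls === 1) return { ok: false, status: 409, json: async () => ({}) };
    return {
      ok: true,
      status: 200,
      json: async () => ({ access_token: 'fictional-token', usid: form.get('usid'), expires_in: 1800 }),
    };
  };
  const client = new SlasGuestTokenClient({
    tokenUrl: 'https://example.invalid/shopper/auth/v1/organizations/f_ecom_example/oauth2/token',
    clientId: 'fictional-client-id',
    clientSecret: 'fictional-secret',
    channelId: 'RefArch',
    fetchImpl: fakeFetch,
    sleep: async () => {},
  });
  const [a, b] = await Promise.all([client.requestGuestToken('usid-1'), client.requestGuestToken('usid-1')]);
  return { httpCalls, sharedResult: a === b, usid: a.usid, token: a.access_token };
}
```

The constructor refuses to build a client without `channelId`, so a missing site ID fails at start-up rather than as a 4xx in production; the coalescing map is per client instance, so one instance per storefront process is the intended deployment.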
- With B2C Commerce version 24.10, the SLAS 4xx error logs are available in Log Center, which provides multiple benefits, including a single URL for all realms, up to 14 days of log data, and improved search capabilities. For details, see View SLAS Error Logs in Log Center.
- By default, shopper tracking preferences are disabled for Trusted Agent on Behalf (TAOB) authorization, which means the Do Not Track (`dnt`) parameter is set to `true`. This differs from other SLAS token requests, for which the default `dnt` value is `false`.
- Trusted Agent on Behalf (TAOB) authorization now allows an agent to perform actions on behalf of guest shoppers.
- Refined documentation, including best practices and sample code for validating SLAS JWTs with JWKS, to simplify key management and enhance security.
- SLAS Service Protection: As part of our bot mitigation strategy for the upcoming holiday season, we are introducing additional service protection:
  - SLAS Trusted System on Behalf (TSOB) logins have the same service protection window of 3 seconds across all regions.
  - Beginning 10/02/2024 in the AP-Northeast-1 region and 10/09/2024 in the US-East-1 region, customers attempting to log in more than once through TSOB within a period of 3 seconds receive a 409 HTTP error. No customer impact is anticipated. If you see an increase in 409 HTTP errors, open a support case.
  - No change for the SLAS AP-Southeast-2 and EU-Central-1 regions, which already use the existing protection window of 3 seconds.
- Enhanced error handling for the `/passwordless/login` endpoint. The endpoint now returns a 404 error instead of a 502 error when no shopper is found.
- Fixed a SLAS Admin UI bug to ensure the `UserInfo` URL value is not auto-populated with token information.
- With B2C Commerce version 24.10, added performance and stability improvements in SCAPI caching, specifically for price/promotion calculations. No customer impact is anticipated.
- Stability and visibility enhancements. No customer impact is anticipated.
- SLAS Service Protection: As part of our bot mitigation strategy for the upcoming holiday season, we are introducing additional service protection:
  - A SLAS service protection mechanism restricts bad actors or bots calling the same SLAS endpoint repeatedly using the same USID (Unique Shopper ID) within a short span of time. Such requests receive a 409 HTTP response.
  - SLAS Trusted System on Behalf (TSOB) logins have a service protection window of 3 seconds.
  - Beginning 10/02/2024 in the AP-Northeast-1 region and 10/09/2024 in the US-East-1 region, customers attempting to log in more than once through TSOB within a period of 3 seconds receive a 409 HTTP error. No customer impact is anticipated. If you see an increase in 409 HTTP errors, open a support case.
  - No change is planned for the SLAS AP-Southeast-2 and EU-Central-1 regions, which are configured for 3 seconds.
- To help you verify the authenticity of callback requests, SLAS provides a `SlasCallbackToken` (JWT) for each passwordless login and password reset callback that SLAS sends. For more details, see Verify the SLAS Password Action Callback.
- Fixed a JWT validation issue when special characters, especially colons (:), were used in the first name or last name.
- Updated SLAS Infrastructure for holiday readiness.
- To enhance security for the Shopper Login and API Access Service (SLAS), a `channel_id` (site) parameter is now required when requesting a guest access token with a `grant_type` of `client_credentials`. This change prevents unauthorized access across different storefronts. Existing customers must update their implementation to include the `channel_id` parameter in the client credentials call in guest flows, following the schedule in Guest Tokens.
- CORS: The `Access-Control-Allow-Methods` header is no longer returned in regular SCAPI responses, but is still returned for `OPTIONS` (preflight) requests per the HTTP specification. No customer impact anticipated.
- Security: Added the `strict-transport-security` header with a one-year expiration (max-age). No customer impact anticipated.
- With B2C Commerce version 24.9.1, added a read-only, optional `hashedLogin` field to the response, as applicable, for the following Shopper Customers API endpoints:
  - `PATCH /customers/{customerId}` (updateCustomer)
  - `GET /customers/{customerId}` (getCustomer)
  - `POST /customers` (registerCustomer)
- Updated SLAS third-party library information for holiday readiness.
- Addressed a limitation in the SLAS refresh token flow. If a public client logs in and then a private client logs in with the same USID, the public client refresh_token is now deleted and replaced.
- Fixed a SLAS bug in the registered user third-party IDP login flow. When a guest USID is used and the login process does not complete, the access token now remains a guest token until a successful registered user third-party IDP login occurs.
- Improved error handling:
  - The `idp/callback` endpoint no longer returns a 503 error when the state is null; it now returns a 400 Bad Request error.
- Updated the SLAS Admin UI to allow customers to access the UI through their short-code.
- Fixed a rare and intermittent spike in SLAS response times.
- For SCAPI calls using a SLAS JWT, added the Disable the Modification of the Issuer Date toggle to invalidate a customer JWT after a password change. When the toggle is set, a 401 `InvalidAccessTokenException` response is returned when an existing access token is used after a password change. When the toggle is not set, the error response is thrown only if the time between the token issue date and the password modification date exceeds 30 seconds.
- Added infrastructure enhancements for new installation configurations. No customer impact anticipated.
- In preparation for the holiday season, enabled cache infrastructure enhancements.
- Upgraded security infrastructure. No customer impact anticipated.
- Added response timeout handling for all instance types:
- In preparation for the holiday season, documented timeouts are enforced on all instance types, including Production instances. Shopper APIs and Custom APIs must respond within 10 seconds, and Admin API requests must respond within 60 seconds. If a response to a SCAPI request exceeds the specified threshold, an HTTP 504 status code is returned. For details, see Error Response Codes.
- See the Added response timeout handling for Sandbox instances release note for more details.
- With B2C Commerce 24.8, you can set cache expiration for objects with a Validity Period for the Shopper Products getProduct and getCategory endpoints and the Campaigns getCampaign endpoint. For details, see Cache Expiration for Objects with a Validity Period.
- Fixed HTTP/2 protocol issues when using CORS.
- With B2C Commerce version 24.8:
- Added support for Cross-Origin Resource Sharing (CORS). For details, see CORS in SCAPI and the CORS API.
- For the Shopper Products getProduct and getCategory endpoints and the Campaigns getCampaign endpoint, you can now set a time window, called the Validity Period. The validity period is used for server-side cache expiration to prevent serving stale content. For additional details, see “Cache Expiration for Objects with a Validity Period” in Server-Side Web-Tier Caching.
- To enhance security for the Shopper Login and API Access Service (SLAS), a `channel_id` (site) parameter is now required when requesting a guest access token with a `grant_type` of `client_credentials`. This change prevents unauthorized access across different storefronts. Existing customers must update their implementation to include the `channel_id` parameter in the client credentials call in guest flows by 7/31/2024. For details, see Guest Tokens.
- The total number of scopes is now limited to 85 entries, which is enforced in both the SLAS API and SLAS Admin UI.
- Added client credentials to the POST body when refreshing an `access_token` from the IDP. You can control this using a flag in the SLAS IDP configuration. For details, refer to the documentation for the SLAS Admin IdentityProvider endpoint.
With B2C Commerce version 24.7.2:
- Preferences API
  - Returns the value of the most recent custom preference ID version if the preference ID definition is changed.
- SLAS infrastructure updated in preparation for the holiday season.
- Server-Side Web-Tier Caching is automatically turned on for:
  - SBX and ODS instances
  - PRD instances that don't use hooks in the Shopper Search API `productSearch` and `getSearchSuggestions` endpoints. For details, see Server-Side Web-Tier Caching.
- Internal infrastructure upgrades. No customer impact is anticipated.
- Server-Side Web-Tier Caching is automatically turned on for all instances that don't use the Shopper Search API `productSearch` and `getSearchSuggestions` endpoints on their PRD instances. For details, see Server-Side Web-Tier Caching.
With B2C Commerce version 24.7:
- Collect request details for SCAPI requests by using the HTTP request header `sfdc_verbose: true`.
- Merchants and developers can update the status of redeemed coupons using the new Coupons API `redeemCoupon` endpoint.
- Use the SEO API to upload a custom sitemap and trigger the sitemap generation process. You can now combine your external routes with those in B2C Commerce in a single sitemap.
- Shopper Context API
  - Now provides geolocation capabilities. For details, see Shopper Geolocation.
- Checkout APIs
  - For the Shopper Baskets v1 and v2 `createBasket` and `updateBasket` endpoints, the product line item quantity limit is now set to the API quota `api.basket.productLineItemQuantity` of 1000, and the API no longer returns a 400 Bad Request for values greater than 999.
  - In addition, the 999 product line item quantity limit on createOrders is removed, and the quantity set by this endpoint is now unlimited.
With B2C Commerce version 24.7.1:
- Shopper Context API
  - Now requires a `siteId` to be passed. For details, see the Shopper Context Guide.
  - Constraints have been relaxed, and all SCAPI and OCAPI endpoints are now fully compatible with Shopper Context. For details, see Shopper Context Constraints.
- The Shopper Customers API `updateCustomer` endpoint allows `loginId` to be updated if a valid current password is provided for the shopper.
- Preferences API
  - When retrieving site and global preferences, the Preferences API first checks for custom settings; if no custom settings exist, it now returns the default settings from Business Manager.
- SLAS Admin: Added validation for SLAS Client callback URLs to prevent the use of localhost or loopback addresses as host names in production environments.
- Added SLAS resilience improvements for holiday readiness.
- Server-Side Web-Tier Caching is enabled for all SCAPI customers who aren’t currently using the cached APIs and haven’t made production requests to any cached APIs in the last seven days. For the list of cached APIs and other details, see Server-Side Web-Tier Caching.
- The `siteId` query parameter is no longer mandatory for custom API calls. If a site is not provided, the default site is the Business Manager site. For details, see Custom APIs.
- With B2C Commerce version 24.5, the Shopper endpoint constraint for supporting trusted agent tokens on a specific subset of Shopper endpoints has been removed. For details, see Trusted Agent Authorization.
- Internal infrastructure change: additional internal header introduced. No customer impact is anticipated.
- The Shopper Context API now requires a `siteId` for new customers. For details, see the Shopper Context Guide.
- The following Script API methods are available to support SCAPI external taxation APIs with hooks:
  - `dw.order.LineItemCtnr#isExternallyTaxed`: Returns true if the basket was created with taxMode = external.
  - `dw.order.TaxMgr#applyExternalTax`: Applies externally set tax rates to the given basket. Use when `dw.order.LineItemCtnr#isExternallyTaxed` returns true. For details, see Extensibility via Hooks and updateItemsInBasket.
- With B2C Commerce version 24.6, the mergeBasket endpoint now merges the guest shopper's `shippingAddress` and `shippingMethod` into the registered basket when the registered basket does not contain a `shippingAddress` or `shippingMethod`.
- The new Preferences API allows you to retrieve Site and Global preferences.
- The Shopper Products API getCategories endpoint now provides the `onlineSubCategoriesCount` property.
- Internal infrastructure upgrade and security updates. No customer impact is anticipated.
- SLAS now allows shoppers to have multiple clients and authenticate on the same device with a single USID, provided the clients use their respective `refresh_token`s to refresh their sessions.
- SLAS IDP integration has enhanced error handling to return more meaningful error messages to the caller. No change in error code information.
  - The refined error message "The Account is disabled" is returned for any user account disabled in B2C Commerce. No change in the error code.
- Shopper Custom Object API scopes are now limited to 20 entries. This is now enforced in both SLAS API and SLAS Admin UI.
- Enhanced SLAS internal error handling and log messages.
- With B2C Commerce version 24.5, the Shopper Baskets API supports patching variations within product bundles in a single call. This enhancement provides:
  - More efficient and streamlined product bundle management, making it easier to update multiple variations within a bundle without the need for multiple API calls.
  - Increased productivity for developers managing complex product bundles.
  For details, see updateItemInBasket.
- SLAS database performance improvements. No customer impact is anticipated.
- SLAS internal infrastructure optimization. No customer impact is anticipated.
- The following Shopper Baskets (v1 and v2) endpoints are deprecated and are no longer supported:
- Internal infrastructure change for SCAPI contract validation. No customer impact is anticipated.
- Removed obsolete code modules related to encoding issues. For encoding details, see URL Encoding of Special Characters.
With B2C Commerce 24.5, you can use external taxation mode with the Shopper Baskets API when hooks are enabled. For details, see External Taxation Documentation.
- You can now use the Script API response object to set custom response headers. For details, see Custom Headers.
- Update on encoding handling for special characters. For details, see URL Encoding of Special Characters.
- Optimization performed in internal infrastructure routing. No customer impact anticipated.
- SLAS now supports merging user profile attributes for the Apple IDP.
With B2C Commerce 24.4:
- Added the Shopper Custom Objects API for retrieving Custom Objects. For details, see Shopper Custom Objects.
- Added support for additional HTTP methods for Custom APIs. For details, see Custom APIs.
- SCAPI: Routine maintenance of infrastructure. No customer impact is anticipated.
- SLAS: Database and infrastructure updates. During the deployment period, shoppers might experience elevated response times for less than a minute.
- Routine maintenance of infrastructure. No customer impact is anticipated.
- Added response timeout handling for Sandbox instances:
- If responding to a SCAPI request takes too long (60 seconds for Data API requests), an HTTP 504 status code is returned.
- This is only enforced for requests to Sandbox instances, but will be rolled out to all instance types in the future.
- For more information see Error Response Codes.
- With B2C Commerce 24.3, updated the Orders API updateOrderStatus endpoint to support a new update status `failed_with_reopen`:
  - When an order is updated with the `failed_with_reopen` status, the order status is set to `failed`.
  - If the basket can be reopened, the API returns response code 201 with the reopened basket URL in the Location header.
  - If the basket cannot be reopened, the API returns response code 204 with an empty Location header.
- With B2C Commerce 24.3, expanded the Shopper Search API productSearch endpoint to include additional parameters: `productPromotions`, `imageGroups`, `priceRanges`, and `variants`:
  - The corresponding expansion and query parameters are required in order to get the additional product data in the response. For details and best practices, refer to the Shopper Search API documentation.
- Added the Customer API searchCustomerGroup endpoint, which searches for customer groups for the siteId.
- Routine maintenance of infrastructure. No customer impact is anticipated.
- During the maintenance window, shoppers might experience elevated response times.
- For the latest B2C Commerce service status and deployment information, subscribe to Trust Center notifications.
- This feature is generally available from B2C Commerce 24.2:
  - Updated getUrlMapping's response to include the optional property `resourceSubType`, which indicates whether the resolved object is a Page Designer content asset or a Content Slot asset. For more information, see the UrlMapping type reference.
- These features are generally available from B2C Commerce 24.3:
  - Updated getUrlMapping to support URL redirects. For more information, see the URL Resolution guide.
  - Updated getUrlMapping to support these hooks: `dw.shop.seo.url_mapping.beforeGET` and `dw.shop.seo.url_mapping.modifyGETResponse`.
- Custom Request Headers
  - Developers can send custom request headers that are passed and made available in server-side custom implementations.
  - The required pattern is: `c_{yourHeader}`.
- Update order now supports the ShopperTokenTsob security scheme.
- Shopper Baskets v2 available with B2C Commerce 24.1
  - Provides support for temporary baskets. Temporary baskets can perform calculations to generate totals, line items, promotions, and item availability without affecting the shopper's storefront cart. You can use these calculations for temporary basket checkout.
  - New Shopper Baskets v2 response fields: `groupedTaxItems`, `taxRoundedAtGroup`, `temporaryBasket`
  - Temporary basket use cases include:
    - A shopper wants to purchase an item without affecting their existing shopping cart, which contains items for an unrelated purchase:
      - A shopper selects an Apple Pay button for a product.
      - A shopper selects a reorder button for a product on an order history page.
      - A shopper selects an order button on a wish list page to purchase one or more items.
      - A merchant shares a link through social channels to purchase promotional items.
      - A customer support agent sends a Buy Now link with pre-set products to a shopper for self-checkout (no passing of payment details to support).
  - For additional details, see Shopper Baskets V2.
  - The `dw.ocapi.shop.basket.beforePOST` hook is no longer supported in Shopper Baskets V2 and is replaced by the `dw.ocapi.shop.basket.beforePOST_v2` hook.
- Stricter request header filtering is performed. Custom code must use custom request headers.
- Identical `CorrelationId` information is no longer returned for independent requests.
- The correct 503 status code is now returned during a site maintenance window.
- During the maintenance window, shoppers might experience elevated response times.
- For the latest B2C Commerce service status and deployment information, subscribe to Trust Center notifications.
- Introduced new load shedding functionality that:
  - Returns an HTTP 503 response for a subset of API families if the system reaches a load threshold.
  - Covers APIs not covered by rate limits that are considered non-critical, for example endpoints related to search, products, and authentication. Load shedding is not used for checkout-related endpoints, such as Shopper Baskets and Shopper Orders, to ensure that shoppers can complete an in-progress checkout.
  - Includes additional HTTP response headers that let you understand the current system load: `sfdc_load`, a load percentage (higher percentages indicate higher load), and `sfdc_load_status`, an enum `WARN|THROTTLE` that indicates the relative health of the system.
- Fixed routing for `/shopper-experience` requests that resulted in HTTP 500 errors.
- Cleanup of deprecated infrastructure and configuration.
- SLAS Admin UI: Added client name to the client list and detail pages.
- SLAS API: Added support for the `DoNotTrack` (DNT) query parameter in token calls for headless customers. This is in preparation for a future SCAPI B2C Commerce rollout. Additional documentation will be provided.
- SLAS to B2C Commerce data consistency: Addressed a limitation around customer records synchronization between B2C Commerce and SLAS.
- SLAS third-party IDP configuration is tolerant of a missing `idToken` when refreshing third-party IDPs.
- Security updates.
These features are generally available with B2C Commerce 24.3:
- The `select` query parameter in the Product Search API endpoint filters the response payload by a specified field or set of fields. This allows you to focus on the data that's important to you and improve page loading speed.
- Save time and improve product listing page (PLP) performance by using the enhanced Product Search API endpoint. Use the new optional expansion on the Product Search API endpoint to retrieve product metadata and avoid additional calls to Get Products. Use these features to provide the additional information needed to render your PLP:
  - Allowable value: `promotions` value in the `expand` query parameter
  - Query parameters: `perPricebook`, `allImages`, and `allVariationProperties`
  - Responses: `productPromotions`, `imageGroups`, `priceRanges`, `tieredPrices`, `variants`, and `variationGroups`
Salesforce Commerce Cloud now provides a new framework that enables you to write custom B2C commerce script code, such as controllers, and expose this functionality as a custom REST API endpoint under the SCAPI framework. Those custom API endpoints accept the same AuthN/AuthZ model as our Shopper and Admin APIs.
With the transition from Beta to General Availability (GA), future changes to B2C Commerce Custom APIs will follow our change policy.
If you are new to Custom APIs, see Custom APIs as a starting point.
- New features (non-breaking changes) not included in the Beta:
  - Added the RestResponseMgr Script API class to simplify writing custom APIs.
  - Added support for local references of shared objects in the API contract.
  - Added support for the `AmOauth2` method for Admin APIs. For details, see Custom API Authentication and Authorization.
- If you participated in the Custom APIs Beta, the transition to General Availability causes the following BREAKING changes. Review and update your code as needed:
  - Custom endpoints now require custom scopes. For details, see Scopes.
  - Storefront quota limits are now enforced. Review these limits and fix any errors. For details, see API Quotas. The quota limits relevant for Custom APIs are the ones marked as `Storefront Limit`.
  - We've added Circuit Breaker functionality to Custom APIs, similar to what exists for hooks. This is a protective measure that blocks API requests when the error rate is too high. For details, see Circuit Breaker.
- B2C Commerce Custom APIs support HTTP GET requests as well as DELETE, HEAD, and OPTIONS. Future transaction support with POST, PUT, and PATCH is being planned.
- Custom rules allow you to control incoming traffic by setting up firewall policies based on various request parameters. These API endpoints expand on the existing functionality of firewall rules. With custom rules, you have complete control over the rule expression. We’ve also extended the list of allowed request field types and rule actions, which offer increased flexibility and allow you to create expressions that match your specific traffic needs.
- Commerce Cloud B2C Commerce has migrated all existing firewall rules to a new custom rules CDN-API endpoint. All customers are directed to transition to using custom rules in place of firewall rules. The firewall rules are scheduled for deprecation. Complete the transition to custom firewall rules in place of firewall rules before February 1, 2024.
- For additional details, see: eCDN Custom Rules
- Cleanup of deprecated SCAPI migration code and configuration. These are nonbehavioral changes.
- Resilience improvements for the SCAPI CDN layer
- Improved error handling for TSOB (Trusted System on Behalf) for "customer not found" user scenarios.
- Support added for using SAP Customer Data Cloud socialize REST endpoints.
- IDP configuration now allows the IDP client credentials to be added to the POST body.
- SLAS now supports OIDC client_secret_basic and client_secret_post for client authentication.
- Updated the `/introspect` endpoint to include a `sub` claim in the response.
- Improved validation in the Session Bridge (SESB) flow by checking for the `customer_id` and failing the request if the customer is already registered.
- Includes a SLAS Admin UI and API fix to address the cache synchronization issue when a client is edited or deleted.
- Minor fixes
- Added a new `sfdc_maintenance` header in SCAPI responses during maintenance windows
- Resilience improvements for the SCAPI CDN layer
- Update on encoding handling for special characters
- Holiday preparation: Improve visibility and stability
- Improve header handling for resiliency
- Enhanced error handling for SLAS TSOB (Trusted System on Behalf) when the IDP is B2C Commerce. For a first-time call with a non-existing shopper ID, error code 400 is returned in place of the incorrect 409 error code. This change is specific to the B2C IDP and does not impact TSOB using Okta or any other third-party IDP.
- Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
- In view of the Salesforce-wide holiday moratorium, there are no planned SLAS releases between 11/6/2023 and 1/2/2024.
- Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and `loginId=guest` on the `/session-bridge/token` endpoint. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers from accessing your storefront. For more information, see Shopper Login and API Access Service (SLAS) Session Bridge DWSID GUEST Deprecation.
- The Get URL Mapping API endpoint allows headless storefronts to support localized, user-friendly URLs based on URL rules set up in Business Manager. This endpoint helps you to increase your site traffic and improve site navigation. Get URL Mapping is in a new API named Shopper SEO. For more information, see URL Resolution and the Shopper SEO API reference.
- Use the Shopper Stores API to find details about stores. Shoppers can locate nearby stores for delivery or offline shopping. See the Shopper Stores API reference.
- Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and `loginId=guest` on the `/session-bridge/token` endpoint. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers from accessing your storefront. For more information, see Shopper Login and API Access Service (SLAS) Session Bridge DWSID GUEST Deprecation.
- In view of the Salesforce-wide holiday moratorium, there are no planned SLAS releases between 11/6/2023 and 1/2/2024.
- Addressed a bug in SLAS Session Bridge (SESB) functionality when a guest user transitions to registered user with the authorize (/authorize) flow.
- SLAS Admin UI validation and messaging for Shopper context API public client customers.
- SLAS Monitoring enhancements as part of Holiday readiness.
- SLAS now supports Last Name (`family_name` claim) as optional for the Google IDP client.
- Shopper Orders Guest Order Lookup secured by a SLAS Trusted System On Behalf token is available now.
- The Order response document now contains an order view code that can be used to retrieve guest orders securely using the Guest Order Lookup endpoint. The order view code contains only URL-safe characters.
  Warning: Do not expose the order view code in the URL. The order view code can only be displayed to the shopper or sent in an email. Do not log the order view code.
- Request header size optimizations
- Bugfix for shopper-search refinement parameter encoding
- Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and `loginId=guest` on the `/session-bridge/token` endpoint. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers from accessing your storefront. For more information, see Shopper Login and API Access Service (SLAS) Session Bridge DWSID GUEST Deprecation.
- In view of the Salesforce-wide holiday moratorium, there are no planned SLAS releases between 11/6/2023 and 1/2/2024.
- SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
- Fixed a bug related to Cache synchronization across SLAS PODs.
- Security library updates
- `CustomerGroupIds` is now supported in the Shopper Context API.
- Deprecation Notice: After January 31st, 2024, merchants will no longer be able to use the DWSID parameter and `loginId=guest` on the `/session-bridge/token` endpoint. Beyond this timeline, accessing this API returns a 404 error and prevents your guest shoppers from accessing your storefront. For more information, see Shopper Login and API Access Service (SLAS) Session Bridge DWSID GUEST Deprecation.
- Aligning with the Salesforce-wide holiday moratorium, there are no planned SLAS releases between 11/6/2023 and 1/2/2024.
- SLAS now supports OIDC locales parameter on /authorize endpoint.
- Security Bug fixes
- Holiday preparation: Improve performance, visibility, and stability
- Following the preview release from 08/30/2023, we are now releasing this feature and infrastructure update to production environments.
- Affected PODs are all PODs that were not listed in the two releases from 09/27/2023 and 09/21/2023.
- Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.
- Introduction of new custom query parameters: `c_<yourparameter>` can now be defined on SCAPI requests and is routed end to end. Parameters are available in hooks for custom control logic.
- Holiday preparation: Improve visibility and stability
- Updated infrastructure layers for SCAPI requests
- SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
- Holiday preparation: Improve performance by enabling of caching
- Affected PODs are: POD94, POD112, POD122, POD159, POD162, POD173, POD192, POD194, POD198, POD204, POD226
- Holiday preparation: Improve performance, visibility, and stability
- Following the preview release from 08/30/2023 we are now releasing this feature update to production environments.
- Affected PODs are: POD114, POD136, POD149, POD173, POD174, POD210, POD229, POD250, POD253, POD260
- Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.
- Introduction of new custom query parameters: `c_<yourparameter>` can now be defined on SCAPI requests and is routed end to end. Parameters are available in hooks for custom control logic.
- CORS headers handling, ALL customers.
- CORS headers like Origin are NOT interpreted any longer, to avoid CORS errors.
- SCAPI currently does not support CORS.
- SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
- SLAS IDP authorize now enables the merge shopper profile capability. We've extended `registerIdentityProvider` to support a new parameter `loginMergeClaims`. This parameter allows you to specify whether shopper accounts created via this IDP should be merged with existing accounts using one of those parameter values, preserving order history (amongst other things). Refer to the Merge Shopper Profiles User Guide and `registerIdentityProvider`.
- Following the preview release from 08/30/2023 we are now releasing this feature update to production environments.
- Affected PODs are: POD94, POD112, POD122, POD136, POD159, POD162, POD173, POD192, POD194, POD198, POD204, POD226, POD240, POD248, and POD253
- Holiday preparation: Improve performance, visibility, and stability
- Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network
- New custom query parameters: `c_<yourparameter>` can now be defined on SCAPI requests and will be routed end to end. Parameters are available in hooks for custom control logic.
- Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season
- SLAS Admin UI: Default IDP claims removed from UI map if they are not a Generic IDP
- Addressed a bug related to 3rd party logout on ECOM during SLAS /logout endpoint call https://developer.salesforce.com/docs/commerce/commerce-api/references/shopper-login?meta=logoutCustomer
- Security Updates
- Log Improvements
- Preview release to sandboxes only (SIG and ODS).
- Holiday preparation: Improve performance, visibility, and stability.
- Updated infrastructure layers and routing rules for SCAPI requests to use fewer hops in the network.
- Introduction of new custom query parameters: `c_<yourparameter>` can now be defined on SCAPI requests and is routed end to end, and is therefore available in hooks for custom control logic. We'd like all customers to verify their existing SCAPI implementation on sandboxes and report any issues back.
- Trust Notification
- SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
- Improvements to Trusted System on Behalf (TSOB) flow to be able to better handle simultaneous requests.
- As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS; shoppers who have not returned to the shopping app at least once in the last 45 days need to log in again. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90-day standard duration. Shopper guest sessions and B2C Commerce basket retention are not affected in any way.
- productSearch now correctly handles storefront search filters and refinement values with the `&` character, and considers all terms in the refinement attribute before and after the `&`. Previously, the search filter and refinement parameter was incorrectly truncated, and requested refinements with the `&` character in the attribute name did not match the configured refinements in Business Manager.
- Security updates
- SLAS Infrastructure and scale improvements to handle higher transaction volume for the upcoming holiday season.
- Addressed a limitation in SLAS Session Bridge (SESB) functionality when a guest user creates a cart, adds products to the cart, and then logs in as a registered user WITH a trusted system (TSOB) to merge the cart; previously, the merge failed.
- Addressed a bug related to case-sensitive `login_id` comparison for Session Bridge (SESB) token requests, where the casing of the `login_id` passed to `getSessionBridgeAccessToken` was different from the casing of the `login_id` in B2C Commerce.
- As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS; shoppers who have not returned to the shopping app at least once in the last 45 days need to log in again. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90-day standard duration. Shopper guest sessions and B2C Commerce basket retention are not affected in any way.
- Security Updates
- Addressed a limitation in the `plugin_slas` integration with SLAS around Merge Cart for the Guest to Registered flow.
- For the `getSessionBridgeAccessToken` endpoint, the returned `TokenResponse` now correctly includes the `enc_user_id` attribute.
- As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS; shoppers who have not returned to the shopping app at least once in the last 45 days need to log in again. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90-day standard duration. Shopper guest sessions and B2C Commerce basket retention are not affected in any way.
- Security Updates
- Increased timeout from 10 seconds to 25 seconds for incoming requests to Products data endpoints.
- Default IDP configuration allows for SSO/OIDC configuration with other IDPs outside the list of SLAS supported IDPs. Configuration can be performed via the Admin API or Admin UI. For more information, see Configure a Default IDP.
- Preferred IDP configuration cleanup and functionality added to Admin UI.
- As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS; shoppers who have not returned to the shopping app at least once in the last 45 days need to log in again. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90-day standard duration. Shopper guest sessions and B2C Commerce basket retention are not affected in any way.
- Certificate rotation for SCAPI logging and metrics infrastructure.
- One certificate pair per region: EUC1, USE1, APS2, and APN1
- Security Updates
- Logging Optimizations
- Security Updates
- SLAS Infrastructure and scale improvements.
- SLAS Admin UI improvements related to user search and get user statistics.
- Fixed logout implementation. SLAS to OCAPI calls no longer fail by throwing [ClientAccessForbiddenException](https://developer.salesforce.com/docs/commerce/commerce-api/references/shopper-login?meta=logoutCustomer).
- As part of our efforts to scale the SLAS service for the upcoming holiday volume, temporarily, starting the week of August 7, registered shopper refresh tokens (existing and new) are valid for only 45 days, instead of the earlier validity of 90 days. This applies to shopping apps integrated with SLAS; shoppers who have not returned to the shopping app at least once in the last 45 days need to log in again. This temporary state ends on September 15. After September 15, registered shopper refresh tokens will resume their full 90-day standard duration. Shopper guest sessions and B2C Commerce basket retention are not affected in any way.
- Performance optimizations
- The optional query parameter `locale` is now supported for mergeBasket, transferBasket, and all delete endpoints in Shopper Orders and Shopper Baskets, with the exception of deleteBasket.
- PaymentCardSpec includes a new field `securityCodeLength`. This is available in the response for the Shopper Baskets getPaymentMethodsForBasket and Shopper Orders getPaymentMethodsForOrder endpoints.
- Coming soon: the mergeBasket and transferBasket responses will no longer include the property `notes`. Previously, this property was sent with an empty value in the response.
- Fix coming soon: mergeBasket will return an HTTP 409 error response `no-source-basket-exception` if the guest's basket has already been ordered. Previously, the ordered guest basket was merged with the new basket.
- Performance optimizations
- SLAS Infrastructure and scale improvements to handle higher transaction volume.
- productSearch now correctly handles storefront search queries with the `&` character and considers all terms before and after the `&`. Previously, the search query was incorrectly truncated before the `&` character and subsequent terms were missing in the query.
- The SLAS `/token` endpoint includes a refresh token time-to-live (TTL) claim, and the value is in seconds to be consistent with `expires_in` for the `access_token` TTL. For more information, see `getAccessToken`.
- Improved error handling to send clear 4xx messages on the `/revoke` endpoint if a null token is provided. For more information, see `revokeToken`.
- SLAS Admin has enhanced validation in place to help customers create tenants in the correct region.
- Performance optimizations
- Performance optimizations
- Shopper Customers API and Customers API security updates.
- Updated configuration handling to improve performance.
- Update on metrics and logging to improve supportability.
- introspectToken returns more specific error messages on failures.
- authenticateCustomer and other endpoints which result in calls to a B2C Commerce instance return more specific error messages when that instance is down.
- To support native mobile apps, added support for custom scheme redirects based on Private-Use URI Scheme Redirection.
- Updated routing and mapping policies to prepare for future functionality.
- Security updates.
- Updated TokenResponse, extending the maximum size of `idp_access_token` to 8k bytes.
- getSessionBridgeAccessToken supports a new optional parameter `dwsgst`. Its value is a guest session signature created from the Script API's `Session.generateGuestSessionSignature()`. Passing this parameter improves the performance of this API.
- Guest refresh tokens are now valid for 30 days. Previously, they were valid for 90 days.
- Updated the getTrustedAgentAccessToken endpoint to make the `agent_id` parameter optional.
- Updated the SLAS Admin UI with specific error messaging for issues with logging into Account Manager.
- Private clients now support `grant_type=authorization_code` in addition to `grant_type=authorization_code_pkce`.
- Removals of customer records in B2C Commerce are now synchronized with SLAS. If a customer record is deleted in B2C Commerce, this change is recognized by SLAS.
- NEW SLAS-Marketing Cloud SMS for Passwordless login is ready! See Passwordless Login with SMS to get started.
- resetPassword rejects weak passwords with an HTTP 400 error.
- getUserInfo supports names with special characters.
- getUserInfo supports Trusted System on Behalf of tokens.
- Credential Quality APIs deprecated and removed.
- Improved Guest Shopper validation to allow B2C Commerce IDP origin for session bridge.
- Session Bridge: fixed 500 server error on incorrect hint.
- SLAS Admin UI: Fixed issues related to Tenant ID format check at browser level.
- Shopper Baskets now supports the following SLAS Trusted-Agent-On-Behalf-only endpoints:
  - PUT `/baskets/{basketId}/agent`
  - PUT `/baskets/{basketId}/storefront`
  - POST `baskets/{basketId}/price-adjustments`
  - DELETE `baskets/{basketId}/price-adjustments/{priceAdjustmentId}`
  - PATCH `baskets/{basketId}/price-adjustments/{priceAdjustmentId}`
- PUT
- The following new channel types are supported by Baskets and Orders apps: TikTok, SnapChat, Google, WhatsApp, and YouTube
- BOT Mitigation improvements: Reduced the time window from 2 seconds to 1 second for the same user login that returns Error 409.
- Fixed the issue around deletion of a user with different loginID and IDP, when the tenant and customerID remains the same.
- SLAS Tenant creation improvements to include region validation.
- SLAS service: introducing a rate limit of 25 TPM per tenant for the JWKS and well-known endpoints.
- The SLAS service now redirects to the customer's registered callback URL on IDP errors and returns error 412 for refresh token calls.
- Trusted agent on behalf (TAOB): client ID presence check fixed on `/auth` rather than `/token`.
- Guest SESB refresh bug fix.
- Improved IDP message errors back from third-party IDP.
- Shopper Context API update.
- Increase shopper authorization code size to accommodate larger code sent from Identity Providers.
- SLAS Admin UI fixes for tenant display post deletion and faster IDP creation.
- SLAS Admin: Client scope update fix.
- Trusted agent on behalf: additional redirect URI parameters for authorize are separated properly.
- Shopper-Experience API global rollout.
- Bug fixes:
- Admin UI, client create claims fix
- SESB fix for OCAPI calls
- Features:
- Support for Active Directory Federated Service IDP
- The Shopper Context API is now generally available!
- Rate limit update to the rules endpoint in the Catalogs API.
- Update TrustedAgentOnBehalf support for Shopper Token policy.
- Support for Forgerock IDP.
- Trusted agent on behalf (TAOB) now supports the Private ClientID flow. Changed the TAOB JWT token expiry from 30 to 15 minutes for PCI compliance.
- The `/jwks` endpoint now returns 3 key IDs (past, current, and future KeyID).
- Reduced the Passwordless OTP token length from 20 to 8 characters.
- Enhanced BOT mitigation strategy within SLAS.
- Fixed inconsistencies related to failed tokens.
- Session Bridge: Improved error messaging & guest support.
- SLAS no longer calls ecom, when a shopper account is locked.
- User cache refinements, and fixed cache inconsistencies after tenant key rotation.
- Addressed login ID inconsistencies for passwordless login.
- Fixed AppleIDP issue related to middle name.
- Rate limit increase for `GET /customers/*` (Shopper Customers).
- Rate limit increase for `GET /products-lists/{id}` (Shopper Customers).
- Rate limit increase for the `Orders` API.
- Rate limit updates: API families have either a 5s tier or a 60s tier.
- Response compression has been introduced.
- The `expand` query parameter has been added for `getProducts`.
- Added support for `correlation-id` and `x-correlation-id` headers.
- The scheduled deactivation of `/customers/actions/login`, `/trusted-system/actions/login`, and other related endpoints has been extended from mid-2022 to March 31st, 2023 for existing customers. These endpoints are still not available to new customers, and we still discourage existing customers from using them. Instead, we strongly recommend that you use the Shopper Login and API Access Service (SLAS) because it meets a higher standard for security and availability.
- Increased performance and response times through caching on the edge layer.
- Resources affected: `/product`, `/category`, and `/product_search`.
- Updates to the personalization handling ensure that personalized content is cached correctly.
- No action is required by developers to take advantage of this update.
- Replace the `SlasJWT-BearerSecurityScheme.BearerToken` security scheme with `CommerceCloudStandards.ShopperToken`.