Configure External Client App for Guest JWT Authentication
Follow these steps to enable headless guest support for Cart and Checkout APIs using JWT in your B2B Commerce store.
Web applications use Cross-Origin Resource Sharing (CORS) to request resources from origins other than their own. For example, a web page can use CORS to request information about a user from your My Domain login URL or Experience Cloud site URL. In addition to public and allowlisted web pages, Salesforce supports CORS for certain OAuth endpoints when requested from a My Domain login URL or Experience Cloud site URL.
See Enable CORS for OAuth Endpoints for more information.
The External Client App (Connected App) is the foundation of your headless guest support implementation.
Create an external client app in App Manager. Local external client apps are available only on the org where you create them. Packageable external client apps can be packaged for distribution to other orgs. See Create an External Client App for more information.
- From Setup, in the Quick Find box, enter App Manager, and then select App Manager.
- Click New External Client App.
- Enter a name for the external client app to display in the External Client App Manager.
- Enter the contact email for Salesforce to use to contact you or your support team.
  Note: This address isn’t given to Salesforce admins who install the app.
- Select Enable OAuth in the API (Enable OAuth Settings) area of the page.
  The OAuth Settings area expands and the OAuth settings fields are visible.
- Enter the callback URL (endpoint) that Salesforce calls back to your application during OAuth in the App Settings area of the page. It’s the same as the OAuth redirect URI.
  Depending on which OAuth flow you use, the URL is typically the one that a user’s browser is redirected to after successful authorization.
  Example:
  - Store URL: https://mgltd.my.site-com.5ps3ut55w1pn004g6z7ffte3819ke.aa.crm.dev:6101/agent
  - Callback URL: https://mgltd.my.site-com.5ps3ut55w1pn004g6z7ffte3819ke.aa.crm.dev:6101/agent
- Select Access unique user identifiers (openid) in the OAuth Scopes area of the page. The returned token can include the ID token.
  Note: The ID token is always included in access token responses.
- Select Enable Authorization Code and Credentials Flow in the Flow Enablement area of the page.
- Click Create.
OAuth policies are an important part of the external client app OAuth plugin. They are generated with default values when an external client app is saved or during deployment to a subscriber org, and admins then configure the OAuth policies file for their specific use case.
Policies apply only to the org where they are configured, whether that is the org where the external client app was created or an org where it was installed. After an admin updates policies, the values persist even if the developer updates the app Settings. See Configure OAuth Policies and Manage External Client Apps for more information.
- From Setup, in the Quick Find box, enter External Client Apps Manager, and then select External Client Apps Manager.
- From the actions list for the external client app, select Edit Policies.
Then edit the App or OAuth policies.
- Click OAuth Policies to expand the section.
- Select Admin approved users are pre-authorized from the Permitted Users dropdown in the OAuth Policies area of the page.
- To admin-approve users, select permission sets assigned to your app’s users. For more information, see Permission Sets.
- Click Save.
Your app can now use the Authorization Code and Credentials Flow for headless login, passwordless login, and registration.
Use these additional OAuth policies to enable your app for the guest user flow variation.
- From the external client app policies page, turn on Enable Code and Credentials Flow for Guest Users in the OAuth Flows and External Client App Enhancements area of the page.
- For Guest JSON Web Token (JWT) Timeout, select Use the Experience Cloud guest user session timeout to define how long the guest access token remains valid after it’s issued.
- Click Save.
In this OAuth 2.0 client credentials flow, the client app exchanges its client credentials defined in the external app—its consumer key and consumer secret—for an access token.
- From Setup, in the Quick Find box, enter External Client Apps Manager, and then select External Client Apps Manager.
- Click the external client app.
- Click Settings and expand the OAuth Settings section.
- From the App Settings section, click Consumer Key and Secret.
  In the Consumer Details page, copy the Consumer Key and Consumer Secret and save them for use in the headless API calls.
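The following is an added example (not Salesforce code) of the two-step headless guest login that the app configured above is meant to serve: a guest code request with the openid scope and registered callback URL, then the code exchange using the consumer key and secret. The endpoint paths, the Auth-Request-Type header, the code_credentials response type and the JSON shape of the responses are assumptions based on Salesforce's Authorization Code and Credentials flow; SITE_URL and CALLBACK_URL are constructed placeholders.

```python
# Added example, not Salesforce's own code. Endpoint paths, the Auth-Request-Type
# header and response_type=code_credentials are assumptions to verify against
# your org; SITE_URL and CALLBACK_URL below are constructed placeholders.
import base64
import json
import os
import urllib.parse
import urllib.request

SITE_URL = "https://EXAMPLE.my.site.com"            # placeholder Experience Cloud site URL
CALLBACK_URL = "https://EXAMPLE.my.site.com/agent"   # must match the registered callback URL exactly


def build_guest_code_request(site_url, client_id, callback_url):
    """Step 1: ask for an authorization code as a guest (no user credentials are sent)."""
    body = urllib.parse.urlencode({
        "response_type": "code_credentials",
        "client_id": client_id,
        "redirect_uri": callback_url,
        "scope": "openid",   # the scope selected in the app's OAuth Scopes area
    }).encode()
    req = urllib.request.Request(site_url + "/services/oauth2/authorize", data=body, method="POST")
    req.add_header("Auth-Request-Type", "guest-login")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def build_token_request(site_url, client_id, client_secret, callback_url, code):
    """Step 2: exchange the code for the guest JWT; the secret travels in the POST body, never a URL."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": callback_url,   # same value as in step 1, or the exchange is rejected
    }).encode()
    req = urllib.request.Request(site_url + "/services/oauth2/token", data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def jwt_claims(token):
    """Decode the JWT payload (unverified) to read claims such as exp, the guest timeout."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    key, secret = os.environ["SF_CONSUMER_KEY"], os.environ["SF_CONSUMER_SECRET"]  # never hard-code
    with urllib.request.urlopen(build_guest_code_request(SITE_URL, key, CALLBACK_URL)) as r:
        code = json.load(r)["code"]
    with urllib.request.urlopen(build_token_request(SITE_URL, key, secret, CALLBACK_URL, code)) as r:
        print("guest token exp claim:", jwt_claims(json.load(r)["access_token"]).get("exp"))
```

The exp claim read at the end reflects the Guest JSON Web Token (JWT) Timeout policy set above; verifying the token's signature is a separate step not shown here.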