Allow Guest Access

Add the ltng:allowGuestAccess interface to your Lightning Out dependency app to make it available to users without requiring them to authenticate with Salesforce. This interface lets you build your app with Lightning components, and deploy it anywhere and to anyone.

A Lightning Out dependency app with the ltng:allowGuestAccess interface can be used with Lightning Components for Visualforce and with Lightning Out.

• Using Lightning Components for Visualforce, you can add your Lightning app to a Visualforce page, and then use that page in Salesforce Tabs + Visualforce sites. Then you can allow public access to that page.
• Using Lightning Out, you can deploy your Lightning app anywhere Lightning Out is supported—which is almost anywhere!

The ltng:allowGuestAccess interface is only usable in orgs that have Digital Experiences enabled, and your Lightning Out app is associated with all Experience Cloud site endpoints that you’ve defined in your org. Experience Cloud sites include sites built using Experience Builder and Visualforce.

When you add the ltng:allowGuestAccess interface to a Lightning app, the app is open to guest users and is available through every Experience Builder site in your org, whether that site is enabled for public access or not. You can’t prevent it from being accessible via site URLs, and you can’t make it available for some sites but not others.

Be extremely careful about apps you open for guest access. Apps enabled for guest access bypass the object- and field-level security (FLS) you set for your Experience Cloud site’s guest user profile. Lightning components don’t automatically enforce CRUD and FLS when you reference objects or retrieve the objects from an Apex controller. This means that the framework continues to display records and fields for which users don’t have CRUD access and FLS visibility. You must manually enforce CRUD and FLS in your Apex controllers. A mistake in code used in an app enabled for guest access can open your org’s data to the world.

First, add the ltng:allowGuestAccess interface to your Lightning Out dependency app.

For example:

You can only add the ltng:allowGuestAccess interface to Lightning apps, not to individual components.

Next, add the Lightning Out JavaScript library to your page.

• With Lightning Components for Visualforce, simply add the <apex:includeLightning /> tag anywhere on your page.
• With Lightning Out, add a <script> tag that references the library directly, using a Experience Cloud site endpoint URL. For example:

A sample URL for the JavaScript library is https://universalcontainers.force.com/ourstores/lightning/lightning.out.js

Finally, add the JavaScript code to load and activate your Lightning app. This code is standard Lightning Out, with the important addition that you must use one of your org’s Experience Cloud site URLs for the endpoint. The endpoint URL takes the form https://yourExperienceDomain/experienceURL/. The relevant line is emphasized in the following sample.

For more information, see the Lightning Aura Components Developer Guide.