Share Lightning Out Apps with Unauthenticated Users

Add the ltng:allowGuestAccess interface to your standalone Aura dependency app to make it available to users without requiring them to authenticate with Salesforce. This interface lets you build your app with Lightning web components, and deploy it anywhere and to anyone.

If a user is authenticated with the Lightning Out endpoint, you must set the session in $Lightning.use(). Even though we’re talking about unauthenticated users, it’s important to understand the requirements if a user is authenticated.

You can add a standalone Aura dependency app with the ltng:allowGuestAccess interface to a Visualforce page, and you can use it with a Lightning Out app hosted outside Salesforce.

  • Using Lightning Web Components for Visualforce, you can add your dependency app to a Visualforce page, and then use that page in Salesforce Tabs + Visualforce sites. Then you can allow public access to that page.
  • Using Lightning Out, you can deploy your dependency app anywhere Lightning Out is supported—which is almost anywhere!

The ltng:allowGuestAccess interface is only usable in orgs that have Digital Experiences enabled, and your Lightning Out app is associated with all site endpoints that you’ve defined in your org.

When you make a dependency app accessible to guest users by adding the ltng:allowGuestAccess interface, it’s available through every Experience Cloud site in your org, whether that site is enabled for public access or not. You can’t prevent it from being accessible via site URLs, and you can’t make it available for some sites but not others.

Be extremely careful about apps you open for guest access. Apps enabled for guest access bypass the object- and field-level security (FLS) you set for your site’s guest user profile. Components don’t automatically enforce CRUD and FLS in an Apex method when you reference or retrieve objects. The framework continues to display records and fields for which users don’t have CRUD access and FLS visibility. A mistake in code used in an app enabled for guest access can open your org’s data to the world.

Add the ltng:allowGuestAccess interface to your standalone Aura dependency app.

You can only add the ltng:allowGuestAccess interface to dependency apps, not to individual components.

Next, add the Lightning Out JavaScript library to your page.

  • With Lightning Web Components for Visualforce, simply add the <apex:includeLightning /> tag anywhere on your page.

  • With Lightning Out, add a <script> tag that references the library directly, using a site endpoint URL.

    For example: https://universalcontainers.force.com/ourstores/lightning/lightning.out.js

Finally, add the JavaScript code to load and activate your dependency app. This code is standard Lightning Out, with the important addition that you must use one of your org’s site URLs for the endpoint. The endpoint URL takes the form https://YOURSITEDOMAIN/SITEURL, as shown by https://universalcontainers.force.com/ourstores/ in this example.

See Also