SLAS Client Config Builder — SFCC Headless Auth

Build a SLAS client config for B2C Commerce headless storefronts (PWA Kit, Storefront Next, custom). Validates scopes against the catalog and surfaces redirect-URI mistakes.

Channels

Redirect URIs

  • https://example.com/callback

OAuth scopes

SLAS config valid

Generated config (JSON)
{
  "tenantId": "zzte_001",
  "name": "PWA Kit Storefront",
  "description": "",
  "isPrivateClient": false,
  "redirectUris": [
    "https://example.com/callback"
  ],
  "scopes": [
    "sfcc.shopper-products",
    "sfcc.shopper-categories",
    "sfcc.shopper-search",
    "sfcc.shopper-baskets-orders"
  ],
  "channels": [
    "RefArch"
  ]
}

About SLAS Client Config Builder

Build a SLAS client configuration for B2C Commerce headless storefronts. The builder validates scopes against the published catalog, checks redirect URIs, and warns about common mistakes like localhost redirects on private clients. The generated JSON maps directly to the Account Manager API client creation form.
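
The checks described above, sketched as an added example that is not the builder's own code. The function name `validateSlasConfig`, the rule set, and the `BAD_CONFIG` sample are assumptions, and `KNOWN_SCOPES` contains only the six scopes named on this page rather than the full published catalog.

```javascript
// Added example: rule set and names are assumptions, not the builder's code.
// KNOWN_SCOPES holds only the six scopes named on this page, not the full catalog.
const KNOWN_SCOPES = new Set([
  "sfcc.shopper-products", "sfcc.shopper-categories", "sfcc.shopper-search",
  "sfcc.shopper-baskets-orders", "sfcc.shopper-customers.login",
  "sfcc.shopper-myaccount",
]);
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function validateSlasConfig(cfg) {
  const errors = [], warnings = [];
  const scopes = cfg.scopes || [], uris = cfg.redirectUris || [];
  if (!Array.isArray(cfg.channels) || cfg.channels.length === 0)
    errors.push("channels: list at least one site ID");
  for (const s of scopes)
    if (!KNOWN_SCOPES.has(s)) errors.push(`scope not in catalog: ${s}`);
  if (new Set(scopes).size !== scopes.length)
    warnings.push("scopes: duplicate entries");
  if (uris.length === 0) errors.push("redirectUris: at least one is required");
  for (const raw of uris) {
    let u;
    try { u = new URL(raw); }
    catch { errors.push(`redirect URI is not absolute: ${raw}`); continue; }
    const loopback = LOOPBACK_HOSTS.has(u.hostname);
    // RFC 6749 section 3.1.2: a redirect URI must not carry a fragment.
    if (u.hash) errors.push(`redirect URI contains a fragment: ${raw}`);
    if (u.protocol === "http:" && !loopback)
      errors.push(`plain http is only accepted for loopback hosts: ${raw}`);
    // The mistake the page calls out: localhost redirect on a private client.
    if (loopback && cfg.isPrivateClient)
      warnings.push(`localhost redirect on a private client: ${raw}`);
  }
  return { valid: errors.length === 0, errors, warnings };
}

// The config shown on this page, then a constructed config with several mistakes.
const PAGE_CONFIG = {
  tenantId: "zzte_001", name: "PWA Kit Storefront", isPrivateClient: false,
  redirectUris: ["https://example.com/callback"], channels: ["RefArch"],
  scopes: ["sfcc.shopper-products", "sfcc.shopper-categories",
           "sfcc.shopper-search", "sfcc.shopper-baskets-orders"],
};
const BAD_CONFIG = {
  tenantId: "zzte_001", name: "constructed example", isPrivateClient: true,
  redirectUris: ["http://localhost:3000/callback", "http://shop.example.com/cb",
                 "https://example.com/callback#done", "/callback"],
  scopes: ["sfcc.shopper-products", "sfcc.shopper-everything"], channels: [],
};
console.log(validateSlasConfig(PAGE_CONFIG), validateSlasConfig(BAD_CONFIG));
```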

Pipeline

  • SCAPI Request Builder — build SCAPI calls using the client ID and scopes from this config.
  • JWK Inspector — inspect the JWKS endpoint exposed by SLAS for token signature verification.
  • JWT Tool — decode and inspect SLAS access tokens.

Frequently asked

What is SLAS?
Shopper Login and API Access Service (SLAS) is the B2C Commerce OAuth 2.0 service that issues access tokens for headless storefronts. PWA Kit, Storefront Next, and custom headless frontends use SLAS to authenticate shoppers and obtain tokens for SCAPI calls.

What is the difference between a public and private client?
A public client (isPrivateClient: false) is used in browser-based or native apps where a client secret cannot be kept confidential. It uses PKCE for the authorization code flow. A private (confidential) client has a secret and is used in server-side applications where the secret can be stored securely.

What are channels?
Channels map to storefront site IDs (e.g. RefArch, SiteGenesis). A SLAS client can only issue tokens for the sites listed in its channels array. If a shopper tries to authenticate against a site not in the list, the request is rejected.

What scopes should I request?
Request only the scopes your storefront actually uses. For a typical headless storefront: sfcc.shopper-products, sfcc.shopper-categories, sfcc.shopper-search, sfcc.shopper-baskets-orders, sfcc.shopper-customers.login, and sfcc.shopper-myaccount for authenticated customers. Requesting unnecessary scopes increases the attack surface if a token is compromised.

How do I create the client in Account Manager?
Go to Account Manager > API Client > Add API Client. Paste the generated JSON values into the corresponding fields. The client ID is assigned by Account Manager after creation — you cannot choose it. Store the client secret securely; it is shown only once.