b2c-slas

Create, update, and manage SLAS (Shopper Login and API Access Service) clients using the b2c CLI. Use this skill whenever the user needs to provision a SLAS client, update OAuth scopes, rotate client secrets, get a shopper access token, or configure shopper authentication for headless, PWA, or Storefront Next (SFNext) storefronts — even if they just say "I need a shopper token" or "set up auth for my storefront".

View SKILL.md on GitHub → Source repository Provider profile

Provider: Salesforce Commerce Cloud Path in repo: skills/b2c-cli/skills/b2c-slas/SKILL.md

Skill body

B2C SLAS Skill

Use the b2c CLI plugin to manage SLAS (Shopper Login and API Access Service) API clients and credentials.

Important: SLAS is for shopper (customer) authentication used by storefronts and headless commerce. For admin tokens (OCAPI, Admin APIs), use b2c auth token - see b2c-config skill.

Tip: If b2c is not installed globally, use npx @salesforce/b2c-cli instead (e.g., npx @salesforce/b2c-cli slas client list).

Configuration

Values like tenantId, shortCode, slasClientId, and slasClientSecret resolve from dw.json / SFCC_* env vars / the active instance. Examples below show minimal usage; add flags only to override configured values. If a required value is missing, the CLI emits an actionable error pointing at the flag, env var, and config key. See the b2c-config skill for precedence details.

Relevant overrides:

--tenant-id / SFCC_TENANT_ID / tenantId
--short-code / SFCC_SHORTCODE / shortCode
--slas-client-id / SFCC_SLAS_CLIENT_ID / slasClientId
--slas-client-secret / SFCC_SLAS_CLIENT_SECRET / slasClientSecret

When to Use

Common scenarios requiring SLAS client management:

Testing Custom APIs: Create a client with custom scopes (e.g., c_loyalty) to test your Custom API endpoints
PWA/Headless Development: Configure clients for composable storefronts
Integration Testing: Create dedicated test clients with specific scope sets

Examples

List SLAS Clients

# list all SLAS clients for the configured tenant
b2c slas client list

# JSON output
b2c slas client list --json

# target a different tenant than the active config
b2c slas client list --tenant-id abcd_123

Get SLAS Client Details

# get details for a specific SLAS client
b2c slas client get my-client-id

Create SLAS Client

# create a new SLAS client with default scopes (auto-generates UUID client ID)
b2c slas client create --channels RefArch --default-scopes --redirect-uri http://localhost:3000/callback

# create with a specific client ID and custom scopes
b2c slas client create my-client-id --channels RefArch --scopes sfcc.shopper-products,sfcc.shopper-search --redirect-uri http://localhost:3000/callback

# create a public client
b2c slas client create --channels RefArch --default-scopes --redirect-uri http://localhost:3000/callback --public

# create client without auto-creating tenant (if you manage tenants separately)
b2c slas client create --channels RefArch --default-scopes --redirect-uri http://localhost:3000/callback --no-create-tenant

# output as JSON (useful for capturing the generated secret)
b2c slas client create --channels RefArch --default-scopes --redirect-uri http://localhost:3000/callback --json

Note: By default, the tenant is automatically created if it doesn’t exist.

Warning: Use --scopes (plural) for client scopes, NOT --auth-scope (singular). The --auth-scope flag is a global authentication option for OAuth scopes.

Create Client for Custom API Testing

When testing a Custom API that requires custom scopes:

# Create a private client with custom scope for testing
# Replace c_my_scope with your API's custom scope from schema.yaml
b2c slas client create \
  --channels RefArch \
  --default-scopes \
  --scopes "c_my_scope" \
  --redirect-uri http://localhost:3000/callback \
  --json

# Output includes client_id and client_secret - save these for token requests

Important: The custom scope in your SLAS client must match the scope defined in your Custom API’s schema.yaml security section.

Get a Shopper Token

Use b2c slas token to obtain a shopper access token for API testing. The --site-id is specific to the request and must be provided per call.

# Guest token with auto-discovery (finds first public SLAS client)
b2c slas token --site-id RefArch

# Registered customer token
b2c slas token --site-id RefArch --shopper-login [email protected] --shopper-password secret

# JSON output (includes refresh token, expiry, usid, etc.)
b2c slas token --site-id RefArch --json

# Use token in a subsequent API call
TOKEN=$(b2c slas token --site-id RefArch)
curl -H "Authorization: Bearer $TOKEN" "https://$SHORTCODE.api.commercecloud.salesforce.com/..."

# Override the SLAS client explicitly (e.g., targeting a private client for client_credentials flow)
b2c slas token --site-id RefArch --slas-client-id my-client --slas-client-secret sk_xxx

Update SLAS Client

# update the display name
b2c slas client update my-client-id --name "New Name"

# rotate the client secret
b2c slas client update my-client-id --secret new-secret-value

# add scopes (appends to existing by default)
b2c slas client update my-client-id --scopes sfcc.shopper-baskets

# replace scopes instead of appending
b2c slas client update my-client-id --scopes sfcc.shopper-baskets --replace

# replace channels
b2c slas client update my-client-id --channels RefArch,SiteGenesis --replace

Delete SLAS Client

# delete a SLAS client
b2c slas client delete my-client-id

More Commands

See b2c slas --help for a full list of available commands and options in the slas topic.

b2c:b2c-custom-api-development - Creating Custom APIs that require SLAS authentication
b2c-cli:b2c-scapi-custom - Checking Custom API registration status