Configure Experience Cloud Settings for the Headless Forgot Password Flow
Before you set up the Headless Forgot Password Flow, configure settings to control security and access for your off-platform app.
Required Editions

| Required Editions |
|---|
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: Enterprise, Unlimited, and Developer Editions |

| Task | User Permissions Needed |
|---|---|
| To read, create, update, or delete external client apps: | Customize Application AND either Modify All Data OR Manage External Client Apps |
| To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND either Modify All Data OR Manage External Client Apps |
| To update Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND Modify All Data AND Manage Profiles and Permission Sets |
| To rotate the consumer key and consumer secret: | Allow consumer key and secret rotation |
| To install and uninstall external client apps: | Customize Application AND either Modify All Data OR Manage External Client Apps |
| To install and uninstall packaged external client apps: | Download AppExchange Packages AND Customize Application AND either Modify All Data OR Manage External Client Apps |
For security, you must configure Salesforce to require at least one of authentication or reCAPTCHA when your app submits user information to the Headless Forgot Password API. Without one of these requirements, anyone who can reach the endpoint can trigger password reset emails for arbitrary usernames.

If you're implementing the flow with a private client, also known as a web app with a backing server, we recommend that you always require authentication. With this requirement, when your app submits user information to the Headless Forgot Password API endpoint, you must include an access token issued to an integration user. To get the access token, use an internal integration user to complete an OAuth flow integrated with Salesforce, like the OAuth 2.0 user-agent flow. Make sure that you include the forgot_password scope when you complete this flow, either by configuring it on your external client app or passing it as a parameter. Save the access token from your response, and keep it on your server: it's a credential for the integration user and must never be sent to the browser.

If you're using the flow with a public client, also known as a single-page app, you must require reCAPTCHA, because a public client has no secure place to hold an integration user's access token. With this requirement, you must include a reCAPTCHA token in POST requests when your app submits user information to the Headless Forgot Password API. To get a reCAPTCHA token, implement reCAPTCHA on your third-party app. For more information, see the reCAPTCHA documentation provided by Google.
To expand your email template options for the one-time password (OTP) email sent to end users during the flow, opt in to email template allowlisting and create an allowlist with custom templates. See Use Multiple Email Templates for Headless Flows.
Before you start, create your external client app and complete its basic information. When you enable the necessary OAuth settings, add the Access Headless Forgot Password API (forgot_password) scope to the external client app.
After the external client app is set with the proper scope, take these steps to configure the Experience Cloud site for the Headless Forgot Password Flow.
- From Setup, in the Quick Find box, enter Sites, and then select All Sites.
- To access Experience Workspaces, next to your site name, click Workspaces.
- Select Administration, and then select Login & Registration.
- In the Headless Identity Configuration section, select Allow password reset via the Headless Forgot Password Flow.
- To require an access token in your initial POST request, select Require authentication to access this API. We recommend that you always enable this setting for private clients, and that you never enable it for public clients, which have no integration-user token to send.
- To require a reCAPTCHA token in your initial POST request, select Require reCAPTCHA to access this API. We recommend that you always enable this setting for public clients. For private clients, you can optionally enable this setting as well, but it's less critical than requiring authentication.
- From the dropdown, select the maximum number of password reset attempts you allow before users must request a new OTP.
- If you require reCAPTCHA, configure reCAPTCHA settings.
  - For Secret Key, enter the secret key provided by Google in your reCAPTCHA API key pair. The secret key is server-side material: only the site key belongs in your app's client code.
  - For Score Threshold, enter a threshold value between 0.5 and 1. If you're using reCAPTCHA v3, this value is the minimum score Salesforce accepts; requests whose token scores below it are rejected. Scores closer to 0.5 are more likely to be bots, while scores closer to 1 are more likely to be valid users. For more information, see the reCAPTCHA v3 documentation.
  Note: If you require reCAPTCHA for the Headless Registration Flow, these settings also apply.
- To opt in to email template allowlisting, select Use only allowlisted email templates.
- Save your settings.
- Depending on your email settings, configure an email template. If you selected Use only allowlisted email templates, this step is optional: Salesforce defaults to this email template if you don't include an emailtemplate parameter in your request.
  - From the Administration workspace, select Emails.
  - For One-Time Password for Headless Forgot Password Flow, click the edit icon.
  - In the popup window that appears, select an email template.
  - Save your changes.
  - To customize the email, edit its default content.
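The following Python is an added example, not code from this page or from Salesforce. It models the three security decisions the settings above make so you can reason about them before wiring up a real client: which credential a private versus public client must attach to its initial POST, how a reCAPTCHA v3 Score Threshold (0.5 to 1) accepts or rejects a verification result, and how the maximum-attempts setting forces a new OTP. The siteverify responses are constructed sample data in the JSON shape Google documents; the `Recaptcha-Token` header name is a hypothetical placeholder (use whatever name the API reference specifies); and the action and hostname checks follow Google's v3 guidance rather than anything this page says Salesforce does.

```python
import hmac
import json

# Constructed sample siteverify responses (not live Google results). The shape
# follows Google's documented JSON for https://www.google.com/recaptcha/api/siteverify.
SITEVERIFY_HUMAN = json.dumps({"success": True, "score": 0.9,
                               "action": "forgot_password",
                               "hostname": "login.example.com"})
SITEVERIFY_BOT = json.dumps({"success": True, "score": 0.2,
                             "action": "forgot_password",
                             "hostname": "login.example.com"})
SITEVERIFY_REPLAYED = json.dumps({"success": False,
                                  "error-codes": ["timeout-or-duplicate"]})


def recaptcha_accepts(siteverify_json, threshold, expected_action, expected_hostname):
    """Apply a reCAPTCHA v3 Score Threshold to a siteverify result.

    The threshold (0.5 to 1) is the minimum accepted score. The action and
    hostname checks are an addition following Google's v3 guidance; the page
    does not document Salesforce performing them.
    """
    if not 0.5 <= threshold <= 1.0:
        raise ValueError("Score Threshold must be between 0.5 and 1")
    result = json.loads(siteverify_json)
    if not result.get("success"):
        return False  # invalid, expired or already-used token
    if result.get("action") != expected_action:
        return False  # token minted for a different page action
    if result.get("hostname") != expected_hostname:
        return False  # token minted on a different site
    return float(result.get("score", 0.0)) >= threshold


def initial_request_headers(client_kind, access_token=None, recaptcha_token=None):
    """Headers a client attaches to its first POST, enforcing the page's rule:
    private clients send an integration-user access token (forgot_password
    scope), public clients send a reCAPTCHA token. 'Recaptcha-Token' is a
    hypothetical header name used only for illustration.
    """
    if client_kind == "private":
        if not access_token:
            raise ValueError("private client needs a token with the forgot_password scope")
        headers = {"Authorization": "Bearer " + access_token}
        if recaptcha_token:  # optional extra check for private clients
            headers["Recaptcha-Token"] = recaptcha_token
        return headers
    if client_kind == "public":
        if not recaptcha_token:
            raise ValueError("public client needs a reCAPTCHA token")
        return {"Recaptcha-Token": recaptcha_token}
    raise ValueError("client_kind must be 'private' or 'public'")


class OtpAttemptLimiter:
    """Tracks OTP submissions for one reset request, capped by the
    'maximum number of password reset attempts' setting."""

    def __init__(self, expected_otp, max_attempts):
        self._expected = expected_otp.encode()
        self._max = max_attempts
        self._failures = 0
        self._exhausted = False

    def submit(self, otp):
        """Return 'ok', 'retry', or 'new_otp_required'."""
        if self._exhausted:
            return "new_otp_required"
        if hmac.compare_digest(self._expected, otp.encode()):
            self._exhausted = True  # an OTP is single-use
            return "ok"
        self._failures += 1
        if self._failures >= self._max:
            self._exhausted = True  # user must request a fresh OTP
            return "new_otp_required"
        return "retry"
```

The comparison uses `hmac.compare_digest` so a wrong OTP is rejected in constant time, and the limiter marks the OTP consumed on success so a correct code cannot be replayed; raising the attempt cap in the dropdown above widens the window a guesser has before a new OTP is forced.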

