Headless Identity for Customers and Partners
Headless identity helps you separate back-end authentication processes from front-end identity experiences. With Salesforce headless identity, use the power of Salesforce Customer Identity for authentication while maintaining control of the user experience in an off-platform app. Salesforce offers headless username-password login, passwordless login, registration, forgot password, and guest user flows. You can also link a single sign-on (SSO) provider to your headless app to create a native SSO experience.
Required Editions
| Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience |
| Available in: , Enterprise, Unlimited, and Developer Editions |
For example, you work for a travel company that stores travel booking information in Salesforce. You build a custom mobile app, and you want your customers to be able to see their past travel bookings in the app. To see their booking history, customers must be logged in, and you want to make sure new customers can register.
So you start with registration and set up the Headless Registration Flow. When a new customer visits your mobile app, they click a registration button and enter their information in a registration form hosted in your app. You have full control over the look and feel of the registration form, so you can customize and brand it for your company’s needs. The customer enters their information, and your app sends it to Salesforce, which does the heavy lifting of creating the customer and logging them in. At the end of the process, the user is registered without ever leaving your app, and their contact information is saved to an account in Salesforce.
Similarly, you set up a headless login process so that existing customers can access their booking history. When a customer visits your mobile app, they enter their username and password in your branded login form. Your mobile app passes these login credentials to a Salesforce headless identity endpoint, which authenticates the user. After the customer is logged in, they click a button to review their past bookings. Your mobile app then makes an authenticated call to a Salesforce API to retrieve the customer’s booking history.
What if the same customer returned to your app but couldn’t remember their password? To reset their password with Salesforce, the customer must complete a verification process by using a one-time password delivered in an email. To maintain the seamless in-app experience during a password reset, you implement the Headless Forgot Password Flow. Just like the login process, your mobile app passes the customer’s username to the Salesforce Headless Forgot Password API along with a request to change their password. Salesforce sends an email to the address on file with the one-time password. Using this one-time password, the customer completes the process by filling in a form with their username, the one-time password, and their new password. Your app provides this information to Salesforce through a final API call, and the process is complete. The customer can now log in to your app with their new credentials.
You can even set up a native single sign-on experience for your app using standard redirect-based OAuth flows. Though this implementation isn’t technically headless because the browser is redirected, you can use it to create an experience that feels like your app is natively integrated with the SSO provider. For more information, see Create a Native Single Sign-On Experience in Your App.
What’s the relationship between Headless Identity and Experience Cloud?
All headless identity implementations require you to set up an Experience Cloud site, but sometimes users don’t interact directly with the site. Headless identity use cases fall into two categories.
- Apps that complement a customer-facing Experience Cloud site. Users fully interact with and log in to the Experience Cloud site and the app. For example, you build a mobile app in addition to your Experience Cloud site, because you want to target mobile-first users. You want to fully design the user experience to suit your company’s branding. You can control the user experience in your app while Salesforce provides identity services. And because you already have an Experience Cloud site, you can simplify your setup process.
- Standalone apps. Users interact with and log in to your app, but not an Experience Cloud site. For example, your company builds customer-facing apps to align with your digital marketing strategy. You want to use Salesforce to manage customer outreach. Because you want to store customer information in Salesforce, enabling your users to log in and register for your apps is important. But you still want full control over the user experience in your apps. With headless identity you can have it all—you can provide identity services to your apps, manage customers in Salesforce, and keep up with your company’s digital marketing strategy.
For use cases in this category, you still create and set up an Experience Cloud site because headless identity endpoints are exposed and configured through Experience Cloud. The Experience Cloud site also functions as a way to store your customer accounts and contact records and manage access to your app.
Implement Headless Identity
Because you manage Salesforce Customer Identity through Experience Cloud sites, you can configure headless identity only for customers and partners using an Experience Cloud site subdomain, such as https://MyExperienceCloudSite.my.site.com. You can’t set up headless identity for employees accessing the Salesforce platform with login.salesforce.com or an org-specific My Domain login URL, or for employees who access Experience Cloud sites.
Salesforce offers two primary ways to implement headless identity.
- Use Salesforce's proprietary flows, which call Salesforce Headless Identity APIs.
- Use flows that implement the OAuth 2.0 for First-Party Applications draft standard, which call the authorization challenge endpoint.
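The two-endpoint shape of a flow built on the OAuth 2.0 for First-Party Applications draft, as an added model written for this page and not Salesforce's endpoint, parameters, or code: an in-memory stand-in for the authorization challenge endpoint, which accepts a password and then demands a one-time passcode before issuing a single-use authorization code, and for the token endpoint that redeems that code. The `USERS` store, the passcode as second factor, the `login` client helper, and the status codes are assumptions based on the draft's general structure.

```python
import hmac
import secrets

# Constructed user store: a password plus a one-time passcode delivered out of band.
USERS = {"alice@example.com": {"password": "correct-horse", "otp": "482913"}}
auth_sessions = {}  # auth_session -> state kept between challenge requests
issued_codes = {}   # authorization_code -> (username, client_id); single use

def authorization_challenge(req):
    """Model of the authorization challenge endpoint. Returns (status, body): 200 with
    an authorization_code, or 401 with an error plus an auth_session when the client
    may continue by sending the next credential."""
    session = auth_sessions.get(req.get("auth_session", ""))
    if session is None:
        user = USERS.get(req.get("username"))
        pw_ok = user and hmac.compare_digest(req.get("password", ""), user["password"])
        if not pw_ok:
            return 401, {"error": "invalid_request", "error_description": "bad credentials"}
        sid = secrets.token_urlsafe(16)
        auth_sessions[sid] = {"username": req["username"], "client_id": req["client_id"]}
        # The password alone is insufficient; ask the client for the OTP next.
        return 401, {"error": "insufficient_authorization", "auth_session": sid}
    auth_sessions.pop(req["auth_session"])  # a session gets exactly one OTP attempt
    otp_ok = hmac.compare_digest(req.get("otp", ""), USERS[session["username"]]["otp"])
    if session["client_id"] != req.get("client_id") or not otp_ok:
        return 401, {"error": "invalid_request", "error_description": "bad otp"}
    code = secrets.token_urlsafe(24)
    issued_codes[code] = (session["username"], session["client_id"])
    return 200, {"authorization_code": code}

def token(req):
    """Model of the token endpoint: a single-use code, bound to its client, for a token."""
    entry = issued_codes.pop(req.get("code", ""), None)
    if req.get("grant_type") != "authorization_code" or entry is None or entry[1] != req.get("client_id"):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": entry[0]}

def login(client_id, username, password, otp):
    """Client side: password step, OTP step when challenged, then the code exchange."""
    status, body = authorization_challenge(
        {"client_id": client_id, "username": username, "password": password})
    if body.get("error") == "insufficient_authorization":
        status, body = authorization_challenge(
            {"client_id": client_id, "auth_session": body["auth_session"], "otp": otp})
    if status != 200:
        return None
    status, body = token({"grant_type": "authorization_code",
                          "code": body["authorization_code"], "client_id": client_id})
    return body if status == 200 else None
```

The server side never redirects a browser; every step is a direct API call from the app, which is what makes the flow headless, and the code it issues is redeemable once and only by the client that obtained it.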
To set up an end-to-end example Headless Identity API implementation with a public client, see the Headless Identity Implementation Guide.
For implementation steps for public and private clients, check out these resources.
- Headless Identity Implementation Checklists
  As you set up Headless Identity features, use these checklists to guide you.
- Complete Prerequisites for Headless Identity
  Before you get started with a Headless Identity implementation for your off-platform apps, cross off these prerequisites in Salesforce.
- Headless Identity APIs: Configure an External Client App for the Authorization Code and Credentials Flow
  To integrate with Salesforce Headless Identity APIs, configure an external client app for the Authorization Code and Credentials Flow. Use the External Client App Manager in Setup. Or configure your external client app via Metadata API. External client apps support all variations of the Authorization Code and Credentials Flow, including headless login, passwordless login, registration, and guest user variations.
- Configure a Connected App for the Authorization Code and Credentials Flow
  The Authorization Code and Credentials Flow is the foundation of headless login, registration, passwordless login, and guest user identity. Before setting up these features, enable the Authorization Code and Credentials Flow at an org-wide level and configure required settings and access policies for your connected app.
- OAuth 2.0 for First-Party Applications: Configure an External Client App for Headless Identity Flows
  To develop headless identity flows that use the OAuth 2.0 for First-Party Applications draft standard, configure an external client app. For these flows, you must configure your external client app via Metadata API. Use these steps to configure an app for headless username-password login, passwordless login, and registration.
- Configure Experience Cloud Settings for Headless Identity
  For headless registration, headless forgot password, and headless passwordless login, enable the flows from your Experience Cloud site and configure security and access settings.
- Configure Headless Identity API Flows
  After you complete your setup in Salesforce, build headless identity flows that integrate your off-platform app with Headless Identity APIs.
- Configure Headless Identity Flows with OAuth 2.0 for First-Party Applications
  After you complete your setup in Salesforce, build headless identity flows that integrate your off-platform app using the OAuth 2.0 for First-Party Applications draft protocol.
- Headless Login Without a Username
  Use headless user discovery to develop a flow where users log in with any identifier, such as an email address, phone number, or order number, instead of a username. Headless user discovery is supported for login, passwordless login, and forgot password flows.