Configure Headless Identity API Flows
After you complete your setup in Salesforce, build headless identity flows that integrate your off-platform app with Headless Identity APIs.
| Required Editions |
| --- |
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: Enterprise, Unlimited, and Developer Editions |
- Headless Identity APIs: Authorization Code and Credentials Flow for Public Clients
  For public clients such as single-page apps or mobile apps, you can set up headless login for customers and partners by using the Authorization Code and Credentials Flow. This flow is built on the OAuth 2.0 Authorization Code grant type. With the Authorization Code and Credentials Flow, you control the front-end login experience in a third-party app. You call Salesforce Headless Login APIs via your Experience Cloud site to handle the back-end work of authenticating users and granting access to protected Salesforce resources. With separate front-end and back-end processes, your users can log in and access Salesforce data without leaving your app. For single-page apps, you use a server-side callback endpoint to extract the authorization code, and you perform the code exchange from the browser via client-side JavaScript.
- Headless Identity APIs: Authorization Code and Credentials Flow for Private Clients
  For private clients, such as client-server apps, you can set up headless login for customers and partners by using the Authorization Code and Credentials Flow, which is built on the OAuth 2.0 Authorization Code grant type.
- Headless Identity APIs: Headless Registration Flow for Public Clients
  For apps that can't keep confidential information, such as single-page apps, you can set up headless registration for customers and partners using the Headless Registration Flow. The Headless Registration Flow extends the Authorization Code and Credentials Flow, which is built on the OAuth 2.0 Authorization Code grant type. With this flow, you control the front-end user registration experience in a third-party app. You call Salesforce Headless Registration API via your Experience Cloud site to create users, log them in, and give them access to Salesforce resources. By separating these two processes, your users can register for your app and access Salesforce data without leaving the app.
- Headless Identity APIs: Headless Registration Flow for Private Clients
  For apps that can keep confidential information, such as web apps with a client-server architecture, you can set up headless registration for customers and partners using the Headless Registration Flow. The Headless Registration Flow extends the Authorization Code and Credentials Flow, which is built on the OAuth 2.0 Authorization Code grant type. With this flow, you control the front-end user registration experience in a third-party app. You call Salesforce Headless Registration API via your Experience Cloud site to create users, log them in, and give them access to Salesforce resources. By separating these two processes, your users can register for your app and access Salesforce data without leaving the app.
- Headless Identity APIs: Headless Passwordless Login Flow for Public Clients
  Make it easy for customers and partner users to log in to an off-platform app with the Headless Passwordless Login Flow. With this flow, users log in by entering their email address or phone number and verifying their identity with a one-time password (OTP). You control the front-end experience in your app. On the back end, your app calls Headless Passwordless Login API via an Experience Cloud site to log the user in. These steps show how the flow works with a public client, like a single-page app, that can't keep information private.
- Headless Identity APIs: Headless Passwordless Login Flow for Private Clients
  To simplify the login process for your off-platform app, configure the Headless Passwordless Login Flow. Users log in to your app by entering their email address or phone number and verifying their identity with a one-time password (OTP). On the front end, you control the user experience in your app. On the back end, your app calls Headless Passwordless Login API via an Experience Cloud site to log the user in. These steps show how the flow works with a private client, like a traditional client-server app, that can keep information confidential.
- Headless Identity APIs: Headless Forgot Password Flow for Customers and Partners
  Set up a headless password reset process in your app using the Headless Forgot Password Flow, which calls Headless Forgot Password API. Use this flow along with the other headless flows to provide native identity experiences. With this flow, a user who has forgotten their password can verify their identity and create a new password without leaving the branded experience of your app.
- Headless Identity APIs: Headless Guest Flow for Public Clients
  Some users interact with your off-platform app but don't log in or register. You can issue unique visitor IDs (UVIDs) to these unknown visitors with the Headless Guest Flow. If the user later decides to log in or register, you can pass the UVID into a named user flow, like a headless login flow. Use guest user identity as a tool for carrying context from guest user sessions to named user sessions. This flow is a variation of the Authorization Code and Credentials Flow.
- Headless Identity APIs: Headless Guest Flow for Private Clients
  For users who interact with your off-platform app but aren't necessarily logged in, you can use the Headless Guest Flow to identify users with a unique visitor ID (UVID). When the user logs in or registers, you can carry the UVID forward and maintain any contextual information associated with it, like the user's preferences. This flow is a variation of the Authorization Code and Credentials Flow.
- Headless Identity APIs: Extending the Headless Guest Flow into a Named User Flow
  When you complete a headless guest flow in your off-platform app, you get a guest JWT-based access token with the user's unique visitor ID (UVID) minted into it. To bring the UVID and all of its associated context into a named user session, you pass the UVID into a new authorization flow, like a headless login or registration flow.
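The login exchange that the two Authorization Code and Credentials Flow entries above describe, as an added example that is not Salesforce's code: the client generates a PKCE verifier and challenge (a public client has no secret, so the challenge is what binds the code to the client instance), posts the credentials the user typed into the app's own UI to the Experience Cloud site's authorize endpoint, extracts the authorization code from the redirect to its callback URL, and exchanges the code for tokens. The endpoint paths, the `Auth-Request-Type: Named-User` header, `response_type=code_credentials` and the Basic-auth credential encoding are assumptions taken from the Salesforce Headless Login documentation, not from this page, so verify them against your org's API reference; the site URL, client ID, callback URL and the redirect `Location` are constructed placeholders. The `state` check on the callback and the public-versus-private difference in the token request (verifier only, or verifier plus `client_secret`) are general OAuth 2.0 practice.

```python
"""Added example (not Salesforce's code): Authorization Code and Credentials Flow
with PKCE from the client's side. Network calls are represented as request dicts
and the Salesforce redirect is constructed inline so the example runs offline."""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method.
    A fresh verifier is 32 random bytes -> 43 base64url chars (43..128 allowed)."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_request(site_url, client_id, redirect_uri, username, password,
                            code_challenge, state):
    """Step 1: the app posts the user's credentials to the Experience Cloud site's
    authorize endpoint. Header name, response_type and Basic-auth encoding follow
    the Salesforce headless login convention (assumed; check your org's reference)."""
    basic = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {
        "method": "POST",
        "url": f"{site_url}/services/oauth2/authorize",
        "headers": {
            "Auth-Request-Type": "Named-User",
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({
            "response_type": "code_credentials",
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
            "state": state,
        }),
    }


def extract_code_from_callback(location: str, redirect_uri: str, expected_state: str) -> str:
    """Step 2: Salesforce answers with a redirect to redirect_uri carrying ?code=.
    The callback checks the target and the state before trusting the code, so a
    code delivered to another origin or for another session is discarded."""
    parsed = urlparse(location)
    target = parsed._replace(query="", fragment="").geturl()
    if target != redirect_uri:
        raise ValueError(f"redirect to unexpected target: {target}")
    q = parse_qs(parsed.query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization code")
    return q["code"][0]


def build_token_request(site_url, client_id, redirect_uri, code, code_verifier,
                        client_secret: Optional[str] = None):
    """Step 3: exchange the code for tokens. A public client proves possession of
    the code with code_verifier only; a private client also sends client_secret."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:
        form["client_secret"] = client_secret
    return {"method": "POST", "url": f"{site_url}/services/oauth2/token",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(form)}


def demo() -> dict:
    """Wire the steps together against a constructed redirect (no network)."""
    site = "https://example.my.site.com"          # placeholder site URL
    client_id, cb = "3MVG9_example", "https://app.example.com/callback"  # placeholders
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    build_authorize_request(site, client_id, cb, "user@example.com", "s3cret", challenge, state)
    # Constructed stand-in for the Location header Salesforce would return.
    location = f"{cb}?code=aPrxCODEexample&state={state}"
    code = extract_code_from_callback(location, cb, state)
    return build_token_request(site, client_id, cb, code, verifier)
```

The verifier never leaves the client until the token request, and the callback rejects any redirect whose target or `state` does not match what this client instance issued, which is what makes the code useless to anyone who intercepts it. For a private client, pass `client_secret` to `build_token_request` from server-side code only.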