          Configure Experience Cloud Settings for Headless Passwordless Login


          Before you build the Headless Passwordless Login Flow, configure these settings for security and access.

          Required Editions

          Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
          Available in: Enterprise, Unlimited, and Developer Editions

          Before configuring these settings, complete these steps.

          For security, you must configure Salesforce to require either authentication or reCAPTCHA for your app’s initial request to Headless Passwordless Login API. Your security best practices depend on whether your app is a private client or a public client.

          If you’re implementing the flow with a private client, like a traditional client-server app with its own private backend, we recommend that you always require authentication. With this requirement, when your app submits information to the headless passwordless login endpoint, you must include an access token. To get the access token, use an internal integration user to complete an OAuth flow integrated with Salesforce, like the OAuth 2.0 web server flow. Include the pwdless_login_api scope when you complete this flow, either by configuring it in your connected app or passing it as a parameter.

          For a public client that can’t securely store information, like a single-page app, we recommend that you always require reCAPTCHA. With this requirement, you must include a reCAPTCHA token in POST requests when your app submits user information to Headless Passwordless Login API. To get a reCAPTCHA token, implement reCAPTCHA on your third-party app. For more information, see the reCAPTCHA documentation provided by Google. Salesforce supports these reCAPTCHA versions: v2, v3, and Enterprise.

          For a public client, we never recommend requiring authentication because the app can’t keep the access token secure.

          To expand your email template options for the one-time password (OTP) email sent to end users during the flow, opt in to email template allowlisting and create an allowlist with custom templates. See Use Multiple Email Templates for Headless Flows.

          1. From Setup, in the Quick Find box, enter Sites, and then select All Sites.
          2. To access Experience Workspaces, next to your site name, click Workspaces.
          3. Select Administration, and then select Login & Registration.
          4. From the Administration workspace, select Login & Registration.
          5. Under Headless Passwordless Login, select Allow login via the Headless Passwordless Login API.
          6. To require an access token when your app submits information to Headless Passwordless Login API, select Require authentication to access this API.
          7. To require a reCAPTCHA token when your app submits user information to Headless Passwordless Login API, select Require reCAPTCHA to access this API.
          8. If you selected Require reCAPTCHA to access this API, configure reCAPTCHA settings.
            1. For Secret Key, enter the key from your reCAPTCHA API key pair.
            2. For Score Threshold, enter a threshold value between 0.5 and 1.
              If you’re using reCAPTCHA v3, this value determines the score that you accept. Scores closer to 0.5 are more likely to be bots, while scores closer to 1 are more likely to be valid users. For more information, see the reCAPTCHA v3 documentation.
            Note: If you require reCAPTCHA for other Headless Identity flows, like registration and forgot password, these settings also apply.
          9. To use a headless user discovery handler to look up users, take these steps.
            1. For User Discovery Handler, click the magnifying glass icon and select an Apex class that implements the Auth.HeadlessUserDiscoveryHandler interface. Or, to generate a template class, click Create a headless user discovery handler template and customize the code later.
            2. For Run As, select a user to run the handler. We recommend that you use an integration user account instead of a real user.
          10. Save your settings.
          11. Optionally, customize the OTP email that’s sent to end users for verification. If you created an email template allowlist, Salesforce defaults to this email template if you don’t include an emailtemplate parameter in your request.
            1. From the Administration workspace, select Emails.
            2. For One-Time Password, click the magnifying glass icon.
            3. In the window that appears, select Experience Cloud: One-Time Password Email.
            4. Save your changes.
            5. To customize the email, edit its default content.
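
To show what the Score Threshold setting in step 8 means in practice, the following added example (not Salesforce code, and not how Salesforce implements the check) applies a threshold to parsed reCAPTCHA v3 verification responses, using the `success`, `score`, `action`, `hostname` and `error-codes` fields of Google's siteverify response. It goes slightly beyond the threshold itself by also rejecting tokens issued for a different hostname or action; the action name, hostname and sample responses are constructed.

```python
from dataclasses import dataclass

MIN_THRESHOLD, MAX_THRESHOLD = 0.5, 1.0  # range the Score Threshold field accepts


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(result, threshold, expected_action, expected_host):
    """Apply a score threshold to a parsed reCAPTCHA v3 siteverify response."""
    if not MIN_THRESHOLD <= threshold <= MAX_THRESHOLD:
        raise ValueError("threshold must be between 0.5 and 1")
    if result.get("success") is not True:
        codes = ",".join(result.get("error-codes", [])) or "unknown"
        return Decision(False, f"verification failed: {codes}")
    # A valid token minted for another site or another form must not count.
    if result.get("hostname") != expected_host:
        return Decision(False, "hostname mismatch")
    if result.get("action") != expected_action:
        return Decision(False, "action mismatch")
    score = result.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return Decision(False, "response carries no score")
    if score < threshold:
        return Decision(False, f"score {score} below threshold {threshold}")
    return Decision(True, f"score {score} meets threshold {threshold}")


# Constructed sample responses (assumed action and hostname values).
ACTION, HOST = "passwordless_login", "app.example.com"
SAMPLES = {
    "likely_user": {"success": True, "score": 0.9, "action": ACTION, "hostname": HOST},
    "likely_bot": {"success": True, "score": 0.3, "action": ACTION, "hostname": HOST},
    "replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "wrong_action": {"success": True, "score": 0.9, "action": "register", "hostname": HOST},
}


def decide_all(threshold):
    """Return {sample name: Decision} for every constructed sample."""
    return {name: evaluate(r, threshold, ACTION, HOST) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in decide_all(0.7).items():
        print(f"{name:13} allowed={decision.allowed} ({decision.reason})")
```
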

          You’re now ready to implement the Headless Passwordless Login Flow. Check out the instructions for your app type.

           