          OAuth 2.0 for First-Party Applications: Configure Experience Cloud Settings

          Before you build headless username-password login, passwordless login, and registration flows using the OAuth 2.0 for First-Party Applications draft protocol, configure Experience Cloud settings on the Login & Registration page.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Enterprise, Unlimited, and Developer Editions

          Headless Username-Password Login

          Configure settings for headless username-password login via the authorization challenge endpoint.

          1. From Setup, in the Quick Find box, enter Sites, and then select All Sites.
          2. To access Experience Workspaces, next to your site name, click Workspaces.
          3. Select Administration, and then select Login & Registration.
          4. Under OAuth 2.0 for First-Party Applications, select Allow off-platform apps to access the OAuth 2.0 authorization challenge endpoint.
          5. To require a reCAPTCHA token when your app submits user information to the authorization challenge endpoint, select Require reCAPTCHA to access the OAuth 2.0 authorization challenge endpoint for username-password login authorization flows.
          6. If you opted to require reCAPTCHA, scroll down to reCAPTCHA Options for Headless Identity and configure reCAPTCHA settings.
            1. For Secret Key, enter the key from your reCAPTCHA API key pair.
            2. For Score Threshold, enter a threshold value between 0.5 and 1.
              If you’re using reCAPTCHA v3, this value determines the score that you accept. Scores closer to 0.5 are more likely to be bots, while scores closer to 1 are more likely to be valid users. For more information, see the reCAPTCHA v3 documentation.
            Note: If you require reCAPTCHA for other headless identity flows, these settings also apply.
          7. Save your settings.

          Headless Passwordless Login

          Configure settings for headless passwordless login via the authorization challenge endpoint.

          1. From Setup, in the Quick Find box, enter Sites, and then select All Sites.
          2. To access Experience Workspaces, next to your site name, click Workspaces.
          3. Select Administration, and then select Login & Registration.
          4. Under OAuth 2.0 for First-Party Applications, select Allow off-platform apps to access the OAuth 2.0 authorization challenge endpoint.
          5. Under Headless Passwordless Login, select Allow login via the Headless Passwordless Login API.
            Note: This setting is required for headless passwordless login even if you don't make any calls to the /services/auth/headless/init/passwordless/login endpoint.
          6. To require an access token in your initial request to the authorization challenge endpoint, select Require authentication to access this API.
            Note: Passwordless login via the authorization challenge endpoint always requires a client attestation JWT in your initial call, so it isn't necessary to send an access token. But you can include it if you want.
          7. To require a reCAPTCHA token in your initial request to the authorization challenge endpoint, select Require reCAPTCHA to access this API.
          8. If you opted to require reCAPTCHA, scroll down to reCAPTCHA Options for Headless Identity and configure reCAPTCHA settings.
            1. For Secret Key, enter the key from your reCAPTCHA API key pair.
            2. For Score Threshold, enter a threshold value between 0.5 and 1.
              If you’re using reCAPTCHA v3, this value determines the score that you accept. Scores closer to 0.5 are more likely to be bots, while scores closer to 1 are more likely to be valid users. For more information, see the reCAPTCHA v3 documentation.
            Note: If you require reCAPTCHA for other headless identity flows, these settings also apply.
          9. Save your settings.
          10. Optionally, customize the OTP email that’s sent to end users for verification. If you created an email template allowlist, Salesforce defaults to this email template if you don’t include an emailtemplate parameter in your request.
            1. From the Administration workspace, select Emails.
            2. For One-Time Password, click the magnifying glass icon.
            3. In the window that appears, select Experience Cloud: One-Time Password Email.
            4. Save your changes.
            5. To customize the email, edit its default content.

          Headless Registration

          Configure settings for headless registration via the authorization challenge endpoint.

          1. From Setup, in the Quick Find box, enter Sites, and then select All Sites.
          2. To access Experience Workspaces, next to your site name, click Workspaces.
          3. Select Administration, and then select Login & Registration.
          4. Under OAuth 2.0 for First-Party Applications, select Allow off-platform apps to access the OAuth 2.0 authorization challenge endpoint.
          5. Under Headless Registration, select Allow self-registration via the Headless Registration API.
            Note: This setting is required for headless registration even if you don't make any calls to the /services/auth/headless/init/registration endpoint.
          6. To require an access token in your initial request to the authorization challenge endpoint, select Require authentication to access this API.
            Note: Headless registration via the authorization challenge endpoint always requires a client attestation JWT in your initial call, so it isn't necessary to send an access token. But you can include it if you want.
          7. To require a reCAPTCHA token in your initial request to the authorization challenge endpoint, select Require reCAPTCHA to access this API.
          8. If you opted to require reCAPTCHA, scroll down to reCAPTCHA Options for Headless Identity and configure reCAPTCHA settings.
            1. For Secret Key, enter the key from your reCAPTCHA API key pair.
            2. For Score Threshold, enter a threshold value between 0.5 and 1.
              If you’re using reCAPTCHA v3, this value determines the score that you accept. Scores closer to 0.5 are more likely to be bots, while scores closer to 1 are more likely to be valid users. For more information, see the reCAPTCHA v3 documentation.
            Note: If you require reCAPTCHA for other headless identity flows, these settings also apply.
          9. Save your settings.
          10. Optionally, customize the OTP email that’s sent to end users for verification. If you created an email template allowlist, Salesforce defaults to this email template if you don’t include an emailtemplate parameter in your request.
            1. From the Administration workspace, select Emails.
            2. For One-Time Password, click the magnifying glass icon.
            3. In the window that appears, select Experience Cloud: One-Time Password Email.
            4. Save your changes.
            5. To customize the email, edit its default content.
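The Score Threshold setting above (shared by all three headless flows) is easiest to reason about with a worked decision rule. The following is an added example, not Salesforce code: it models how a reCAPTCHA v3 siteverify response is accepted or rejected against a threshold constrained to the 0.5 to 1 range the settings page allows. Salesforce performs the actual token verification once the secret key and threshold are configured; the action check is an extra consistency check beyond what the page describes, and all sample responses are constructed.

```python
from dataclasses import dataclass
from typing import Any, Mapping

# Bounds the Login & Registration page enforces for Score Threshold (reCAPTCHA v3).
MIN_THRESHOLD = 0.5
MAX_THRESHOLD = 1.0


@dataclass(frozen=True)
class Verdict:
    accept: bool
    reason: str


def validate_threshold(threshold: float) -> float:
    """Reject thresholds outside the 0.5 to 1 range the settings page allows."""
    if not (MIN_THRESHOLD <= threshold <= MAX_THRESHOLD):
        raise ValueError(f"score threshold must be between {MIN_THRESHOLD} and {MAX_THRESHOLD}")
    return threshold


def evaluate(siteverify: Mapping[str, Any], threshold: float, expected_action: str) -> Verdict:
    """Illustrative accept/deny rule for a reCAPTCHA v3 siteverify response.

    This models the decision, it is not Salesforce's implementation: Salesforce
    verifies the token itself using the configured secret key and threshold.
    """
    threshold = validate_threshold(threshold)
    if not siteverify.get("success"):
        codes = ",".join(siteverify.get("error-codes", []))
        return Verdict(False, f"token invalid or expired: {codes}")
    # v3 responses carry a score; a response without one is treated as a failure.
    score = siteverify.get("score")
    if not isinstance(score, (int, float)):
        return Verdict(False, "no score in response")
    # A token minted for a different action (another form or flow) is not accepted.
    if siteverify.get("action") != expected_action:
        return Verdict(False, f"action mismatch: {siteverify.get('action')!r}")
    # Scores near 0.5 are likely bots, scores near 1 likely real users.
    if score < threshold:
        return Verdict(False, f"score {score} below threshold {threshold}")
    return Verdict(True, f"score {score} meets threshold {threshold}")


# Constructed sample responses in the shape reCAPTCHA siteverify returns.
SAMPLE_HUMAN = {"success": True, "score": 0.9, "action": "login", "hostname": "example.com"}
SAMPLE_BOT = {"success": True, "score": 0.3, "action": "login", "hostname": "example.com"}
SAMPLE_EXPIRED = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for name, resp in [("human", SAMPLE_HUMAN), ("bot", SAMPLE_BOT), ("expired", SAMPLE_EXPIRED)]:
        print(name, evaluate(resp, 0.7, "login"))
```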