Headless Identity APIs: Authorization Code and Credentials Flow for Public Clients
For public clients such as single-page apps or mobile apps, you can set up headless login for customers and partners by using the Authorization Code and Credentials Flow. This flow is built on the OAuth 2.0 Authorization Code grant type. With the Authorization Code and Credentials Flow, you control the front-end login experience in a third-party app. You call Salesforce Headless Login APIs via your Experience Cloud site to handle the back-end work of authenticating users and granting access to protected Salesforce resources. With separate front-end and back-end processes, your users can log in and access Salesforce data without leaving your app. For single-page apps, you use a server-side callback endpoint to extract the authorization code, and you perform the code exchange from the browser via client-side JavaScript.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: Enterprise, Unlimited, and Developer Editions |
This help content describes how to set up the flow and how it works. To set up an end-to-end example implementation, see the Headless Identity Implementation Guide.
Before setting up this flow, complete these steps.
- Complete prerequisites for Headless Identity.
- Integrate your off-platform app with Salesforce using one of these options.
Because you manage Salesforce Customer Identity through Experience Cloud sites, you can
configure the Authorization Code and Credentials Flow only for customers and partners using an
Experience Cloud site subdomain such as https://MyExperienceCloudSite.my.site.com. You can’t set up this flow for employees
accessing the Salesforce platform with login.salesforce.com or your
org-specific My Domain login URL, or for employees who access Experience Cloud sites.
Here’s an example use case for the Authorization Code and Credentials Flow. You work for a travel company that stores customer data in Salesforce. You created a custom single-page app, and you want users to have access to their past travel bookings from your app. You also want full control over the login experience so that you can align with your company’s branding. So you configure your custom app as an external client app or connected app and set up the Authorization Code and Credentials Flow.
By default, users enter their username to log in. To give users more options, set up headless user discovery. For example, develop a flow where users enter their email address, phone number, or even an order number. See Headless Login without a Username.
Here’s a simplified overview of the flow in action.
- Your user goes to your custom app, where your login form is natively displayed within the app, and enters their username and password. Or, if you're using headless user discovery, they enter an identifier such as an email address, phone number, or order number, along with their password.
- If you’re using the Proof Key for Code Exchange (PKCE) extension, the app generates values to verify the authorization code. If you’re not using PKCE, your flow skips this step. We strongly recommend that you always use PKCE when implementing this flow for single-page apps.
- From the browser, your custom app—via JavaScript—sends a headless authorization request to the Salesforce Headless Login API authorization endpoint on your Experience Cloud site.
- If you're using headless user discovery, your Apex handler finds the user based on the identifier that they used to log in. If the user credentials are valid and the user has a verified email address or phone number, the login proceeds.
- Salesforce Headless Login API validates the user credentials and returns an HTTP 302 redirect to a preconfigured URL containing the authorization code. Salesforce then automatically sends the redirect response to the redirect URL, which points to the server-side callback handler.
- The server-side callback handler extracts the authorization code from the 302 redirect and returns it to the app.
- The client-side JavaScript receives the redirect URL parameters and initiates the code exchange with a POST request to the token endpoint.
- Salesforce Headless Login API validates the request and returns an access token response to the app.
- Client-side JavaScript on the app processes the access token and creates the user’s session.
- The user is now logged in, and they perform an action in your custom app that initiates a request for Salesforce data. For example, they click a button to access their travel booking history, which is stored in the Salesforce Experience Cloud site.
- Your custom app makes an authenticated request to a protected Salesforce endpoint, such as a Salesforce API.
- The user can now access their protected data in your custom app. For example, they can see their travel booking history.
A key component of this flow is the client-side JavaScript that sends the authorization request, performs the code exchange, and processes the access token. Here’s a JavaScript example that uses a connected app.
var clientId = "<Connected App Client ID>";
var baseURL = "<Experience Cloud Domain>";
var redirectURL = "<Experience Cloud Domain>/services/apexrest/code/extraction"
// Performs the code exchange
function doCodeExchange(authorizeResponse) {
//Perform Code Exchange
//Get Access Token
var client = new XMLHttpRequest();
client.open("POST", authorizeResponse.sfdc_community_url + "/services/oauth2/token", true);
client.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
client.send("code=" + authorizeResponse.code + "&grant_type=authorization_code&client_id=" + clientId + "&redirect_uri=" + redirectURL);
client.onreadystatechange = function() {
if(this.readyState == 3) {
response = JSON.parse(client.response);
getUserInfo(response.access_token, response.sfdc_community_url)
}
}
}
// Gets User Info
function getUserInfo(accessToken, userInfoBaseURL) {
var client = new XMLHttpRequest();
client.open("GET", userInfoBaseURL + "/services/oauth2/userinfo", true);
client.setRequestHeader("Content-Type", "application/json");
client.setRequestHeader("Authorization", "Bearer " + accessToken);
client.send();
client.onreadystatechange = function() {
if(this.readyState == 3) {
response = JSON.parse(client.response);
response.access_token = accessToken;
document.getElementById("json").textContent = JSON.stringify(response, undefined, 2);
document.getElementById("results").style.display="block";
}
}
}
//Starts the Login Process
function startLogin() {
var username = document.getElementById('user_name').value;
var password = document.getElementById('password').value;
var encodedUNP = btoa(username + ':' + password);
var client = new XMLHttpRequest();
client.open("POST", baseURL + "/services/oauth2/authorize", true);
client.setRequestHeader("Auth-Request-Type", "Named-User");
client.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
client.setRequestHeader("Authorization", "Basic " + encodedUNP);
client.send("response_type=code_credentials&client_id=" + clientId + "&redirect_uri=" + redirectURL);
client.onreadystatechange = function() {
if(this.readyState == 3) {
response = JSON.parse(client.response);
doCodeExchange(response);
}
}
return false;
}
Another key component is the server-side callback handler that extracts the code from the 302 redirect and returns it to the app. In this example, the handler is an Apex class exposed as a public REST endpoint, and is Cross Origin Resource Sharing (CORS) enabled to offer cross-site scripting protection. To simplify development, use the OAuth 2.0 echo endpoint to get the authorization code.
@RestResource(urlMapping='/code/extraction')
global class CodeExtractorAPI {
@HttpGet
global static CodeResponse doGet() {
RestRequest req = RestContext.request;
RestResponse res = RestContext.response;
try {
res.statusCode = 200;
return new CodeResponse(req.params.get('code'), req.params.get('sfdc_community_url'), req.params.get('sfdc_community_id'), req.params.get('state'));
} catch (Exception e) {
res.statusCode = 500;
return new CodeResponse('Could not parse auth code redirect URI');
}
}
// Response Wrapper
global class CodeResponse {
String code;
String sfdc_community_url;
String sfdc_community_id;
String state;
Boolean success;
String errMsg;
public CodeResponse(String code, String sfdc_community_url, String sfdc_community_id, String state) {
this.code = code;
this.sfdc_community_url = sfdc_community_url;
this.sfdc_community_id = sfdc_community_id;
this.state = state;
this.success = true;
}
public CodeResponse(String errMsg) {
this.success = false;
this.errMsg = this.errMsg;
}
}
}
Here’s a detailed breakdown of this flow.
End User Opens Third-Party App and Logs In
Your user opens your third-party app intending to log in. In your app, your login form appears showing username and password fields and a login button. Salesforce doesn’t provide this login form. Its look and feel are up to you. Your user enters their username and password and clicks the login button.
Third-Party App Generates code_verifier and code_challenge Values (Optional)
If you’re using the Proof Key for Code Exchange (PKCE) extension, the app generates values used to verify the authorization code.
Your flow includes this step only if you’re using the Proof Key for Code Exchange (PKCE) extension. As a security best practice, we strongly recommend using the PKCE extension when you implement the Authorization Code and Credentials Flow, especially for single-page apps. For more information on PKCE, see the specificationRFC 7636: Proof Key for Code Exchange by OAuth Public Clients provided by the Internet Engineering Task Force (IETF).
The PKCE specification defined in RFC 7636 also includes an optional
code_challenge_method parameter that you can send in the
authorization request. Salesforce ignores any value that you send in this parameter and defaults
to SHA256.
Third-Party App Headlessly Requests an Authorization Code
From the browser, your custom app—via JavaScript—sends a headless authorization code request to the Salesforce Headless Login API authorization endpoint. If you aren't using headless user discovery, use either the GET or POST method for this request. If you are using headless user discovery, only POST requests are supported.
In this client-side JavaScript excerpt, the authorization request is sent as part of the
startLogin function. After retrieving the user
credentials, the function constructs and sends a POST request, including a redirect URL that
points to the server-side callback
handler.
function startLogin() {
var username = document.getElementById('user_name').value;
var password = document.getElementById('password').value;
var encodedUNP = btoa(username + ':' + password);
var client = new XMLHttpRequest();
client.open("POST", baseURL + "/services/oauth2/authorize", true);
client.setRequestHeader("Auth-Request-Type", "Named-User");
client.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
client.setRequestHeader("Authorization", "Basic " + encodedUNP);
client.send("response_type=code_credentials&client_id=" + clientId + "&redirect_uri=" + redirectURL);
client.onreadystatechange = function() {
if(this.readyState == 3) {
console.log("here");
console.log(client.response);
response = JSON.parse(client.response);
if (response.success) {
getUserInfo(response.access_token, baseURL);
}
}
}
return false;
}
For both GET and POST requests, you must include the header Auth-Request-Type: Named-User.
Depending on which method you use and your external client app or connected app configuration, you’re sometimes required to include an authorization header of type Basic containing the user’s credentials. If you’re using a GET request, you must send the credentials—the user’s username and password, appended to each other and Base64-encoded—in an authorization header. Here’s an example GET request.
GET /services/oauth2/authorize? HTTP 1.1
Host: MyDomainName.my.site.com
Auth-Request-Type: Named-User
Authorization: Basic <encoded username:password>
response_type=code_credentials&
redirect_uri=https://www.MyExperienceCloudSite.my.site.com/services/apexrest/code/extraction&
client_id=******&
code_challenge=Y29kZ*******
If you’re using a POST request, you can include the Base64-encoded user credentials in an authorization header, or you can put them in the request body.
If you're
using headless user discovery, you don't send a username and password. Instead, you send an
identifier in the login_hint parameter, optional custom
data, and a password. Include the identifier, custom data, and password in the body of a POST
request. Don't use a GET request.
Optionally, to connect this flow to the headless guest
flow, you can include a Uvid-Hint header with a JWT-based
access token containing a UVID value, which is a Version 4 universally unique identifier (UUID)
that’s generated and managed entirely by your app. To get an access token with a UVID, you must
enable your external client app or connected app to issue JWT-based access tokens and implement
the headless guest flow on your app.
If you implement the guest user flow on your app, you can optionally use this header to pass in a JSON Web Token (JWT)-based access token containing a unique visitor ID (UVID) tied to a guest user’s identity. By passing the UVID into a named user flow, you can carry contextual information from a guest user session, like the user’s cookie preferences, into a named user session.
You can also include the plain UVID value in the request body.
For both GET and POST methods, include these required parameters in the body of the authorization request.
| Parameter | Description |
|---|---|
client_id |
The consumer key of the external client app or connected app. |
redirect_uri |
The URL where users are redirected after a successful authentication. The redirect URI must match one of the values in the Callback URL field on the external client app or connected app. Otherwise, the approval fails. For public clients, the redirect URI must point to an endpoint that can process the 302 redirect from Salesforce. To simplify development, use the OAuth echo endpoint, such as https://MyExperienceCloudSite.my.site.com/services/oauth2/echo. These examples use an Apex REST code extraction endpoint. For example, |
response_type |
The OAuth 2.0 grant type that the app requests. For the Authorization Code and
Credentials Flow, the value must code_credentials. |
You can also include these optional parameters in the authorization request.
| Parameter | Description |
|---|---|
code_challenge |
Required if using the PKCE extension. Specifies the SHA256 hash value of the This
parameter is required if a
|
scope |
Permissions that define the type of protected resources the app can access. You assign scopes to an external client app or connected app when you build it, and they’re included with the OAuth tokens during the authorization flow. If you don’t include this parameter, all scopes assigned to the app are requested. To restrict the scopes further, pass a subset of the assigned scopes in this parameter. For valid parameters, see OAuth Scopes. |
state |
Any state that the external web service requests to be sent to the callback URL. This value must be URL encoded. |
uvid_hint |
A plain Instead of passing the UVID in the request body, you can also pass it in a
JWT-based token with a UVID via the |
login_hint |
Required if using headless user discovery. An identifier that your Apex handler uses
to find a user's Salesforce account. For example, collect a user's order number in your app
and pass it in the login_hint parameter. We send the
login_hint value straight to your Apex
handler. |
customdata |
Required if you're using a headless user discovery handler that handles custom data. For example, if you're also using the handler with a login flow that handles custom data, you must pass custom data in the forgot password flow. A JSON string containing additional data that your Apex headless discovery handler uses to find a user's Salesforce account. For example, pass information about the user's locale. |
(Optional) Headless User Discovery Handler Finds the User
If you're using a headless user discovery handler, the handler takes the login_hint and customdata
parameters and finds the associated user. The handler confirms that the email address or phone
number for the user is verified.
For an example handler, see Auth.HeadlessUserDiscoveryHandler.
Salesforce Validates Credentials and Returns a 302 Redirect to Server-Side Callback Handler
Salesforce Headless Login API receives the authorization request. It validates the user
credentials and returns an HTTP 302 redirect to a preconfigured URL containing the authorization
code. Salesforce then automatically sends the redirect response to the redirect URL, which
points to the server-side callback handler at the /code/extraction endpoint in this example. During this process, the browser isn’t
redirected—everything happens behind the scenes.
Server-Side Callback Handler Extracts Code and Returns It to App
The server-side callback handler extracts the authorization code and other data. The example
Apex callback handler uses the doGet method to extract the
code, Experience Cloud site URL, site ID, and state from the 302
redirect.
@RestResource(urlMapping='/code/extraction')
global class CodeExtractorAPI {
@HttpGet
global static CodeResponse doGet() {
RestRequest req = RestContext.request;
RestResponse res = RestContext.response;
try {
res.statusCode = 200;
return new CodeResponse(req.params.get('code'), req.params.get('sfdc_community_url'), req.params.get('sfdc_community_id'), req.params.get('state'));
} catch (Exception e) {
res.statusCode = 500;
return new CodeResponse('Could not parse auth code redirect URI');
}
}
The response wrapper sets the variables for the code response, including success and error indicators.
// Response Wrapper
global class CodeResponse {
String code;
String sfdc_community_url;
String sfdc_community_id;
String state;
Boolean success;
String errMsg;
public CodeResponse(String code, String sfdc_community_url, String sfdc_community_id, String state) {
this.code = code;
this.sfdc_community_url = sfdc_community_url;
this.sfdc_community_id = sfdc_community_id;
this.state = state;
this.success = true;
}
public CodeResponse(String errMsg) {
this.success = false;
this.errMsg = this.errMsg;
}
}
Here’s another example of code extraction using PHP: Hypertext Preprocessor (PHP).
<?
header('Access-Control-Allow-Headers: *');
header('Access-Control-Allow-Origin: *');
header('Content-Type: application/json; charset=utf-8');
$out = [];
foreach ($_GET as $name => $value) {
$out[$name] = $value;
}
echo json_encode($out);
?>
After extracting the code, the callback handler sends it back to the browser.
App Receives Code Response and Performs Code Exchange
The browser receives the code response. Here’s an example of a successful response in the browser console log.
{"success":true,"state":"https://MyExperienceCloudSite.my.site.com/","sfdc_community_url":"https://MyExperienceCloudSite.my.site.com/vforcesite","sfdc_community_id":"0DBxxxxxxxxxxxx","errMsg":null,"code":"aPrxC1*******"}The browser headlessly requests to exchange the code for an access token. In the client-side
JavaScript example, the doCodeExchange function sends
the code in a POST request to the Experience Cloud token endpoint.
To avoid exposing the consumer secret to the browser, you must disable the Require Secret for Web Server Flow and Require Secret for Refresh Token Flow settings on your external client app or connected app. With these settings disabled, the consumer secret isn’t required in the authorization request. If possible, we recommend that you perform the code exchange using a server back end. See Headless Identity APIs: Authorization Code and Credentials Flow for Private Clients.
var clientId = "<Connected App Client ID>";
var baseURL = "<Experience Cloud Domain>";
var redirectURL = "<Experience Cloud Domain>/services/apexrest/code/extraction"
// Performs the code exchange
function doCodeExchange(authorizeResponse) {
//Perform Code Exchange
//Get Access Token
var client = new XMLHttpRequest();
client.open("POST", authorizeResponse.sfdc_community_url + "/services/oauth2/token", true);
client.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
client.send("code=" + authorizeResponse.code + "&grant_type=authorization_code&client_id=" + clientId + "&redirect_uri=" + redirectURL);
client.onreadystatechange = function() {
if(this.readyState == 3) {
response = JSON.parse(client.response);
getUserInfo(response.access_token, response.sfdc_community_url)
}
}
}
For the access token request, you can use only a POST request—GET requests aren’t supported.
You must include a Content-Type header. Include these
required parameters in the request body.
| Parameter | Description |
|---|---|
client_id |
The consumer key of the external client app or connected app. |
code |
The authorization server creates an authorization code, which is a short-lived token, and passes it to the client after successful authentication. The client sends the authorization code to the authorization server to obtain an access token and, optionally, a refresh token. |
grant_type |
The type of validation that the app can provide to prove it’s a safe visitor. For the
Authorization Code and Credentials Flow, the value must be authorization_code. |
redirect_uri |
The URL where users are redirected after a successful authentication. The redirect URI must match one of the values in the Callback URL field on the external client app or connected app. Otherwise, the approval fails. For public clients, the redirect URI must point to an endpoint that can process the 302 redirect from Salesforce. To simplify development, use the OAuth echo endpoint, such as https://MyExperienceCloudSite.my.site.com/services/oauth2/echo. These examples use an Apex REST code extraction endpoint. For example, |
You can also include these optional parameters in the token request.
| Parameter | Description |
|---|---|
client_secret |
The consumer secret of the external client app or connected app. |
code_verifier |
Required if using the PKCE extension. Specifies 128 bytes of random data with high
entropy to make guessing the
|
format |
The expected format of the response. Salesforce supports these formats.
|
Salesforce Grants an Access Token
After validating the app’s credentials, Salesforce Headless Login API returns an access token to the browser. Here’s an example access token response in JSON format.
{
"access_token":"*******************",
"sfdc_community_url":"https://MyDomainName.my.site.com",
"sfdc_community_id":"0DBxxxxxxxxxxxx",
"signature":"ts6wm/svX3jXlCGR4uu+SbA04M6qhD1SAgVTEwZ59P4=",
"scope":"openid api",
"id_token":"XXXXXX",
"instance_url":"https://yourInstance.salesforce.com",
"id":"https://yourInstance.salesforce.com/id/00Dxxxxxxxxxxxx/005xxxxxxxxxxxx",
"token_type":"Bearer",
"issued_at":"1667600739962"
}
The access token response contains these required parameters.
| Parameter | Description |
|---|---|
access_token
|
OAuth token that an external client app or connected app uses to request access to a protected resource on behalf of the client application. Additional permissions in the form of scopes can accompany the access token. |
id
|
An identity URL that can be used to identify the user and to query for more information about the user. See Identity URLs. |
instance_url
|
A URL indicating the instance of the user’s org. For example: https://yourInstance.salesforce.com/. |
issued_at
|
Time stamp of when the signature was created, expressed as the number of milliseconds from 1970-01-01T0:0:0Z UTC. |
signature
|
Base64-encoded HMAC-SHA256 signature signed with the client_secret. The signature can include the concatenated ID and issued_at value, which you can use to verify that the identity
URL hasn’t changed since the server sent it. |
sfdc_community_url
|
The URL of the Experience Cloud site. |
sfdc_community_id
|
The user’s Experience Cloud site ID. |
token_type
|
A Bearer token type, which is used for all
responses that include an access token.
|
The access token response can also include these parameters.
| Parameter | Description |
|---|---|
id_token
|
A signed data structure that contains authenticated user attributes, including a unique identifier for the user and a timestamp indicating when the token was issued. It also identifies the requesting client app. See OpenID Connect specifications. This parameter is returned
if the scope parameter includes |
refresh_token
|
Token obtained from the web server, user-agent, or hybrid app token flow. This value
is a secret. Take appropriate measures to protect it. This parameter is returned only if
your external client app or connected app is set up with a refresh_token scope. |
state
|
The state requested by the client. This value is included only if the state parameter is included in the original query
string.
|
App Processes Token Response and Creates the User Session
The browser stores the information from the token response and creates the user session. At this point, the user is logged in, and the client-side JavaScript calls the Salesforce User Info endpoint to confirm that the login was successful, as shown in this excerpt.
// Gets User Info
function getUserInfo(accessToken, userInfoBaseURL) {
var client = new XMLHttpRequest();
client.open("GET", userInfoBaseURL + "/services/oauth2/userinfo", true);
client.setRequestHeader("Content-Type", "application/json");
client.setRequestHeader("Authorization", "Bearer " + accessToken);
client.send();
client.onreadystatechange = function() {
if(this.readyState == 3) {
response = JSON.parse(client.response);
response.access_token = accessToken;
document.getElementById("json").textContent = JSON.stringify(response, undefined, 2);
document.getElementById("results").style.display="block";
}
}
}
End User Is Logged in and Performs an Action in the App
Your user is now logged in. They perform an action in your app that requires access to Salesforce data. For example, they click a button to view their travel booking history, which is stored in Salesforce.
App Makes an Authenticated Call to a Salesforce Endpoint
To access the user’s Salesforce data, your app uses the access token to make an authenticated call to a protected Salesforce endpoint, such as a Salesforce API.
End User Can Access Salesforce Data
The user can now access protected Salesforce data in your app. For example, they can see their travel booking history. From the end user’s perspective, the entire process from logging in to accessing their data happened without ever requiring them to leave the app.
