
Deprecation Notice for /tokeninfo and /dw/oauth2 endpoints in Account Manager for B2C Commerce

Publish date: Apr 13, 2026
Description

Original publish date: Feb 5, 2024 | Last update date: Feb 12, 2026

At Salesforce, we understand that the confidentiality, integrity, and availability of your data are vital to your business, and we take the protection of your data seriously. This article discusses two endpoints in Account Manager for B2C Commerce (formerly Commerce Cloud) that are scheduled for deprecation.

Solution

1. Use /dwsso/oauth2 instead of /dw/oauth2 in all Account Manager URLs


All Account Manager endpoints starting with /dw/oauth2 (https://account.demandware.com/dw/oauth2) currently redirect to their corresponding /dwsso/oauth2 (https://account.demandware.com/dwsso/oauth2) endpoints. However, Salesforce will disable the /dw/oauth2 endpoint and the redirects will stop working. This means that for Account Manager, all the URLs starting with https://account.demandware.com/dw/oauth2/ must be updated to start with https://account.demandware.com/dwsso/oauth2/.

When: The /dw/oauth2 endpoint is deprecated now. Beginning July 2026, it will be disabled and redirects to /dwsso/oauth2 will no longer work. In the period until July 2026, the endpoint's rate limits will be reduced incrementally.

Action: Replace all Account Manager endpoints starting with /dw/oauth2 (https://account.demandware.com/dw/oauth2/*) with the corresponding endpoints starting with /dwsso/oauth2 (https://account.demandware.com/dwsso/oauth2/*). The /dwsso/oauth2 endpoints are more performant and have a 3X higher rate limit than /dw/oauth2, so it is beneficial to switch sooner rather than later.


Note: The Business Manager /dw/oauth2/access_token endpoint (https://[Business_Manager_Hostname].dw.demandware.net/dw/oauth2/access_token), which is provided by the B2C Commerce platform, is a different endpoint from the Account Manager /dw/oauth2/access_token endpoint and therefore remains supported and available for use.

2. Use /dwsso/oauth2/introspect instead of /tokeninfo endpoint

Note: No action is needed: the /tokeninfo endpoint has been disabled since March 1, 2025.

The Account Manager endpoint /tokeninfo (https://account.demandware.com/dwsso/oauth2/tokeninfo) checked the validity of a UUID access token or retrieved token metadata such as the expiration timestamp and scopes. Such a lookup was needed because a UUID access token is an opaque identifier that carries no metadata of its own.

The endpoint required the token to be passed as a URL parameter. Sensitive information in URLs can be logged in many places, including the user's browser, the web server, and any forward or reverse proxy between the two. URLs can also be displayed on screen, bookmarked, or included in emails, and they can be disclosed to third parties via the Referer header when off-site links are followed. Placing a UUID access token in the URL therefore increases the risk that attackers or non-privileged users capture it. In addition, the endpoint did not require any authentication, so anyone could use it to obtain information about an access token.

If you used the /tokeninfo endpoint, replace it with the /dwsso/oauth2/introspect endpoint (https://account.demandware.com/dwsso/oauth2/introspect). This endpoint is specified in RFC 7662 and provides a secure alternative: the UUID access token is sent in the request body, which is usually not logged or recorded, and only authenticated clients can use the endpoint. As an added layer of security, an API client can only introspect its own tokens and cannot obtain information about tokens outside of your organization.

Example:

POST https://account.demandware.com/dwsso/oauth2/introspect
Authorization: Basic YXBpQ2xpZW50SWQ6YXBpQ2xpZW50UGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded

token={accessToken}


If the API client authenticates with a JSON Web Token (JWT) instead of a password, the request must look like this:

POST https://account.demandware.com/dwsso/oauth2/introspect
Content-Type: application/x-www-form-urlencoded

client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion={signedJWT}&token={accessToken}
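
The following Python is an added worked example, not code from the Salesforce article: it builds both introspection requests shown above (Basic and JWT client assertion), interprets the RFC 7662 response, and applies the /dw/oauth2 to /dwsso/oauth2 URL migration from section 1 while leaving Business Manager URLs alone. The client id and password are the article's example values; the token and JWT are placeholders supplied by the caller.

```python
import base64
import json
import urllib.parse
import urllib.request

ACCOUNT_MANAGER = "https://account.demandware.com"
INTROSPECT_URL = f"{ACCOUNT_MANAGER}/dwsso/oauth2/introspect"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
FORM = "application/x-www-form-urlencoded"


def migrate_account_manager_url(url):
    """Rewrite a deprecated Account Manager /dw/oauth2/ URL to /dwsso/oauth2/.
    Only the account.demandware.com host is affected: the Business Manager
    /dw/oauth2/access_token endpoint on *.dw.demandware.net is left untouched."""
    old = f"{ACCOUNT_MANAGER}/dw/oauth2/"
    if url.startswith(old):
        return f"{ACCOUNT_MANAGER}/dwsso/oauth2/" + url[len(old):]
    return url


def basic_introspect_request(client_id, client_password, access_token):
    """RFC 7662 introspection request with HTTP Basic client authentication.
    The access token travels only in the POST body, never in the URL."""
    creds = base64.b64encode(f"{client_id}:{client_password}".encode()).decode()
    body = urllib.parse.urlencode({"token": access_token}).encode()
    headers = {"Authorization": f"Basic {creds}", "Content-Type": FORM}
    return urllib.request.Request(INTROSPECT_URL, data=body, headers=headers, method="POST")


def jwt_introspect_request(signed_jwt, access_token):
    """Same request, authenticated with a pre-signed JWT client assertion (caller signs it)."""
    body = urllib.parse.urlencode({
        "client_assertion_type": JWT_BEARER,  # urlencode percent-encodes the colons
        "client_assertion": signed_jwt,
        "token": access_token,
    }).encode()
    return urllib.request.Request(INTROSPECT_URL, data=body, headers={"Content-Type": FORM}, method="POST")


def token_is_usable(response_body, required_scope=None):
    """Interpret the RFC 7662 JSON response: accept only an active token that
    carries the required scope. Per RFC 7662, tokens the client may not introspect
    (another organization's, revoked, expired) come back as active=false."""
    data = json.loads(response_body)
    if not data.get("active", False):
        return False
    if required_scope and required_scope not in data.get("scope", "").split():
        return False
    return True
```

Send a built request with urllib.request.urlopen and pass the decoded body to token_is_usable; the Authorization header produced for the article's example credentials is exactly the one shown in the first request above.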

Additional resources
Knowledge Article Number

000927357