auth-oas-v1-public.yaml

openapi: 3.0.3
info:
  x-api-type: Shopper
  x-api-family: Shopper
  title: Auth
  version: 1.46.0
  description: |-
    [Download API specification](https://developer.salesforce.com/static/commercecloud/commerce-api/auth/auth-oas-v1-public.yaml)

    # API Overview

    The Shopper Login and API Access Service (SLAS) enables secure access to Commerce Cloud’s Shopper APIs for a wide range of headless commerce applications.

    **Important:** Before using this API, see [Authorization for Shopper APIs](https://developer.salesforce.com/docs/commerce/commerce-api/guide/authorization-for-shopper-apis.html) in the Get Started guides and the more detailed [SLAS guides](https://developer.salesforce.com/docs/commerce/commerce-api/guide/slas.html) for instructions on setting up a SLAS client, obtaining credentials, as well as flow and use case information.

    For load shedding and rate limiting information, see [Load Shedding and Rate Limiting.](https://developer.salesforce.com/docs/commerce/commerce-api/guide/throttle-rates.html)
servers:
  - url: https://{shortCode}.api.commercecloud.salesforce.com/shopper/auth/v1
    variables:
      shortCode:
        default: shortCode
paths:
  /organizations/{organizationId}/oauth2/login:
    post:
      summary: Log in a shopper with credentials that are managed by a B2C Commerce instance (B2C Commerce).
      description: |-
        This follows the authorization code grant flow as defined by the OAuth 2.1 standard. It also uses a proof key for code exchange (PKCE).

        For PKCE values:
        - The `code_verifier` string is a random string used for the `/token` endpoint request.
        - The `code_challenge` is an encoded version of the `code_verifier` string using an SHA-256 hash.

        The request must include a basic authorization header that contains a Base64 encoded version of the following string: `<shopperUserID>:<shopperPassword>`.
        Required parameters: `code_challenge`, `channel_id`, `client_id`, and `redirect_uri`.

        Optional parameters: `usid`.
        The SLAS `/login` endpoint redirects back to the redirect URI and returns an authorization code.
        Calls to `/login` made with the same loginId and tenantId within 1 second result in a conflict.
      operationId: authenticateCustomer
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: Authorization
          in: header
          description: Base64-encoded username and password for HTTP basic authentication
          required: true
          schema:
            type: string
            example: Basic <client credentials>
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/LoginRequest'
        required: true
      responses:
        '303':
          description: The authorization code and usid were successfuly added to the location header and sent to the callback as query parameters.
          content:
            application/json:
              schema:
                type: string
              examples:
                authenticateCustomerSuccess:
                  $ref: '#/components/examples/authenticateCustomerSuccess'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingClientId400:
                  $ref: '#/components/examples/BadOrMissingClientId400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InvalidBasicAuth401:
                  $ref: '#/components/examples/InvalidBasicAuth401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '409':
          description: Conflict
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                ConflictingCalls409:
                  $ref: '#/components/examples/ConflictingCalls409'
        '500':
          description: Internal server error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InternalServerError500:
                  $ref: '#/components/examples/InternalServerError500'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/passwordless/login:
    post:
      summary: Allow the customer to authenticate when their identity provider is down.
      description: This endpoint allows customers to authenticate when their configured identity provider is inaccessible. It provides an alternative authentication path through passwordless login methods like email or SMS verification.
      operationId: authorizePasswordlessCustomer
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - $ref: '#/components/parameters/register_customer'
        - name: Authorization
          in: header
          description: 'Base64-encoded string for HTTP Basic authentication. The string is composed of a client ID and client secret, separated by a colon (`:`), for example: `clientId:clientSecret`'
          required: false
          schema:
            type: string
            example: Basic <client credentials>
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/PasswordlessLoginRequest'
        required: true
      responses:
        '200':
          description: The customer authenticated successfully.
          content:
            application/json:
              schema:
                type: string
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingAccessToken400:
                  $ref: '#/components/examples/BadOrMissingAccessToken400'
                TooManyLoginRequests400:
                  description: |
                    This error is returned specifically when mode = email and the user has exceeded the maximum number of login attempts within the rate limit window.
                    The client should implement exponential backoff and retry the request after the specified time period.
                  value:
                    error: invalid_request
                    error_description: Too many login requests were made. Please try again later.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '412':
          description: Precondition failure
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                DependentServiceUnavailable412:
                  $ref: '#/components/examples/DependentServiceUnavailable412'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/logout:
    get:
      summary: Log out a shopper.
      description: |-
        The shopper's access token and refresh token are revoked. If the shopper authenticated with a B2C Commerce (B2C Commerce) instance, the OCAPI JWT is also revoked. Call this endpoint for registered users that have logged in using SLAS. Do not use this endpoint for guest users.

        Required header: Authorization header bearer token of the Shopper access token to log out.

        Required parameters: `refresh token`, `channel_id`, and `client`.
      operationId: logoutCustomer
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - $ref: '#/components/parameters/client_id'
        - $ref: '#/components/parameters/refresh_token'
        - name: channel_id
          in: query
          description: The `channel_id` parameter must be provided if the shopper authenticated using the `login` endpoint with B2C Commerce.
          required: false
          example: RefArch
          schema:
            example: RefArch
            maxLength: 100
            type: string
        - $ref: '#/components/parameters/logout_hint'
        - name: Authorization
          in: header
          description: Shopper access token to be revoked
          required: true
          schema:
            type: string
            example: Bearer eyJ2ZXIiOiIxLjAiLCJraWQiOiI0ZTQyNTFkOS0zM2Y2LTRjMTMtYjZmZC1mOWJkNTJmYTZhNDciLCJ0eXAiOiJqd3QiLCJjbHYiOiJKMi4xLjAiLCJhbGciOiJFUzI1NiJ9.eyJhdXQiOiJHVUlEIiwic2NwIjoic2ZjYy5wcm9kdWN0cy5ybyBzZmNjLmNhdGFsb2dzLnJvIHNmY2Muc2hvcHBlci5ydyIsInN1YiI6ImNjLXNsYXM6OnNsc2FfZGV2OjpzY2lkOjU1M2FjOGFjLTRkYjktNGVkMy04MjVjLTNhZTNiZjVkMzI3Yjo6dXNpZDoxY2E3OWZiNi0xYjIyLTRmOWItOGJiNi05YmU5NWNjMjA4NjMiLCJjdHgiOiJzbGFzLm5vdF9mb3JfZXh0ZXJuYWxfdXNlIiwiaXNzIjoic2xhcy9kZXYvc2xzYV9kZXYiLCJpc3QiOjEsImF1ZCI6ImNvbW1lcmNlY2xvdWQvZGV2L3Nsc2FfZGV2IiwibmJmIjoxNTk0NzY0MDgwLCJzdHkiOiJVc2VyIiwiaXNiIjoidWlkbzpzbGFzOjp1cG46R3Vlc3Q6OnVpZG46R3Vlc3QgVXNlciIsImV4cCI6MTU5NDc2NTkxMCwiaWF0IjoxNTk0NzY0MTEwLCJqdGkiOiJDMkMxNjM0NTE0NTEwLTE3MTQzMTg2NzY0MjcwNTcyNjQ2NTYxMzgifQ.UVYAsWXCn3hoUPy8vLlc7O96RZEHD3N3ZgdNH-ZVvJ1G-R6uJ2VPrYvwKmYXF41Ujm2bo83AYOHVqEEEPT8Kgw
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              examples:
                logoutCustomerSuccess:
                  $ref: '#/components/examples/logoutCustomerSuccess'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '303':
          description: The user has sent too many requests in a given amount of time, and rate limiting is in effect.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingClientId400:
                  $ref: '#/components/examples/BadOrMissingClientId400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingClientId400:
                  $ref: '#/components/examples/BadOrMissingClientId400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '500':
          description: Internal server error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InternalServerError500:
                  $ref: '#/components/examples/InternalServerError500'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/authorize:
    get:
      summary: Get an authorization code after authenticating a user against an identity provider (IDP).
      description: |-
        This is the first step of the OAuth 2.1 authorization code flow, in which a user can log in via federation to the IDP configured for the client. After successfully logging in, the user gets an authorization code via a redirect URI.

        You can call this endpoint from the front channel (the browser).
      operationId: authorizeCustomer
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - $ref: '#/components/parameters/redirect_uri'
        - $ref: '#/components/parameters/response_type'
        - $ref: '#/components/parameters/client_id'
        - $ref: '#/components/parameters/scope'
        - $ref: '#/components/parameters/state'
        - $ref: '#/components/parameters/usid'
        - $ref: '#/components/parameters/hint'
        - name: channel_id
          in: query
          description: The channel that this request is for. For a B2C Commerce request, this is angalous to the site ID.
          required: false
          example: RefArch
          schema:
            example: RefArch
            maxLength: 100
            type: string
        - $ref: '#/components/parameters/code_challenge'
        - $ref: '#/components/parameters/ui_locales'
      responses:
        '303':
          description: The authorization code was successfully added to the `redirect_uri`.
          content:
            application/json:
              schema:
                type: string
              examples:
                authorizeCustomerSuccess:
                  $ref: '#/components/examples/authorizeCustomerSuccess'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingClientId400:
                  $ref: '#/components/examples/BadOrMissingClientId400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InvalidBasicAuth401:
                  $ref: '#/components/examples/InvalidBasicAuth401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '500':
          description: Internal Server Error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InternalServerError500:
                  $ref: '#/components/examples/InternalServerError500'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/token:
    post:
      summary: Get the shopper or guest JWT access token and a refresh token.
      description: |-
        This is the second step of the OAuth 2.1 authorization code flow.

        For a private client, an application is able to get an access token for the shopper through the back channel (a trusted server) by passing in the client credentials and the authorization code retrieved from the `authorize` endpoint.

        For a guest user, get the shopper JWT access token and a refresh token. This is where a client appplication is able to get an access token for the guest user through the back channel (a trusted server) by passing in the client credentials.

        For a public client using PKCE, an application passes a PKCE `code_verifier` that matches the `code_challenge` that was used to `authorize` the customer along with the authorization code.

        When refreshing the access token with a private client ID and client secret, the refresh token is _not_ regenerated. However, when refreshing the access token with a public client ID, the refresh token is _always_ regenerated. The old refresh token is voided with every refresh call, so the refresh token on the client must be replaced to always store the new refresh token.

        See the Body section for required parameters, including `grant_type` and others that depend on the value of `grant_type`.

        **Important**: As of July 31, 2024**, SLAS requires the `channel_id` query parameter in token requests.
      operationId: getAccessToken
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: Authorization
          in: header
          description: "Base64-encoded string for HTTP Basic authentication. The string is composed of a client ID and client secret, separated by a colon (`:`), for example: `clientId:clientSecret`. \nNot required if the grant type is `authorization_code_pkce` or `refresh_token`."
          required: false
          schema:
            type: string
            example: Basic <client credentials>
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TokenRequest'
        required: true
      responses:
        '200':
          description: the shopper or guest JWT access token and a refresh token were retrieved successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              examples:
                getAccessTokenSuccess:
                  $ref: '#/components/examples/getAccessTokenSuccess'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingAccessToken400:
                  $ref: '#/components/examples/BadOrMissingAccessToken400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InvalidBasicAuth401:
                  $ref: '#/components/examples/InvalidBasicAuth401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '500':
          description: Internal server error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InternalServerError500:
                  $ref: '#/components/examples/InternalServerError500'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/session-bridge/token:
    post:
      summary: Get a shopper JWT access token for a customer using session bridging.
      description: |-
        For public client ID requests, you must set the grant_type to `session_bridge`.

        For private client_id and secret, you must set the grant_type to `client_credentials` along with a basic authorization header.

        **DEPRECATED** - As of January 31, 2024, SLAS no longer supports the SESB `dwsid` parameter for `guest` users for `session-bridge/token` calls. We recommended you transition to using a SESB `dwsgst` token.

        The `dwsid` is still needed for `registered` user `session-bridge/token` calls.

        **NOTE:** The registered customer Json Web Token (JWT) is available in B2C Commerce versions 25.4 and later.
      operationId: getSessionBridgeAccessToken
      parameters:
        - $ref: '#/components/parameters/organizationId'
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/SessionBridgeTokenRequest'
        required: true
      responses:
        '200':
          description: The shopper JWT access token was retrieved successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              examples:
                getSessionBridgeAccessTokenSuccess:
                  $ref: '#/components/examples/getSessionBridgeAccessTokenSuccess'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingAccessToken400:
                  $ref: '#/components/examples/BadOrMissingAccessToken400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '503':
          description: Gateway error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                GatewayError503:
                  $ref: '#/components/examples/GatewayError503'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/trusted-system/token:
    post:
      summary: Get a shopper JWT access token for a registered customer whose credentials are stored using a third party.
      description: |-
        The SLAS client must have the `sfcc.ts_ext_on_behalf_of` scope to access this endpoint.


        For trusted-system requests, you can use a basic authorization header that includes a SLAS private client ID and SLAS private client secret instead of the bearer token.


        For trusted-system requests, you cannot use SLAS public client_ids.
      operationId: getTrustedSystemAccessToken
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: Authorization
          in: header
          description: "Base64-encoded string for HTTP Basic authentication. The string is composed of a client ID and client secret, separated by a colon (`:`), for example: `clientId:clientSecret`. \nNot required if the grant type is `authorization_code_pkce` or `refresh_token`."
          required: false
          schema:
            type: string
            example: Basic <client credentials>
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TrustedSystemTokenRequest'
        required: true
      responses:
        '200':
          description: The shopper JWT access token was retrieved successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              examples:
                getTrustedSystemAccessTokenSuccess:
                  $ref: '#/components/examples/getTrustedSystemAccessTokenSuccess'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingClientId400:
                  $ref: '#/components/examples/BadOrMissingClientId400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '409':
          description: Conflict
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                ConflictingCalls409:
                  $ref: '#/components/examples/ConflictingCalls409'
        '503':
          description: Gateway error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                GatewayError503:
                  $ref: '#/components/examples/GatewayError503'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/trusted-agent/authorize:
    get:
      summary: Obtain a new agent on behalf of an authorization token for a registered customer.
      description: This endpoint enables trusted agents (such as customer service representatives or merchants) to obtain authorization tokens that allow them to act on behalf of registered customers. This facilitates customer support scenarios where agents need secure access to customer accounts.
      operationId: getTrustedAgentAuthorizationToken
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - $ref: '#/components/parameters/client_id'
        - $ref: '#/components/parameters/channel_id'
        - $ref: '#/components/parameters/code_challenge'
        - $ref: '#/components/parameters/login_id'
        - $ref: '#/components/parameters/idp_origin'
        - $ref: '#/components/parameters/redirect_uri'
        - $ref: '#/components/parameters/response_type'
      responses:
        '303':
          description: The new agent was obtained successfully.
          headers:
            Location:
              description: Location header with the `redirect_uri` to Account Manager, which allows the agent to log in.
              schema:
                maxLength: 2048
                description: URL with redirect
                example: https://account.demandware.com:443/dwsso/UI/Login?realm=/&goto=https://account.demandware.com:443/dwsso/oauth2/authorize?client_id=6739cb07-2f5f-4e16-a88a-8113a3cb5512&redirect_uri=https://stg.us1.shopper.cc.salesforce.com/api/v1/trusted-agent/callback"
                type: string
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
          content:
            application/json:
              schema:
                type: string
              examples:
                getTrustedAgentAuthorizationTokenSuccess: {}
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingClientId400:
                  $ref: '#/components/examples/BadOrMissingClientId400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '500':
          description: Internal server error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InternalServerError500:
                  $ref: '#/components/examples/InternalServerError500'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/trusted-agent/token:
    post:
      summary: Get a shopper JWT access token for a registered customer using a trusted agent (merchant).
      description: |-
        If using a SLAS private client ID, you must also use an `_sfdc_client_auth` header.

        The value of the `_sfdc_client_auth` header must be a Base64-encoded string. The string is composed of a SLAS private client ID and client secret, separated by a colon (`:`). For example, `privateClientId:privateClientsecret` becomes `cHJpdmF0ZUNsaWVudElkOnByaXZhdGVDbGllbnRzZWNyZXQ=` after Base64 encoding.
      operationId: getTrustedAgentAccessToken
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - $ref: '#/components/parameters/_sfdc_client_auth'
        - name: Authorization
          in: header
          description: This is the `Bearer` token that is returned from Account Manager after the trusted agent on behalf of (TAOB) authorize call.
          required: false
          schema:
            type: string
            example: Bearer HQ8zQXpc0VVaXEdBdzasZQaCQDw
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TrustedAgentTokenRequest'
        required: true
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              examples:
                getTrustedAgentAccessTokenSuccess:
                  $ref: '#/components/examples/getTrustedAgentAccessTokenSuccess'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingAccessToken400:
                  $ref: '#/components/examples/BadOrMissingAccessToken400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '503':
          description: Gateway error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                GatewayError503:
                  $ref: '#/components/examples/GatewayError503'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/password/reset:
    post:
      summary: Request a reset password token.
      description: This endpoint initiates the password reset process for a customer by requesting a password reset token. The token is delivered through the configured delivery mode (email, SMS, etc.) and can be used with the password/action endpoint to set a new password.
      operationId: getPasswordResetToken
      parameters:
        - $ref: '#/components/parameters/organizationId'
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/PasswordActionRequest'
        required: true
      responses:
        '200':
          description: The reset password token was requested successfully.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadMissingAccessOrRefreshToken400:
                  $ref: '#/components/examples/BadMissingAccessOrRefreshToken400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '412':
          description: Precondition failure
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                DependentServiceUnavailable412:
                  $ref: '#/components/examples/DependentServiceUnavailable412'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/password/action:
    post:
      summary: Create a new password.
      description: This endpoint allows a customer to set a new password using a valid password reset token. The customer must provide the token received from the password/reset endpoint along with the desired new password.
      operationId: resetPassword
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: Authorization
          in: header
          description: 'Base64-encoded string for HTTP Basic authentication. The string is composed of a client ID and client secret, separated by a colon (`:`), for example: `clientId:clientSecret`'
          required: false
          schema:
            type: string
            example: Basic <client credentials>
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/PasswordActionVerifyRequest'
        required: true
      responses:
        '200':
          description: The password was created successfully.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadParameters400:
                  $ref: '#/components/examples/BadParameters400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '503':
          description: Gateway error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                GatewayError503:
                  $ref: '#/components/examples/GatewayError503'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/passwordless/token:
    post:
      summary: Issue a shopper token (JWT).
      description: This endpoint issues a shopper JWT access token using a passwordless login token. It enables authentication flows where traditional username/password combinations are not required, supporting alternative authentication methods.
      operationId: getPasswordLessAccessToken
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: Authorization
          in: header
          description: 'Base64-encoded string for HTTP Basic authentication. The string is composed of a client ID and client secret, separated by a colon (`:`), for example: `clientId:clientSecret`'
          required: false
          schema:
            type: string
            example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/PasswordLessLoginTokenRequest'
        required: true
      responses:
        '200':
          description: The shopper token was issued successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
              examples:
                getPasswordLessAccessTokenSuccess:
                  $ref: '#/components/examples/getPasswordLessAccessTokenSuccess'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingAccessToken400:
                  $ref: '#/components/examples/BadOrMissingAccessToken400'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '503':
          description: Gateway error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                GatewayError503:
                  $ref: '#/components/examples/GatewayError503'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
  /organizations/{organizationId}/oauth2/revoke:
    post:
      summary: Invalidate a refresh token.
      description: A basic auth header with Base64-encoded `clientId:secret` is required in the Authorization header, and the refresh token to be revoked is required in the body.
      operationId: revokeToken
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: Authorization
          in: header
          description: 'Base64-encoded string for HTTP Basic authentication. The string is composed of a client ID and client secret, separated by a colon (`:`), like this: `clientId:clientSecret`'
          required: true
          schema:
            type: string
            example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TokenActionRequest'
            examples:
              TokenActionRequestBody:
                $ref: '#/components/examples/TokenActionRequestBody'
        required: true
      responses:
        '200':
          description: The refresh token was revoked successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenActionRequest'
              examples:
                revokeTokenSuccess:
                  $ref: '#/components/examples/revokeTokenSuccess'
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingRefreshToken400:
                  $ref: '#/components/examples/BadOrMissingRefreshToken400'
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InvalidBasicAuth401:
                  $ref: '#/components/examples/InvalidBasicAuth401'
        '500':
          description: Internal server error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InternalServerError500:
                  $ref: '#/components/examples/InternalServerError500'
  /organizations/{organizationId}/oauth2/introspect:
    post:
      summary: Return token properties.
      description: A basic auth header with Base64-encoded `clientId:secret` is required in the Authorization header, as well as an access token or refresh token. Use `token_type_hint` to help identify the token.
      operationId: introspectToken
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - $ref: '#/components/parameters/Authorization'
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TokenActionRequest'
            examples:
              TokenActionRequestBody:
                $ref: '#/components/examples/TokenActionRequestBody'
        required: true
      responses:
        '200':
          description: Token properties returned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenActionRequest'
              examples:
                introspectTokenSuccess:
                  $ref: '#/components/examples/introspectTokenSuccess'
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadMissingAccessOrRefreshToken400:
                  $ref: '#/components/examples/BadMissingAccessOrRefreshToken400'
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InvalidBasicAuth401:
                  $ref: '#/components/examples/InvalidBasicAuth401'
        '500':
          description: Internal server error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InternalServerError500:
                  $ref: '#/components/examples/InternalServerError500'
  /organizations/{organizationId}/oauth2/userinfo:
    get:
      summary: Return a JSON listing of claims about the currently authenticated user.
      description: This endpoint returns identity information about the authenticated user in the form of OpenID Connect claims. It requires a valid access token and returns information such as user ID, name, email, and other identity attributes based on the scopes granted during authentication.
      operationId: getUserInfo
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: channel_id
          in: query
          description: Used when getting user information for a SFCC login. For an B2C Commerce customer, this is angalous to the site ID. Required when getting user information for an B2C Commerce customer.
          required: false
          example: RefArch
          schema:
            example: RefArch
            maxLength: 100
            type: string
        - name: Authorization
          in: header
          description: SLAS Access Token
          required: true
          schema:
            type: string
            example: Bearer eyJ2ZXIiOiIxLjAiLCJraWQiOiI0ZTQyNTFkOS0zM2Y2LTRjMTMtYjZmZC1mOWJkNTJmYTZhNDciLCJ0eXAiOiJqd3QiLCJjbHYiOiJKMi4xLjAiLCJhbGciOiJFUzI1NiJ9.eyJhdXQiOiJHVUlEIiwic2NwIjoic2ZjYy5wcm9kdWN0cy5ybyBzZmNjLmNhdGFsb2dzLnJvIHNmY2Muc2hvcHBlci5ydyIsInN1YiI6ImNjLXNsYXM6OnNsc2FfZGV2OjpzY2lkOjU1M2FjOGFjLTRkYjktNGVkMy04MjVjLTNhZTNiZjVkMzI3Yjo6dXNpZDoxY2E3OWZiNi0xYjIyLTRmOWItOGJiNi05YmU5NWNjMjA4NjMiLCJjdHgiOiJzbGFzLm5vdF9mb3JfZXh0ZXJuYWxfdXNlIiwiaXNzIjoic2xhcy9kZXYvc2xzYV9kZXYiLCJpc3QiOjEsImF1ZCI6ImNvbW1lcmNlY2xvdWQvZGV2L3Nsc2FfZGV2IiwibmJmIjoxNTk0NzY0MDgwLCJzdHkiOiJVc2VyIiwiaXNiIjoidWlkbzpzbGFzOjp1cG46R3Vlc3Q6OnVpZG46R3Vlc3QgVXNlciIsImV4cCI6MTU5NDc2NTkxMCwiaWF0IjoxNTk0NzY0MTEwLCJqdGkiOiJDMkMxNjM0NTE0NTEwLTE3MTQzMTg2NzY0MjcwNTcyNjQ2NTYxMzgifQ.UVYAsWXCn3hoUPy8vLlc7O96RZEHD3N3ZgdNH-ZVvJ1G-R6uJ2VPrYvwKmYXF41Ujm2bo83AYOHVqEEEPT8Kgw
      responses:
        '200':
          description: Claims returned successfully.
          content:
            application/json:
              schema:
                type: string
              examples:
                getUserInfoSuccess:
                  $ref: '#/components/examples/getUserInfoSuccess'
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingAccessToken400:
                  $ref: '#/components/examples/BadOrMissingAccessToken400'
        '500':
          description: Internal server error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InternalServerError500:
                  $ref: '#/components/examples/InternalServerError500'
  /organizations/{organizationId}/oauth2/.well-known/openid-configuration:
    get:
      summary: |
        Return a JSON listing of the OpenID/OAuth endpoints, supported scopes and claims, public keys used to sign the tokens, and other details.

        For performance purposes, the `/.well-known/openid-configuration` endpoint is rate limited to 25 call per minute.
      description: This endpoint provides OpenID Connect discovery information in a standardized format. It allows clients to programmatically discover SLAS capabilities, including available endpoints, supported authentication flows, token signing algorithms, and other configuration details. This information helps clients integrate with the authentication service with minimal manual configuration.
      operationId: getWellknownOpenidConfiguration
      parameters:
        - $ref: '#/components/parameters/organizationId'
      responses:
        '200':
          description: The JSON listing information was returned successfully.
          content:
            application/json:
              schema:
                type: string
              examples:
                getWellknownOpenidConfigurationSuccess:
                  $ref: '#/components/examples/getWellknownOpenidConfigurationSuccess'
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                MalformedTenantId400:
                  $ref: '#/components/examples/MalformedTenantId400'
        '500':
          description: Internal server error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InternalServerError500:
                  $ref: '#/components/examples/InternalServerError500'
  /organizations/{organizationId}/oauth2/jwks:
    get:
      summary: Retrieve JWKS keys.
      description: |
        The `/jwks` endpoint provides a JSON Web Key Set (JWKS) that includes current, past, and future public keys. These keys allow clients to validate the Shopper JSON Web Token (JWT) issued by SLAS, ensuring that no tampering with the token has occurred. Every SLAS JWT that is passed into SLAS, SCAPI, or OCAPI is always validated and is rejected if the signature validation does not match.

        To optimize performance, the `/jwks` endpoint is limited to 25 calls per minute, so we recommended caching the JWKS keys and refresh them only when necessary, instead of making frequent requests. Typically, the JWKs endpoint can be used once per DAY.

        For additional information on using JWKS, see https://developer.salesforce.com/docs/commerce/commerce-api/guide/slas-validate-jwt-with-jwks.html.
      operationId: getJwksUri
      parameters:
        - $ref: '#/components/parameters/organizationId'
      responses:
        '200':
          description: The response body containing the JWKS keys was retrieved successfully.
          content:
            application/json:
              schema:
                type: object
              examples:
                getJwksSuccess:
                  $ref: '#/components/examples/getJwksSuccess'
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                getJwksUri400:
                  $ref: '#/components/examples/MalformedTenantId400'
        '500':
          description: Internal Server Error
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                InternalServerError500:
                  $ref: '#/components/examples/InternalServerError500'
  /organizations/{organizationId}/oauth2/webauthn/register/authorize:
    post:
      summary: Authorize user for WebAuthn registration
      description: "Authorizes a user to register a WebAuthn credential (passkey). This endpoint validates the user's \ncredentials and creates a password action token that can be used to start the registration process.\nThe token is sent to the user via the specified channel (email or SMS).\n\nThe SLAS client must have the `sfcc.pwdless_login` scope to access this endpoint."
      operationId: authorizeWebauthnRegistration
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: Authorization
          in: header
          description: 'Base64-encoded string for HTTP Basic authentication. The string is composed of a client ID and client secret, separated by a colon (`:`). For example: `clientId:clientSecret`.'
          required: false
          schema:
            type: string
            example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/PasswordActionRequest'
        required: true
      responses:
        '204':
          description: User successfully authorized for WebAuthn registration. TOTP sent to user.
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingClientId400:
                  $ref: '#/components/examples/BadOrMissingClientId400'
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
  /organizations/{organizationId}/oauth2/webauthn/register/start:
    post:
      summary: Start WebAuthn registration
      description: |
        Starts the WebAuthn registration process by generating credential creation options.
        Returns the challenge and other parameters needed by the authenticator to create a new credential.

        The SLAS client must have the `sfcc.pwdless_login` scope to access this endpoint.
      operationId: startWebauthnUserRegistration
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: Authorization
          in: header
          description: 'Base64-encoded string for HTTP Basic authentication. The string is composed of a client ID and client secret, separated by a colon (`:`). For example: `clientId:clientSecret`.'
          required: false
          schema:
            type: string
            example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/RegistrationStartRequest'
            examples:
              registrationStartRequest:
                value:
                  client_id: 12345678-1234-1234-1234-123456789012
                  pwd_action_token: '12345678'
                  user_id: user@example.com
                  channel_id: RefArch
                  display_name: John Doe
                  nick_name: My iPhone
      responses:
        '200':
          description: Registration options successfully generated.
          content:
            application/json:
              schema:
                type: object
              examples:
                startWebauthnUserRegistrationSuccess:
                  $ref: '#/components/examples/startWebauthnUserRegistrationSuccess'
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingClientId400:
                  $ref: '#/components/examples/BadOrMissingClientId400'
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
  /organizations/{organizationId}/oauth2/webauthn/register/finish:
    post:
      summary: Finish WebAuthn registration
      description: |
        Completes the WebAuthn registration process by verifying the credential created by the authenticator.
        Stores the public key and credential information for future authentication.

        The SLAS client must have the `sfcc.pwdless_login` scope to access this endpoint.
      operationId: finishWebauthnUserRegistration
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: Authorization
          in: header
          description: 'Base64-encoded string for HTTP Basic authentication. The string is composed of a client ID and client secret, separated by a colon (`:`). For example: `clientId:clientSecret`.'
          required: false
          schema:
            type: string
            example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RegistrationFinishRequest'
      responses:
        '204':
          description: Registration successfully completed
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingClientId400:
                  $ref: '#/components/examples/BadOrMissingClientId400'
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
  /organizations/{organizationId}/oauth2/webauthn/authenticate/start:
    post:
      summary: Start WebAuthn authentication
      description: |
        Starts the WebAuthn authentication process by generating credential request options.
        Returns the challenge and allowed credentials for the user to authenticate with.

        The SLAS client must have the `sfcc.pwdless_login` scope to access this endpoint.
      operationId: startWebauthnAuthentication
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: Authorization
          in: header
          description: 'Base64-encoded string for HTTP Basic authentication. The string is composed of a client ID and client secret, separated by a colon (`:`). For example: `clientId:clientSecret`.'
          required: false
          schema:
            type: string
            example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/AuthenticateRequest'
            examples:
              authenticateRequest:
                value:
                  tenant_id: zzte_053
                  client_id: 12345678-1234-1234-1234-123456789012
                  channel_id: RefArch
                  user_id: user@example.com
      responses:
        '200':
          description: Authentication options successfully generated
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PublicKeyCredentialRequestOptions'
              examples:
                webauthnAuthenticationStartSuccess:
                  $ref: '#/components/examples/webauthnAuthenticationStartSuccess'
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingClientId400:
                  $ref: '#/components/examples/BadOrMissingClientId400'
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
        '404':
          description: Not Found
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                UserNotFound404:
                  $ref: '#/components/examples/UserNotFound404'
  /organizations/{organizationId}/oauth2/webauthn/authenticate/finish:
    post:
      summary: Finish WebAuthn authentication
      description: |
        Completes the WebAuthn authentication process by verifying the assertion from the authenticator.
        Returns OAuth tokens upon successful authentication.

        The SLAS client must have the `sfcc.pwdless_login` scope to access this endpoint.
      operationId: finishWebauthnAuthentication
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - name: Authorization
          in: header
          description: 'Base64-encoded string for HTTP Basic authentication. The string is composed of a client ID and client secret, separated by a colon (`:`). For example: `clientId:clientSecret`.'
          required: false
          schema:
            type: string
            example: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthenticateFinishRequest'
      responses:
        '200':
          description: Authentication successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthenticateResult'
              examples:
                webauthnAuthenticationFinishSuccess:
                  $ref: '#/components/examples/webauthnAuthenticationFinishSuccess'
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingClientId400:
                  $ref: '#/components/examples/BadOrMissingClientId400'
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
  /organizations/{organizationId}/oauth2/webauthn/passkey/user/{loginId}:
    get:
      summary: Retrieve passkey user information and credentials by login ID
      description: "This endpoint retrieves a user's WebAuthn passkey information including all associated credentials. \nIt returns the user's profile information along with a list of all registered passkey credentials.\n\nThe SLAS client must have the `sfcc.pwdless_login` scope to access this endpoint.\n\nThis endpoint requires Shopper JWT authentication. "
      operationId: getPasskeyUserByLoginId
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - $ref: '#/components/parameters/channel_id'
        - name: loginId
          in: path
          description: The login ID (username) of the user whose passkey information is being retrieved
          required: true
          schema:
            type: string
            minLength: 1
            maxLength: 256
            example: user@example.com
        - name: Authorization
          in: header
          description: Shopper JWT access token
          required: true
          schema:
            type: string
            minLength: 1
            maxLength: 4096
            example: Bearer eyJ2ZXIiOiIxLjAiLCJraWQiOiI0ZTQyNTFkOS0zM2Y2LTRjMTMtYjZmZC1mOWJkNTJmYTZhNDciLCJ0eXAiOiJqd3QiLCJjbHYiOiJKMi4xLjAiLCJhbGciOiJFUzI1NiJ9...
      responses:
        '200':
          description: The passkey user information and credentials were retrieved successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PasskeyUser'
              examples:
                getPasskeyUserByLoginIdSuccess:
                  $ref: '#/components/examples/getPasskeyUserByLoginIdSuccess'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingLoginId400:
                  value:
                    error: invalid_request
                    error_description: The login ID is missing or invalid.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '403':
          description: Forbidden - token validation failed
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                TokenMismatch403:
                  value:
                    error: forbidden
                    error_description: The loginId, organizationId, or channel_id in the token does not match the request parameters.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '404':
          description: Not found
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                PasskeyUserNotFound404:
                  value:
                    error: not_found
                    error_description: No passkey user found with the provided login ID.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
      security:
        - ShopperToken:
            - sfcc.pwdless_login
    delete:
      summary: Delete passkey user and all associated credentials
      description: "This endpoint deletes a user's WebAuthn passkey information and all associated credentials.\nThe endpoint validates the Shopper JWT signature and ensures that the loginId, organizationId, \nand channel_id in the token match the values in the path and query parameters.\n\nThe SLAS client must have the `sfcc.pwdless_login` scope to access this endpoint.\n\nThis endpoint requires Shopper JWT authentication. "
      operationId: deletePasskeyUser
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - $ref: '#/components/parameters/channel_id'
        - name: loginId
          in: path
          description: The login ID (username) of the user whose passkey information is being deleted
          required: true
          schema:
            type: string
            minLength: 1
            maxLength: 256
            example: user@example.com
        - name: Authorization
          in: header
          description: Shopper JWT access token
          required: true
          schema:
            type: string
            minLength: 1
            maxLength: 4096
            example: Bearer eyJ2ZXIiOiIxLjAiLCJraWQiOiI0ZTQyNTFkOS0zM2Y2LTRjMTMtYjZmZC1mOWJkNTJmYTZhNDciLCJ0eXAiOiJqd3QiLCJjbHYiOiJKMi4xLjAiLCJhbGciOiJFUzI1NiJ5...
      responses:
        '204':
          description: The passkey user and all credentials were deleted successfully.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingLoginId400:
                  value:
                    error: invalid_request
                    error_description: The login ID is missing or invalid.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '403':
          description: Forbidden - token validation failed
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                TokenMismatch403:
                  value:
                    error: forbidden
                    error_description: The loginId, organizationId, or channel_id in the token does not match the request parameters.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '404':
          description: Not found
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                PasskeyUserNotFound404:
                  value:
                    error: not_found
                    error_description: No passkey user found with the provided login ID.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
      security:
        - ShopperToken:
            - sfcc.pwdless_login
  /organizations/{organizationId}/oauth2/webauthn/passkey/user/{loginId}/credentials/{credentialId}:
    delete:
      summary: Delete a specific passkey credential
      description: "This endpoint deletes a specific WebAuthn passkey credential for a user.\nThe endpoint validates the Shopper JWT signature and ensures that the loginId, organizationId, \nand channel_id in the token match the values in the path and query parameters.\n\nThe SLAS client must have the `sfcc.pwdless_login` scope to access this endpoint.\n\nThis endpoint requires Shopper JWT authentication. "
      operationId: deletePasskeyCredential
      parameters:
        - $ref: '#/components/parameters/organizationId'
        - $ref: '#/components/parameters/channel_id'
        - name: loginId
          in: path
          description: The login ID (username) of the user whose passkey credential is being deleted
          required: true
          schema:
            type: string
            minLength: 1
            maxLength: 256
            example: user@example.com
        - name: credentialId
          in: path
          description: The unique identifier of the credential to delete
          required: true
          schema:
            type: string
            minLength: 1
            maxLength: 1024
            example: Y3JlZGVudGlhbElkMTIz
        - name: Authorization
          in: header
          description: Shopper JWT access token
          required: true
          schema:
            type: string
            minLength: 1
            maxLength: 4096
            example: Bearer eyJ2ZXIiOiIxLjAiLCJraWQiOiI0ZTQyNTFkOS0zM2Y2LTRjMTMtYjZmZC1mOWJkNTJmYTZhNDciLCJ0eXAiOiJqd3QiLCJjbHYiOiJKMi4xLjAiLCJhbGciOiJFUzI1NiJ5...
      responses:
        '204':
          description: The passkey credential was deleted successfully.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '400':
          description: Bad request
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                BadOrMissingParameter400:
                  value:
                    error: invalid_request
                    error_description: The login ID or credential ID is missing or invalid.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                Unauthorized401:
                  $ref: '#/components/examples/InvalidClient401'
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '403':
          description: Forbidden - token validation failed
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                TokenMismatch403:
                  value:
                    error: forbidden
                    error_description: The loginId, organizationId, or channel_id in the token does not match the request parameters.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
        '404':
          description: Not found
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Oauth2ErrorResponse'
              examples:
                PasskeyCredentialNotFound404:
                  value:
                    error: not_found
                    error_description: No passkey credential found with the provided credential ID.
          headers:
            X-RateLimit-1M-Limit:
              description: The 1 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-1M-Remaining:
              description: The 1 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-1M-Reset:
              description: The 1 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
            X-RateLimit-5M-Limit:
              description: The 5 minute maximum number of requests permitted per hour.
              schema:
                type: string
            X-RateLimit-5M-Remaining:
              description: The 5 minute number of requests remaining in the current rate limit window.
              schema:
                type: string
            X-RateLimit-5M-Reset:
              description: The 5 minute time at which the current rate limit window resets in UTC epoch seconds.
              schema:
                type: string
      security:
        - ShopperToken:
            - sfcc.pwdless_login
components:
  securitySchemes:
    ShopperToken:
      type: oauth2
      description: "ShopperToken authentication follows the authorization code grant flow, as defined by the OAuth 2.1 standard. Depending on the type of OAuth client (public or private), this authorization flow has further requirements. \nFor a detailed description of the authorization flow, see the [SLAS overview](https://developer.salesforce.com/docs/commerce/commerce-api/references?meta=shopper-login:Summary).\nA shopper token allows you to access the Shopper API endpoints of both OCAPI and the B2C Commerce API. These endpoints can be used to build headless storefronts and other applications.\nThe `ShopperToken` security scheme is a parent of other security schemes, such as `ShopperTokenTsob`. A Shopper API endpoint can require a specific child scheme (`ShopperTokenTsob`, for example) that cannot be accessed with a regular shopper token.\n"
      flows:
        clientCredentials:
          tokenUrl: https://{shortCode}.api.commercecloud.salesforce.com/shopper/auth/v1/organizations/{organizationId}/oauth2/token
          scopes:
            sfcc.pwdless_login: Passwordless Login scope
            sfcc.session_bridge: Session Bridge scope
            sfcc.ta_ext_on_behalf_of: Trusted Agent External On Behalf Of scope
            sfcc.ts_ext_on_behalf_of: Trusted System External On Behalf Of scope
        authorizationCode:
          authorizationUrl: https://{short-code}.api.commercecloud.salesforce.com/shopper/auth/v1/organizations/{organizationId}/oauth2/authorize
          tokenUrl: https://{short-code}.api.commercecloud.salesforce.com/shopper/auth/v1/organizations/{organizationId}/oauth2/token
          scopes:
            sfcc.pwdless_login: Passwordless Login scope
            sfcc.session_bridge: Session Bridge scope
            sfcc.ta_ext_on_behalf_of: Trusted Agent External On Behalf Of scope
            sfcc.ts_ext_on_behalf_of: Trusted System External On Behalf Of scope
  schemas:
    OrganizationId:
      description: An identifier for the organization the request is being made by
      example: f_ecom_zzxy_prd
      type: string
      minLength: 1
      maxLength: 32
    ResponseType:
      type: string
      description: Response Type
      enum:
        - code
      example: code
    LoginRequest:
      type: object
      required:
        - redirect_uri
        - channel_id
      description: |-
        Supports multiple custom parameters to invoke hooks in B2C Commerce API. Multiple custom parameters can be added. Use the `c_` prefix to distinguish custom query parameters from standard query parameters, for example: c_captcha=true
        If there is a validation error, a 400 Bad_Request with the details of the error is thrown.
      additionalProperties:
        title: Additional Property Support
        description: |-
          This type supports additional properties passed along with the defined properties of this API.
          To indicate that the properties were defined and expected to be handled as additional properties, they are expected to be prefixed with a `c_`.
          The type will reject any property that does not fit this pattern, only allowing additional properties beginning with the known prefix.
        example: c_trackingId
      properties:
        client_id:
          description: SLAS client ID. Required when the grant type is `authorization_code_pkce`.
          type: string
          maxLength: 40
          example: z99ec276-cg53-4g94-cf72-76f300c6778zc
        response_type:
          description: Must be `code`. Indicates that the client wants an authorization code (when the grant type is `authorization_code`).
          allOf:
            - $ref: '#/components/schemas/ResponseType'
        redirect_uri:
          description: "The URI to which the server redirects the browser after the user grants the authorization. The URI must be registered with the SLAS client. A variety of URI formats and wildcards for host are supported, but app links like airbnb:// or fb:// are not. Examples of supported URIs: \n\nExamples of supported URIs:\n  - `http://localhost:3000/callback`\n  - `https://example.com/callback`\n  - `com.example.app:redirect_uri_path`\n  - ` *.subdomain.topleveldomain.com`\n"
          maxLength: 256
          type: string
          example: http://localhost:3000/callback
        state:
          description: Value to be sent by the client to determine the state between the authorization request and the server response. Optional, but strongly recommended.
          type: string
          maxLength: 512
          example: client-state
        scope:
          description: Scopes to limit an application's access to a user's account.
          type: string
          maxLength: 256
          example: openid|offline_access|email
        usid:
          description: The unique shopper ID.
          type: string
          maxLength: 128
          example: 18cda486-fe32-4e27-888b-6e4f89938e67
        channel_id:
          description: The channel that the request is for. For a B2C Commerce request, this is angalous to the site ID.
          type: string
          maxLength: 100
          example: RefArch
        code_challenge:
          description: |-
            PKCE code verifier. Created by the client calling the `login` endpoint.

            The `code_challenge` is created by SHA256 hashing the `code_verifier` and Base64 encoding the resulting hash.

            The `code_verifier` should be a high entropy cryptographically random string with a minimum of 43 characters and a maximum of 128 characters.

            The `code_challenge` is optional when using a private client id for the token request.
          type: string
          minLength: 43
          maxLength: 128
          example: krc5G3_5lRUcXDUzFZQ88oJA_-ZmlHWkyGsgOrSLEWg
    Oauth2ErrorResponse:
      required:
        - error
      type: object
      properties:
        error:
          type: string
          example: invalid_client
        error_uri:
          type: string
          example: https://api.commercecloud.salesforce.com/documentation/error/v1/errors/oauth-service
        error_description:
          type: string
          example: Missing access token or refresh token.
    PasswordlessLoginRequest:
      required:
        - channel_id
        - mode
        - user_id
      type: object
      properties:
        user_id:
          maxLength: 128
          type: string
          description: User ID for logging in.
          example: samantha.sampleson@example.com
        mode:
          type: string
          description: Password Action delivery modes
          enum:
            - callback
            - sms
            - email
        locale:
          type: string
          description: The locale of the template. Required when the mode is `email` or `sms`.
          example: en-us
        usid:
          type: string
          description: The shopper's unique identifier, if known. If not provided, a new USID is generated.
          example: 18cda486-fe32-4e27-888b-6e4f89938e67
        channel_id:
          maxLength: 100
          type: string
          description: The channel (B2C Commerce site) that the user is associated with.
          example: RefArch
        callback_uri:
          type: string
          description: |-
            The callback URI. Required when the mode is `callback`. The `callback_uri` property will be validated against the callback URIs that have been registered with the SLAS client. The callback URI _must_ be a `POST` endpoint because the token will be included in the body.

            Wildcards are not allowed in the callback_uri because this is a security risk that can expose the token. This is not considered an OAuth2 callback_url.
          example: http://localhost:9050/passwordless/login/callback
        last_name:
          maxLength: 100
          type: string
          description: "The user's last name. Required when `register_customer` is `true`. \nThe `last_name` parameter is not used when `register_customer` parameter is not added or is `false`."
          example: Sampleson
        email:
          maxLength: 128
          type: string
          description: "The user's email address. Required when `register_customer` is `true` and `user_id` is not an email address. \nThe `email` parameter is not used when `register_customer` parameter is not added or is `false`."
          example: samantha.sampleson@example.com
        first_name:
          maxLength: 100
          type: string
          description: "The user's first name. Optional when `register_customer` is `true`. \nThe `first_name` parameter is not used when `register_customer` parameter is not added or is `false`."
          example: Samantha
        phone_number:
          maxLength: 48
          type: string
          description: "The user's phone number. Optional when `register_customer` is `true`. \nThe `phone_number` parameter is not used when `register_customer` parameter is not added or is `false`."
          example: 17776665555
        customer_no:
          maxLength: 100
          type: string
          description: "The customer number assigned to the shopper profile when `register_customer` is set to `true`. \nIf the `customer_no` already exists, the request fails. \nThe `customer_no` parameter is optional and only used when `register_customer` is set to `true`."
          example: 123456789
      description: A request for a passwordless login token. This is only available for registered users using B2C Commerce.
    TokenType:
      type: string
      description: Token Type
      enum:
        - Bearer
      example: Bearer
    TokenResponse:
      required:
        - access_token
        - customer_id
        - enc_user_id
        - expires_in
        - id_token
        - idp_access_token
        - refresh_token
        - refresh_token_expires_in
        - token_type
        - usid
      type: object
      properties:
        access_token:
          type: string
          description: |-
            Short term shopper JWT that can be used to access Shopper APIs. Valid for 30 minutes.

            A trusted agent shopper JWT is valid for 15 min.
          example: eyJ2ZXIiOiIxLjAiLCJraWQiOiJTTEFTIiwidHlwIjoiand0IiwiY2x2IjoiSjIuMS4wIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJjb3JlL2Rldi9idGluZ2V5bHRtMiIsImF1dCI6IkdVSUQiLCJzdWIiOiJ1c2lkOjo1NGFkMmM1YS05MWYwLTQ0YWItODE3Yy03M2Q2Yjg2ODcyZDk6OnVwbjpndWVzdCIsIm5iZiI6MTU4Mjg0NTYyNCwiY3R4Ijoic2ZkYy5jb21tZXJjZWNsb3VkIiwiaXNzIjoiY29yZS9kZXYvYnRpbmdleWx0bTIiLCJzdHkiOiJVc2VyIiwiaXN0IjoxLCJleHAiOjE1ODI4NDU3NDQsImlhdCI6MTU4Mjg0NTY1NCwianRpIjoiQzJDOTA0ODg2NDA3MDkwNDg4NjQwNzMyMjExNzQ1ODEyMTQzIn0.2a6lMBSY17PrhDO8pvEk7PCXW_nkguMHi4J-Tuirkz-ETB6rnKyuRjF5yD6B55tMvm8dO8ulAHyDYqjObMxLJg
        id_token:
          type: string
          description: User ID token. Valid for 30 minutes.
          example: eyJraWQiOiI3NGU2YjMxZS1lYTczLTQ3OTYtOWRkYi1jMDJmZGI4ZDgwYmUiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2lkOmQ1MDBhMzY5LTc1MWQtNDkzYy1iNDAzLThmOThmYjg3MTdiNiIsImF1ZCI6IjU1M2FjOGFjLTRkYjktNGVkMy04MjVjLTNhZTNiZjVkMzI3YiIsImlzcyI6ImRldi51cy5zaG9wcGVyLmNjLnNhbGVzZm9yY2UuY29tIiwibmFtZSI6ImJsYWlyLnNsYXMudGVzdEBnbWFpbC5jb20iLCJleHAiOjE1OTExMTE0MzgsImlhdCI6MTU5MTEwOTYzOCwiZW1haWwiOiJibGFpci5zbGFzLnRlc3RAZ21haWwuY29tIn0.KgpAcq-G9Lz7IGnjkJlaFLFXYncVCwcVrRIuy3bEfgzRozqaDRvAori4oOz4RtgYjmoc5x2euoisHL0mVnHgPKOdYBty1wTJqneJEQt6hP4Kp0KFciID_ILCi-DE8VWS5t0NknnMP_iKhIkqcRL48iwPFUWkWA6AEWxE_yvJLNRLithsSxsx7EfBfpD8Hr2b5tMEwImQNmJNYGRTI4LSmcYspBORvJoAnfGpMC0kglxl40bhf5j4ItX4_DiWQC4zaGYD-HJV4BDr6C7iGCs5ZVPypF0yQD3iBio26fwj9Ys5WF9XMtPtqET2kqsz6fDC5GkE6HTUHH_r87jxbDq-8w
        refresh_token:
          type: string
          description: "Long term refresh token that can be used to refresh an access token. Valid for 30 days. \n\nThe refresh_token will not be returned for trusted agents JWTs. A JWT for trusted agents expires after 15 minutes and is not refreshable. When expired, then app must restart the authorization flow and make another request to the /trusted-agent/authorize endpoint."
          example: EgMYpjfFKdlSy-a3PYeyihmP95IpIp3FaDpPmVH1yu8.lahomBi7zJbRa6yKAuAAiKu3lprTPsEueKwqcBvhRLU
        expires_in:
          type: integer
          description: Remaining access token expiry time, in seconds.
          example: 900
        refresh_token_expires_in:
          type: number
          description: Remaining refresh token expiry time, in seconds.
          example: 2592000
        token_type:
          $ref: '#/components/schemas/TokenType'
        usid:
          type: string
          description: The unique shopper ID. Returned when using the `client_credentials` grant type.
          example: 18cda486-fe32-4e27-888b-6e4f89938e67
        customer_id:
          type: string
          description: Customer's ID
          example: 1000005
        enc_user_id:
          type: string
          description: MD5 Hashed B2C Commerce user ID in uppercase.
          example: 45D39A8499A95288F82855427EBA99B5
        idp_access_token:
          maxLength: 8192
          type: string
          description: This is the access token that is returned from the IDP. The IDP access token is returned to be able to make calls into the IDP outside of SLAS.
          example: eyJraWQiOiJYS21HbHVuSm0zSlBTMHNjQXZXV19XQlYtRi1wMkxLSDR0V05UMHVVSjVJIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjFMY0xxTWhqM2t0N1FKeFhxQ0VtdGZOOVV2eUcweW1meDFxZG9BdzF1NWMub2FyeXhveHF0QUtxaVFMbkM1ZDYiLCJpc3MiOiJodHRwczovL2Rldi05NTY1MjM2Lm9rdGEuY29tIiwiYXVkIjoiaHR0cHM6Ly9kZXYtOTU2NTIzNi5va3RhLmNvbSIsInN1YiI6Im9rdGEuc2xhcy50ZXN0IiwiaWF0IjoxNjc5Njk4MzA4LCJleHAiOjE2Nzk3MDE5MDgsImNpZCI6IjBvYTJrNXNma0JXZ0poTEVHNWQ2IiwidWlkIjoiMDB1MzhxZGpuU2NMT0IxbXE1ZDYiLCJzY3AiOlsib2ZmbGluZV9hY2Nlc3MiLCJvcGVuaWQiLCJlbWFpbCIsInByb2ZpbGUiXSwiYXV0aF90aW1lIjoxNjc5Njk4MzA2fQ.FDbGsnZGwTYVKGSlAo6jqcjG2HQ_BqQKRk72M5h69DRHyOM4wngsEELN_Wtgj3E77sP7IOmIKjiK5SFP17ADMbKZptVr2pqaMVF3PuU3Cbl_MgXZValfT-z12jHRq9sHMfsdTjY2RnvG44ZDFKc2no8mdL6IJ1MfCaZT5Tql5Ktq_UgudaWFsYqad3ETcmp5Y8ivz1bFnqud0sO9D9JzYOtfd9h71JKcsSC2rXc_Si-INPKKaGl8CDgaLXxu_Am9twJpUenHLpy0BerhcVvdFz7_611E53xOT_Esrc1pe-XAZtlYsJFnhxTBDT342ukiSWk2m6juVappv1GsRfUf2g
        idp_refresh_token:
          maxLength: 128
          type: string
          description: This is the refresh token that is returned from the IDP. The IDP refresh token is returned to be able to make calls into the IDP outside of SLAS.
          example: EgMYpjfFKdlSy-a3PYeyihmP95IpIp3FaDpPmVH1yu8.lahomBi7zJbRa6yKAuAAiKu3lprTPsEueKwqcBvhRLU
        dnt:
          maxLength: 5
          type: string
          description: Do not track
          example: true
    GrantType:
      type: string
      description: Grant Type
      enum:
        - authorization_code
        - refresh_token
        - client_credentials
        - authorization_code_pkce
        - session_bridge
      example: authorization_code
    TokenRequest:
      required:
        - grant_type
      type: object
      properties:
        refresh_token:
          maxLength: 256
          type: string
          description: The long-term token used to refresh the short term access token. Required only with a grant type of `refresh_token`.
        code:
          maxLength: 256
          type: string
          description: Authorization code from the OAuth 2.1 service received in the front channel that is used to get access tokens and refresh tokens. Required with a grant type of `authorization_code` and `session_bridge`.
          example: M0t1K0pyoFKhBpUZnuUYO07xf8iYyMJrAc7h31h_ra8.gglPClJHsofqdTm_yPe5n6m2yCXzFmD8qICwIEjQGVA
        usid:
          type: string
          description: The shopper's unique identifier, if known. If not provided, a new USID is generated.
          example: 54ad2c5a-91f0-44ab-817c-73d6b86872d9
        grant_type:
          $ref: '#/components/schemas/GrantType'
        redirect_uri:
          maxLength: 256
          type: string
          description: "The redirect URI that was used when getting the authorization code. A variety of URI formats and wildcards for host are supported, but app links like `airbnb://` or `fb://` are not. \n\nExamples of supported URIs:\n  - `http://localhost:3000/callback`\n  - `https://example.com/callback`\n  - `com.example.app:redirect_uri_path`\n  - ` *.subdomain.topleveldomain.com`\n"
          example: http://localhost:3000/callback
        code_verifier:
          maxLength: 128
          type: string
          description: |-
            PKCE code verifier. Created by the client calling the `login` endpoint.

            The `code_verifier` should be a high entropy cryptographically random string with a minimum of 43 characters and a maximum of 128 characters.

            The `code_verifier` is optional when using a private client id for the token request.
        client_id:
          maxLength: 40
          type: string
          description: The SLAS client ID. Required when the grant type is `authorization_code_pkce`.
          example: z99ec276-cg53-4g94-cf72-76f300c6778zc
        channel_id:
          maxLength: 100
          type: string
          description: |-
            The channel (B2C Commerce site) that the user is associated with.

            **Important: We strongly recommended using the channel_id query parameter because it will be required in the future.

            **NOTE - As of July 31, 2024**, SLAS will be requiring the `channel_id` query parameter in token requests.
          example: RefArch
        dnt:
          type: string
          description: "This is an optional parameter to set `Do Not Track` for the session. \n\nSLAS is making this available, but will not be used by B2C Commerce until after the 24.4 release.\n\nValues are:\n  * `false`\n  * `true`\n\nIf not added the `dnt` value will default to `false`."
          example: 'true'
    SessionBridgeTokenRequest:
      required:
        - channel_id
        - client_id
        - code
        - code_verifier
        - dwsid
        - grant_type
        - login_id
      type: object
      properties:
        code:
          maxLength: 256
          type: string
          description: Authorization code returned from session bridge authorization received in the front channel that is used to get session bridge access tokens and refresh tokens. Required with a grant type of `session_bridge`. The SLAS client must have the `sfcc.session_bridge` scope to request a session bridge token.
          example: M0t1K0pyoFKhBpUZnuUYO07xf8iYyMJrAc7h31h_ra8.gglPClJHsofqdTm_yPe5n6m2yCXzFmD8qICwIEjQGVA
        client_id:
          maxLength: 40
          type: string
          description: The SLAS public client ID for use with PKCE requests. This is a required parameter when using a public client.
          example: 6c388ebd-6843-4863-aef9-781382c9e8cd
        channel_id:
          maxLength: 100
          type: string
          description: The channel (B2C Commerce site) that the user is associated with.
          example: RefArch
        code_verifier:
          type: string
          description: |-
            PKCE code verifier. Created by the caller. This is a required parameter when using a public client.

            The `code_challenge` is created by SHA256 hashing the `code_verifier` and Base64 encoding the resulting hash.

            The `code_verifier` should be a high entropy cryptographically random string with a minimum of 43 characters and a maximum of 128 characters.
          example: Ar0lAwU_jsuA~ZXX8-JnMbZFxrnDot2OtgLEi1kOT_FxD6Bo0EQDbbrvoym9xHvatNGnNzrObLJeK6e4U9m4pveRMbdwNGa4jwiAlKGvijVn0PW0hqb03_w1gQE00wTo
        dwsid:
          type: string
          description: "Cookie passed back from the '/authorize' endpoint call for session bridge. This parameter is optional and not needed if using the `dwsgst` parameter.\n\n**DEPRECATED** - As of January 31, 2024, SLAS will no longer support the SESB `dwsid` parameter for `guest` users for `session-bridge/token` calls. It is recommended to transition over to using a SESB `dwsgst` token. \n\nThe `dwsid` will still be needed for `registered` user session-bridge/token calls."
          example: pATvWUO3KSdt-Kmcy-8-RsxKnoO4BMDwoec7ACVlW6tZNnhaOL7gt7mHqL-h7QYn5TyE61z0DeSMCqxngsWeHw==
        grant_type:
          type: string
          description: Grant Type
          enum:
            - authorization_code
            - refresh_token
            - client_credentials
            - authorization_code_pkce
            - session_bridge
        login_id:
          maxLength: 128
          type: string
          description: The ID of the shopper for session bridge access. If requesting a token for a guest user set login_id to `guest`.
          example: jack.shopper@example.com
        dwsgst:
          type: string
          description: Signed guest Json Web Token (JWT) that was obtained from B2C Commerce. This parameter is optional and not needed if using the guest `dwsid` parameter.
          example: eyJraWQiOiIxNjgxNTU5OTkxNzkwIiwiYWxnIjoiRVMyNTYifQ.eyJ0ZW5hbnRJZCI6IkJHVk5fUzA1IiwiZHdzaWQiOiJuWHRhckdNU2ZxbnBaSUNJUGFKTHJSWGZ6b2lWYXBBU3BBTFNfeFdUMV9QZjRBWDA0N1lMQ1dSUFByM1BiSEl4d2RaODFiVGZoM3M1Wlgza2NhOG0zZz09IiwiY3VzdG9tZXJJZCI6ImJjQXI5N2NuMm1ZdmhjMGhqTGsxYmFXSzRqIiwiaWF0IjoxNjg1MTI4NjM2LCJleHAiOjE2ODUxMjkyMzksImlzcyI6ImNvbW1lcmNlY2xvdWQvcHJvZHVjdGlvbi9iZ3ZuczA1IiwidmVycyI6IjEiLCJ0eXBlIjoiRyJ9.BGY4kyOXbQSzZxubE3BrSzhf8ByehGUfJa7_J2XRQ93xY4dAOhF_xbXcHmBaEUBUzSny-Cf0pATzEaSsKpTxkg
        dwsrst:
          type: string
          description: "Signed registered customer Json Web Token (JWT) that was obtained from B2C Commerce. This parameter is optional and not needed if using the registered user `dwsid` parameter. \n\n**NOTE:** The registered customer Json Web Token (JWT) will be available in ECOM versions 25.4 and higher."
          example: eyJraWQiOiIxNjMwOTM5MzAyODE0IiwiYWxnIjoiRVMyNTYifQ.eyJmbmFtZSI6Ikx1a2UiLCJkd3NpZCI6IkdkWWpSQjViZGVpU0xkb3Ixdy15QzRTZ1l3dDJHYl9Ec255OG5nZ2I3c0VDajVMWndnT0ZJWTZsa21sNlVRMXZoazl1SDVJUGxMek5rZTJhNTV2YU9nPT0iLCJ2ZXJzIjoiMiIsImlzcyI6InNsYXMvZGV2L2Jndm5fc3RnIiwidHlwZSI6IlIiLCJsbmFtZSI6IlNreXdhbGtlciIsInJjdXN0b21lcklkIjoiOGgzNHh6dDQxOTVpOHA1MmE2ejAzczIxNDgiLCJwaG9uZSI6bnVsbCwidGVuYW50SWQiOiJiZ3ZuX3N0ZyIsImN1c3RvbWVySWQiOiI0OHB1eXA4dTdmMmM5NHgzMTUxeDA4bGEweiIsImV4cCI6MTczNTE1NDQ4NiwiaWF0IjoxNzMyNTYyNDg2LCJlbWFpbCI6Imx1a2Uuc2t5d2Fsa2VyQG5hYm9vLm9yZyJ9.Q2nF0wuEl1X7aVZ-ycCwxDjjmq5toJred5AEDqKXXjj89BY_0HIQoAEMbx9UDqOmhjdBkxN4idVzYVoXcl0c2A
        usid:
          type: string
          description: The unique shopper ID. Returned when from session bridge authorization.
          example: 18cda486-fe32-4e27-888b-6e4f89938e67
        dnt:
          type: string
          description: "This is an optional parameter to set `Do Not Track` for the session. \n\nSLAS is making this available, but will not be used by B2C Commerce until after the 24.4 release.\n\nValues are:\n  * `false`\n  * `true`\n\nIf not added the `dnt` value will default to `false`."
          example: 'true'
    TrustedSystemTokenRequest:
      required:
        - channel_id
        - client_id
        - grant_type
        - hint
        - idp_origin
        - login_id
      type: object
      properties:
        usid:
          type: string
          description: The shopper's unique identifier, if known. If not provided, a new USID is generated.
          example: 54ad2c5a-91f0-44ab-817c-73d6b86872d9
        grant_type:
          type: string
          description: Grant Type
          enum:
            - authorization_code
            - refresh_token
            - client_credentials
            - authorization_code_pkce
            - session_bridge
        hint:
          type: string
          description: Type of system used for Trusted System On Behalf of requests.
          enum:
            - ts_ext_on_behalf_of
        login_id:
          maxLength: 128
          type: string
          description: "The ID used by the shopper for trusted system access. \n\nIf set to `guest`, a token is returned for a guest user."
          example: samantha.sampleson@example.com
        idp_origin:
          type: string
          description: IDPs that work with SLAS. Use `ecom` when using B2C Commerce is the identity provider.
          enum:
            - apple
            - auth0
            - azure
            - azure_adb2c
            - cognito
            - default
            - ecom
            - facebook
            - forgerock
            - gigya
            - gigya_socialize
            - google
            - okta
            - ping
            - salesforce
        client_id:
          maxLength: 40
          type: string
          description: The SLAS public client ID for use with trusted-system requests.
          example: 6c388ebd-6843-4863-aef9-781382c9e8cd
        channel_id:
          maxLength: 100
          type: string
          description: The channel (ECOM site) that the user is associated with.
          example: RefArch
        email_id:
          maxLength: 128
          type: string
          description: The email address for the shopper that is used for trusted-system requests. If not provided, `login_id` is used instead.
          example: samantha.sampleson@example.com
        dnt:
          type: string
          description: |-
            This is an optional parameter to set `Do Not Track` for the session.

            SLAS is making this available, but will not be used by B2C Commerce until after the 24.4 release.

            Values are:
              * `false`
              * `true`

            If not added the `dnt` value will default to `false`.

            Note: The default value for `dnt` is set to `false` for SLAS token requests except for Trusted Agent token request. For Trusted Agent token requests the default value for `dnt` is `true`.
          example: 'true'
      description: A request for an access token on behalf of a registered user whose credentials are stored using a third party system.
    TrustedAgentTokenRequest:
      required:
        - channel_id
        - client_id
        - code_verifier
        - grant_type
        - idp_origin
        - login_id
      type: object
      properties:
        agent_id:
          maxLength: 40
          type: string
          description: |-
            The ID of the merchant. If passed in, the `agent_id` will be validated using the SUB claim in the response from Account Manager.

            This is an optional parameter unless the request is for a Trusted Agent on Behalf then `agent_id` is required.
          example: merchant@example.com
        client_id:
          maxLength: 40
          type: string
          description: |-
            The SLAS public client ID or SLAS private client ID for use with trusted-system requests.

            The `client_id` is not needed if a using a SLAS private `client_id` and the `_sfdc_client_auth` header.
          example: 6c388ebd-6843-4863-aef9-781382c9e8cd
        channel_id:
          maxLength: 100
          type: string
          description: The channel (B2C Commerce site) that the user is associated with.
          example: RefArch
        code_verifier:
          type: string
          description: |-
            PKCE code verifier. Created by the caller.

            The `code_challenge` is created by SHA256 hashing the `code_verifier` and Base64 encoding the resulting hash.

            The `code_verifier` should be a high entropy cryptographically random string with a minimum of 43 characters and a maximum of 128 characters.

            The `code_verifier` is not needed if a using a SLAS private `client_id` and the `_sfdc_client_auth` header.
          example: Ar0lAwU_jsuA~ZXX8-JnMbZFxrnDot2OtgLEi1kOT_FxD6Bo0EQDbbrvoym9xHvatNGnNzrObLJeK6e4U9m4pveRMbdwNGa4jwiAlKGvijVn0PW0hqb03_w1gQE00wTo
        grant_type:
          type: string
          description: Grant Type
          enum:
            - authorization_code
            - refresh_token
            - client_credentials
            - authorization_code_pkce
            - session_bridge
        login_id:
          maxLength: 128
          type: string
          description: |-
            The ID is the shopper for trusted agent access.

            For TAOB Guest the `login_id` must be set to `Guest`.
          example: jack.shopper@example.com
        idp_origin:
          maxLength: 16
          type: string
          description: "The IDP that the user is associated with. \n\nFor TAOB Guest the `idp_origin` parameter should be `slas`. If set to any other IDP origin a 400 Bad Request will be returned."
          example: ecom
        usid:
          type: string
          description: The shopper's unique identifier, if known. If not provided, a new USID is generated.
          example: 54ad2c5a-91f0-44ab-817c-73d6b86872d9
        dnt:
          type: string
          description: "This is an optional parameter to set `Do Not Track` for the session. \n\nSLAS is making this available, but will not be used by B2C Commerce until after the 24.4 release.\n\nValues are:\n  * `false`\n  * `true`\n\n  If not added the `dnt` value will default to `true`\n\n  Note: The default value for `dnt` is set to `true` for all TAOB flows. This is opposite from other SLAS token requests."
          example: 'true'
        state:
          type: string
          description: "This is an optional parameter to set state for the trusted agent session. \n\nIf the `state` parameter is used it will be validated and a 400 Bad Request will be returned if missing or invalid.\n\nFor TAOB Guest you must pass the `state` parameter to transfer the state from the TAOB Guest authorization call to the token call. \nThe `state` parameter value is returned with the authorization code in the response url from the TAOB guest authorization call, \nfor example: `.../taob/callback?code=HETXpvg5LKBNIHjDTWkRrf2MLVU&state=taob.gst.7bc7fb7f-e646-44fd-bc73-dfd5c3c9019b`.\n\nYou would use `taob.gst.7bc7fb7f-e646-44fd-bc73-dfd5c3c9019b` for the `state` value in the TAOB request."
          example: taobgst.3ebdcbb6-ef87-4f41-8173-67728636e513
    PasswordActionRequest:
      required:
        - channel_id
        - mode
        - user_id
      type: object
      properties:
        user_id:
          maxLength: 128
          type: string
          description: User ID for logging in. This is the id that is used to log into SFCC.
          example: samantha.sampleson@example.com
        mode:
          type: string
          description: Password Action delivery modes
          enum:
            - callback
            - sms
            - email
        channel_id:
          type: string
          description: The channel (B2C Commerce site) that the user is associated with.
          example: RefArch
        locale:
          type: string
          description: The locale of the template. Required when the mode is `email` or `sms`.
          example: en-us
        client_id:
          maxLength: 40
          type: string
          description: |-
            -| The public client ID. Requires setting `grant_type` to `passwordless_login_pkce`.
            When using the `hint` query parameter either a public or private client ID can be used.
          example: 6b200ebd-7843-4073-aef9-792482c9e1de
        code_challenge:
          maxLength: 128
          minLength: 43
          type: string
          description: "PKCE code challenge. Created by the client.\n\nThe `code_challenge` is created by SHA256 hashing the `code_verifier` and Base64 encoding the resulting hash.\n\nThe `code_verifier` should be a high entropy cryptographically random string with a minimum of 43 characters and a maximum of 128 characters. \n\n Requires setting `grant_type` to `passwordless_login_pkce`"
          example: Nx_Vf0-0W6SpyRVBVTbl8VSu2OE4yD2fZNExW6N3V_Q
        callback_uri:
          type: string
          description: |
            The callback uri. Required when the mode is `callback`. The `callback_uri` property will be validated against the callback URIs that have been registered with the SLAS client. The callback URI _must_ be a `POST` endpoint because the token will be included in the body.

            Wildcards are not allowed in the callback_uri because this is a security risk that can expose the token. This is not considered an OAuth2 callback_url.
          example: http://localhost:9050/password/reset/callback
        idp_name:
          type: string
          description: The name of the 3rd party identity provider for the user ID
          example: okta
        hint:
          type: string
          description: Adding a `hint` query parameter with a value of `cross_device` will remove the need to have the code_challenge for password reset request. If the `hint` query parameter is used it must also be used in the password reset request.
          example: cross_device
      description: A request for a password reset token. This is only available for resgistered users using B2C Commerce.
    PasswordActionVerifyRequest:
      required:
        - channel_id
        - client_id
        - pwd_action_token
      type: object
      properties:
        client_id:
          maxLength: 40
          type: string
          description: |-
            -| The public client ID.
            When using the `hint` query parameter either a public or private client ID can be used.
          example: 6b200ebd-7843-4073-aef9-792482c9e1de
        pwd_action_token:
          type: string
          description: Password action token that was returned from the `/password/reset` endpoint.
          example: QJO3CA7QTPVCQ3OMROXF2MTDDED3EEC3
        code_verifier:
          type: string
          description: |-
            PKCE code verifier. Created by the client.

            The `code_challenge` is created by SHA256 hashing the `code_verifier` and Base64 encoding the resulting hash.

            The `code_verifier` should be a high entropy cryptographically random string with a minimum of 43 characters and a maximum of 128 characters.
          example: Ar0lAwU_jsuA~ZXX8-JnMbZFxrnDot2OtgLEi1kOT_FxD6Bo0EQDbbrvoym9xHvatNGnNzrObLJeK6e4U9m4pveRMbdwNGa4jwiAlKGvijVn0PW0hqb03_w1gQE00wTo
        new_password:
          type: string
          description: The new password to set for the shopper associated with the password action token.
          example: new_password
        channel_id:
          maxLength: 100
          type: string
          description: The channel that the request is for. For a B2C Commerce request, this is angalous to the site ID.
          example: RefArch
        hint:
          type: string
          description: Adding a `hint` query parameter with a value of `cross_device` will remove the need to have the code_verifier for password reset request. If the `hint` query parameter is used it must also have been used in the password action request.
          example: cross_device
        user_id:
          maxLength: 128
          type: string
          description: User ID for logging in. This is the id that is used to log into SFCC. Required only when hint is provided.
          example: samantha.sampleson@example.com
      description: A request for creating a new password using the password action token.
    PasswordLessLoginTokenRequest:
      required:
        - grant_type
        - hint
        - pwdless_login_token
      type: object
      properties:
        grant_type:
          type: string
          description: Grant Type
          enum:
            - authorization_code
            - refresh_token
            - client_credentials
            - authorization_code_pkce
            - session_bridge
        hint:
          type: string
          description: Passwordless hint. Use `pwdless_login`.
          example: pwdless_login
        pwdless_login_token:
          type: string
          description: Passwordless login token that was created from the user ID.
          example: QJO3CA7QTPVCQ3OMROXF2MTDDED3EEC3
        client_id:
          maxLength: 40
          type: string
          description: The public client ID.
          example: 6b200ebd-7843-4073-aef9-792482c9e1de
        code_verifier:
          type: string
          description: |-
            PKCE code verifier. Created by the client.

            The `code_challenge` is created by SHA256 hashing the `code_verifier` and Base64 encoding the resulting hash.

            The `code_verifier` should be a high entropy cryptographically random string with a minimum of 43 characters and a maximum of 128 characters.
          example: Ar0lAwU_jsuA~ZXX8-JnMbZFxrnDot2OtgLEi1kOT_FxD6Bo0EQDbbrvoym9xHvatNGnNzrObLJeK6e4U9m4pveRMbdwNGa4jwiAlKGvijVn0PW0hqb03_w1gQE00wTo
        login_id:
          maxLength: 128
          type: string
          description: |-
            The ID used by the shopper for password token request. When provided, login_id must exactly match the ID used during passwordless login.
            ex. If passwordless login used `samantha.sampleson@example.com`, but the passwordless login token request provides `sam.sampleson@example.com`, the request fails due to mismatch.
          example: samantha.sampleson@example.com
      description: A request for an access token using a passwordless token.
    TokenActionRequest:
      required:
        - token
      type: object
      properties:
        token:
          type: string
          description: Token to inspect or revoke.
          example: EgMYpjfFKdlSy-a3PYeyihmP95IpIp3FaDpPmVH1yu8.lahomBi7zJbRa6yKAuAAiKu3lprTPsEueKwqcBvhRLU
        token_type_hint:
          type: string
          description: Token Type Hint
          enum:
            - access_token
            - refresh_token
    RegistrationStartRequest:
      type: object
      description: |
        WebAuthn registration request. Inherits most fields from PasswordActionVerifyRequest
        but does NOT use code_verifier or new_password fields.
      required:
        - channel_id
        - pwd_action_token
        - user_id
      properties:
        client_id:
          type: string
          description: OAuth client identifier. Required if Authorization header is not provided.
          pattern: ^[A-Za-z0-9_-]+$
          minLength: 36
          maxLength: 36
          example: 12345678-1234-1234-1234-123456789012
        pwd_action_token:
          type: string
          description: Password action token (TOTP) received by the user.
          pattern: ^[0-9]{8}$
          example: '12345678'
        user_id:
          type: string
          description: The ID of the user.
          maxLength: 128
          example: user@example.com
        channel_id:
          type: string
          description: The ID of the channel.
          pattern: ^[A-Za-z0-9_-]+$
          maxLength: 100
          example: RefArch
        display_name:
          type: string
          description: Display name for the passkey.
          maxLength: 128
          example: John Doe
        nick_name:
          type: string
          description: Nickname for the credential.
          maxLength: 128
          example: My iPhone
    AuthenticatorAttestationResponseJson:
      type: object
      description: Authenticator response for registration (attestation).
      required:
        - clientDataJSON
        - attestationObject
      properties:
        clientDataJSON:
          description: Base64url-encoded client data JSON.
          type: array
          items:
            type: object
            properties:
              id:
                type: string
                format: byte
                example: eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiVjJGc2RHVnlJRmRvYVhSbElGUmxjM1FnUTJoaGJHeGxibWRsIiwib3JpZ2luIjoiaHR0cHM6Ly9leGFtcGxlLmNvbSJ9
        attestationObject:
          description: Base64url-encoded attestation object.
          type: array
          items:
            type: object
            properties:
              id:
                type: string
                format: byte
                example: o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVikSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAK3OAAI1vMYKZIsLJfHwVQMAIAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gpQECAyYgASFYIIGjL8Hs9Yz5LvVGBnGJlGYKbJZXLqLLnKLJKLJLKLJLIlgg
    AuthenticatorAssertionResponseJson:
      type: object
      description: Authenticator response for authentication (assertion).
      required:
        - authenticatorData
        - clientDataJSON
        - signature
      properties:
        authenticatorData:
          description: Base64url-encoded authenticator data
          type: array
          items:
            type: object
            properties:
              id:
                type: string
                format: byte
                example: SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MFAAAAAQ
        clientDataJSON:
          description: Base64url-encoded client data JSON.
          type: array
          items:
            type: object
            properties:
              id:
                type: string
                format: byte
                example: eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiVjJGc2RHVnlJRmRvYVhSbElGUmxjM1FnUTJoaGJHeGxibWRsIiwib3JpZ2luIjoiaHR0cHM6Ly9leGFtcGxlLmNvbSJ9
        signature:
          description: Base64url-encoded signature.
          type: array
          items:
            type: object
            properties:
              id:
                type: string
                format: byte
                example: MEYCIQDqwzerkQlKKLJKLJKLJKLJKLJKLJKLJKLJKLJKLJKLJAiEA
        userHandle:
          description: Base64url-encoded user handle.
          nullable: true
          type: array
          items:
            type: object
            properties:
              id:
                type: string
                format: byte
                example: dXNlckBleGFtcGxlLmNvbQ
    PublicKeyCredentialJson:
      type: object
      description: "WebAuthn credential representation. The response field can contain either\nAuthenticatorAttestationResponseJson (for registration) or \nAuthenticatorAssertionResponseJson (for authentication).\n"
      required:
        - id
        - rawId
        - type
        - response
      properties:
        id:
          type: string
          description: Base64url-encoded credential ID
          maxLength: 256
          example: AQIDBAUGBwgJCgsMDQ4PEA
        rawId:
          type: string
          description: Base64url-encoded raw credential ID.
          maxLength: 256
          example: AQIDBAUGBwgJCgsMDQ4PEA
        type:
          type: string
          description: The type of credential.
          enum:
            - public-key
          example: public-key
        clientExtensionResults:
          type: string
          description: WebAuthn client extension results (typically empty).
          nullable: true
          maxLength: 100
          example:
            extensions: {}
        response:
          oneOf:
            - $ref: '#/components/schemas/AuthenticatorAttestationResponseJson'
            - $ref: '#/components/schemas/AuthenticatorAssertionResponseJson'
          description: Authenticator response (attestation for registration, assertion for authentication)
    RegistrationFinishRequest:
      type: object
      required:
        - client_id
        - channel_id
        - pwd_action_token
        - username
        - credential
      properties:
        client_id:
          type: string
          description: The ID of the OAuth client.
          maxLength: 36
          example: 12345678-1234-1234-1234-123456789012
        username:
          type: string
          description: Username for the credential.
          maxLength: 128
          example: user@example.com
        credential:
          $ref: '#/components/schemas/PublicKeyCredentialJson'
        channel_id:
          type: string
          description: The ID of the channel.
          maxLength: 128
          example: RefArch
        pwd_action_token:
          type: string
          description: Password action token.
          maxLength: 8
          pattern: ^[0-9]{8}$
          example: '12345678'
    AuthenticateRequest:
      type: object
      required:
        - client_id
        - channel_id
      properties:
        tenant_id:
          type: string
          description: The ID of the tenant.
          maxLength: 8
          example: zzte_053
        client_id:
          type: string
          description: The ID of the OAuth client.
          pattern: ^[A-Za-z0-9_-]+$
          minLength: 36
          maxLength: 36
          example: 12345678-1234-1234-1234-123456789012
        channel_id:
          type: string
          description: The ID of the channel.
          pattern: ^[A-Za-z0-9_-]+$
          maxLength: 100
          example: RefArch
        user_id:
          type: string
          description: The ID of the user.
          maxLength: 128
          example: user@example.com
    PublicKeyCredentialDescriptor:
      type: object
      description: Public key credential descriptor.
      required:
        - type
        - id
      properties:
        type:
          type: string
          maxLength: 256
          description: Credential type.
          enum:
            - public-key
          example: public-key
        id:
          type: string
          description: The base64url-encoded ID of the credential.
          maxLength: 64
          example: AQIDBAUGBwgJCgsMDQ4PEA
        transports:
          type: array
          description: Authenticator transports.
          example:
            - internal
            - usb
          items:
            type: string
            maxLength: 8
            enum:
              - usb
              - nfc
              - ble
              - internal
            example: usb
    PublicKeyCredentialRequestOptions:
      type: object
      description: Options for requesting a WebAuthn credential (returned by authenticate/start).
      properties:
        challenge:
          type: string
          description: Base64url-encoded challenge.
          maxLength: 512
          example: V2FsdGVyIFdoaXRlIFRlc3QgQ2hhbGxlbmdl
        timeout:
          type: integer
          description: Timeout value in milliseconds.
          example: 60000
        rpId:
          type: string
          description: The ID of the relying party.
          maxLength: 256
          example: example.com
        allowCredentials:
          type: array
          description: Allowed credentials for authentication.
          items:
            $ref: '#/components/schemas/PublicKeyCredentialDescriptor'
        userVerification:
          type: string
          description: The level of requirement for user verification.
          enum:
            - required
            - preferred
            - discouraged
          example: preferred
        extensions:
          type: object
          description: WebAuthn extensions.
          additionalProperties: true
    AuthenticateFinishRequest:
      type: object
      required:
        - channel_id
        - client_id
        - credential
      properties:
        user_id:
          maxLength: 128
          type: string
          description: The ID of the user.
          example: user@example.com
        channel_id:
          type: string
          maxLength: 100
          description: The ID of the channel.
          example: RefArch
        client_id:
          type: string
          description: The ID of the OAuth client.
          minLength: 36
          maxLength: 36
          example: 12345678-1234-1234-1234-123456789012
        email:
          type: string
          format: email
          description: User's email address.
          maxLength: 128
          example: user@example.com
        tenant_id:
          type: string
          description: The ID of the tenant.
          maxLength: 8
          example: zzte_053
        usid:
          type: string
          description: The unique session ID.
          maxLength: 128
          example: 87654321-4321-4321-4321-210987654321
        credential:
          $ref: '#/components/schemas/PublicKeyCredentialJson'
    AuthenticateResult:
      type: object
      properties:
        credentialId:
          type: string
          description: The credential ID that was used for authentication.
          maxLength: 1024
          example: AQIDBAUGBwgJCgsMDQ4PEA
        username:
          type: string
          description: The authenticated username.
          maxLength: 128
          example: user@example.com
        success:
          type: boolean
          description: Specifies whether authentication was successful (true) or not (false).
          example: true
        tokenResponse:
          $ref: '#/components/schemas/TokenResponse'
    PasskeyCredential:
      type: object
      description: Represents a WebAuthn passkey credential
      properties:
        id:
          type: integer
          format: int32
          description: Unique identifier for the credential
          example: 20
        userId:
          type: integer
          format: int32
          description: The ID of the user who owns this credential
          example: 26
        credentialId:
          type: string
          description: The WebAuthn credential ID
          maxLength: 1024
          example: SVKfbUGBXofb2JzliJrMtZDENYByWgq_j4-p2M_3wC4
        nickName:
          type: string
          description: User-friendly name for the credential
          maxLength: 32
          example: Fingerprint
        publicKey:
          type: string
          description: The public key associated with this credential
          maxLength: 1024
          example: pQECAyYgASFYIHM_4IKLMC8dboiRNfD0E0Gk4LmCTIgEyCTr-9SyHHeIIlggfn5_AzAl67kttLXWb-_Ts6MG7WHKoXzlKtame_wEYPE
        userHandle:
          type: string
          description: The user handle associated with this credential
          maxLength: 128
          example: yRU-7pWyWUE6nw8hztqqUZG635p7UKDDb2lbC1FyF78
        signatureCount:
          type: string
          maxLength: 8
          description: The signature counter for replay attack prevention
          example: '42'
    PasskeyUser:
      type: object
      description: Represents a passkey user with their associated credentials
      properties:
        id:
          type: integer
          format: int32
          description: Unique identifier for the passkey user
          example: 26
        userName:
          type: string
          description: The username of the passkey user
          maxLength: 128
          example: user@example.com
        displayName:
          type: string
          description: The display name of the passkey user
          maxLength: 256
          example: John Doe
        userHandle:
          type: string
          description: The user handle (WebAuthn user ID)
          maxLength: 128
          example: yRU-7pWyWUE6nw8hztqqUZG635p7UKDDb2lbC1FyF78
        slasUserId:
          type: integer
          format: int32
          description: The associated SLAS user ID
          example: 10000
        credentials:
          type: array
          description: Set of passkey credentials associated with this user
          uniqueItems: true
          items:
            $ref: '#/components/schemas/PasskeyCredential'
  parameters:
    organizationId:
      description: An identifier for the organization the request is being made by
      name: organizationId
      in: path
      required: true
      example: f_ecom_zzxy_prd
      schema:
        $ref: '#/components/schemas/OrganizationId'
    register_customer:
      name: register_customer
      in: query
      description: |-
        When set to `true`, creates a new customer profile in B2C Commerce if one doesn't already exist. Requires `last_name` and `email` body parameters unless `user_id` is an email address. Optionally accepts `first_name` and `phone_number` body parameters.
        If the customer profile doesn't exist, it is created when the TOTP is validated via the `passwordless/token` endpoint.

        When set to `false` (or omitted), no customer profile is created in B2C Commerce.
      required: false
      schema:
        maxLength: 5
        type: string
    client_id:
      name: client_id
      in: query
      description: The SLAS public client ID or SLAS private client ID for use with trusted-agent requests. When using a private client ID a PKCE code challenge is not required.
      required: true
      schema:
        maxLength: 40
        type: string
    refresh_token:
      name: refresh_token
      in: query
      description: Refresh token that was given during the access token request.
      required: true
      schema:
        type: string
    logout_hint:
      name: hint
      in: query
      description: |-
        `hint=all-sessions` logs out all sessions and invalidates all refresh tokens for a shopper with the same SLAS user ID.
        This only works within the same session type. Sessions created through different authentication methods (/authorize vs. Trusted System On Behalf) are treated as separate sessions. To invalidate tokens with different SLAS User IDs, you must make explicit logout calls with each token.
        A shopper authenticated via both /authorize and TSOB has two separate sessions. You will need two logout calls (one per token) to fully log them out.

        If this query parameter is not provided, the default behavior is to log out only the current session that matches the refresh token in the request.

        If an incorrect value is provided for the hint other than `all-sessions`, the request fails.
      required: false
      schema:
        type: string
        enum:
          - all-sessions
    redirect_uri:
      name: redirect_uri
      in: query
      description: |
        The redirect for Account Manager to redirect to. A variety of URI formats and wildcard for host are supported, but app links like `airbnb://` or `fb://` are not. Examples of supported URIs:
          - `http://localhost:3000/callback`
          - `https://example.com/callback`
          - `com.example.app:redirect_uri_path`
          - ` *.subdomain.topleveldomain.com`
      required: true
      schema:
        maxLength: 256
        type: string
    response_type:
      name: response_type
      in: query
      description: Must be `code`. Indicates that the caller wants an authorization code.
      required: true
      schema:
        type: string
        description: Response Type
        enum:
          - code
    scope:
      name: scope
      in: query
      required: false
      schema:
        maxLength: 256
        type: string
        enum:
          - openid
          - offline_access
          - email
    state:
      name: state
      in: query
      description: Value to send the client to determine the state between the authorization request and the server response. Optional, but strongly recommended.
      required: false
      schema:
        maxLength: 512
        type: string
    usid:
      name: usid
      in: query
      description: A unique shopper identifier (USID). If not provided, a new USID is generated.
      required: false
      schema:
        maxLength: 256
        type: string
    hint:
      name: hint
      in: query
      description: |-
        Name of an identity provider (IDP) to optionally redirect to, thereby skipping the IDP selection step.

        To use a public client, set `hint` to `guest` and use a public client ID to get an authorization code. If no `hint` is provided, the preferred IDP of the tenant is used by default.

        For session bridge authorization the `hint` should be set to `sb-user` for a registered customer and to `sb-guest` for a guest. For session bridge authorization the SLAS Client `sfcc.session_bridge` scope.
      required: false
      schema:
        maxLength: 256
        type: string
    code_challenge:
      name: code_challenge
      in: query
      description: |-
        PKCE code challenge. Created by the caller.

        The `code_challenge` is created by SHA256 hashing the `code_verifier` and Base64 encoding the resulting hash.

        The `code_verifier` should be a high entropy cryptographically random string with a minimum of 43 characters and a maximum of 128 characters.

        The *`code_challenge` and 'code_verifier'* are required if a using SLAS public `client_id`.
      required: false
      schema:
        maxLength: 128
        minLength: 43
        type: string
    ui_locales:
      name: ui_locales
      in: query
      description: "End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For example, the value `fr-CA fr en` represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). \n\nIn most cases the IDP supports one language tag and has a default language set on the server. SLAS will support the space-separated list and pass them to the IDP."
      required: false
      schema:
        maxLength: 256
        type: string
    channel_id:
      name: channel_id
      in: query
      description: The channel (B2C Commerce site) that the user is associated with.
      example: RefArch
      required: true
      schema:
        maxLength: 100
        type: string
        example: RefArch
    login_id:
      name: login_id
      in: query
      description: |-
        The ID of the shopper for trusted agent access.

        For TAOB Guest the `login_id` must be set to `Guest`.
      required: true
      schema:
        maxLength: 128
        type: string
    idp_origin:
      name: idp_origin
      in: query
      description: |-
        The IDP that the shopper is associated with.

        For TAOB Guest the `idp_origin` must be set to `slas`. This is standard for SLAS Guest requests. If any other `idp_origin` value is used, SLAS returns a bad request.
      required: true
      schema:
        maxLength: 16
        type: string
    _sfdc_client_auth:
      name: _sfdc_client_auth
      in: header
      description: |-
        "Base64-encoded string of client credentials. The string is composed of a client ID and client secret, separated by a colon (`:`), like this: `clientId:clientSecret`. (Do not add the string `"Basic"`.)

        The `_sfdc_client_auth` header is only required when using a SLAS private client ID."
      required: false
      schema:
        type: string
    Authorization:
      name: Authorization
      in: header
      description: Base64 string for HTTP Basic authentication.
      required: true
      schema:
        type: string
  examples:
    authenticateCustomerSuccess:
      value:
        location: https://<host>:<port>/callback?usid=d11392ae-cbf0-4296-9723-8f9f0e49fd73&state=1728422547223&scope=openid%20offline_access&code=561X8NOKvoRezq2aucazwwkrevUoIP37YRTfsRHX8ow
    BadOrMissingClientId400:
      value:
        error: invalid_request
        error_description: Bad or missing client_id.
    InvalidBasicAuth401:
      value:
        error: invalid_client
        error_description: Basic Authorization failed.
    ConflictingCalls409:
      value:
        error: conflict
        error_description: The same loginId and tenantId tried to login twice within 1 second.
    InternalServerError500:
      value:
        error: server_error
        error_description: The server has encountered a situation that it doesn't know how to handle.
    BadOrMissingAccessToken400:
      value:
        error: invalid_request
        error_description: Bad or missing access token.
    InvalidClient401:
      value:
        error: invalid_client
        error_description: Authorization failed.
    DependentServiceUnavailable412:
      value:
        error: precondition_failure
        error_description: Dependent service is not available.
    logoutCustomerSuccess:
      value:
        access_token: ''
        id_token: 'null'
        refresh_token: ''
        expires_in: 0
        refresh_token_expires_in: 0
        token_type: Bearer
        usid: 'null'
        customer_id: 'null'
        enc_user_id: 'null'
        idp_access_token: ''
        idp_refresh_token: 'null'
        dnt: 'null'
    authorizeCustomerSuccess:
      value:
        authorizationCode: eyJ2ZXIiOiIxLjAiLCJraWQiOiJTTEFTIiwidHlwIjoiand0IiwiY2x2IjoiS
        usid: 156c4e69-e89b-406b-a4b7-576980bb234e
    getAccessTokenSuccess:
      value:
        access_token: eyJ2ZXIiOiIxLjAiLCJraWQiOiJTTEFTIiwidHlwIjoiand0IiwiY2x2IjoiSjIuMS4wIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJjb3JlL2Rldi9idGluZ2V5bHRtMiIsImF1dCI6IkdVSUQiLCJzdWIiOiJ1c2lkOjo1NGFkMmM1YS05MWYwLTQ0YWItODE3Yy03M2Q2Yjg2ODcyZDk6OnVwbjpndWVzdCIsIm5iZiI6MTU4Mjg0NTYyNCwiY3R4Ijoic2ZkYy5jb21tZXJjZWNsb3VkIiwiaXNzIjoiY29yZS9kZXYvYnRpbmdleWx0bTIiLCJzdHkiOiJVc2VyIiwiaXN0IjoxLCJleHAiOjE1ODI4NDU3NDQsImlhdCI6MTU4Mjg0NTY1NCwianRpIjoiQzJDOTA0ODg2NDA3MDkwNDg4NjQwNzMyMjExNzQ1ODEyMTQzIn0.2a6lMBSY17PrhDO8pvEk7PCXW_nkguMHi4J-Tuirkz-ETB6rnKyuRjF5yD6B55tMvm8dO8ulAHyDYqjObMxLJg
        id_token: eyJraWQiOiI3NGU2YjMxZS1lYTczLTQ3OTYtOWRkYi1jMDJmZGI4ZDgwYmUiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2lkOmQ1MDBhMzY5LTc1MWQtNDkzYy1iNDAzLThmOThmYjg3MTdiNiIsImF1ZCI6IjU1M2FjOGFjLTRkYjktNGVkMy04MjVjLTNhZTNiZjVkMzI3YiIsImlzcyI6ImRldi51cy5zaG9wcGVyLmNjLnNhbGVzZm9yY2UuY29tIiwibmFtZSI6ImJsYWlyLnNsYXMudGVzdEBnbWFpbC5jb20iLCJleHAiOjE1OTExMTE0MzgsImlhdCI6MTU5MTEwOTYzOCwiZW1haWwiOiJibGFpci5zbGFzLnRlc3RAZ21haWwuY29tIn0.KgpAcq-G9Lz7IGnjkJlaFLFXYncVCwcVrRIuy3bEfgzRozqaDRvAori4oOz4RtgYjmoc5x2euoisHL0mVnHgPKOdYBty1wTJqneJEQt6hP4Kp0KFciID_ILCi-DE8VWS5t0NknnMP_iKhIkqcRL48iwPFUWkWA6AEWxE_yvJLNRLithsSxsx7EfBfpD8Hr2b5tMEwImQNmJNYGRTI4LSmcYspBORvJoAnfGpMC0kglxl40bhf5j4ItX4_DiWQC4zaGYD-HJV4BDr6C7iGCs5ZVPypF0yQD3iBio26fwj9Ys5WF9XMtPtqET2kqsz6fDC5GkE6HTUHH_r87jxbDq-8w
        refresh_token: EgMYpjfFKdlSy-a3PYeyihmP95IpIp3FaDpPmVH1yu8.lahomBi7zJbRa6yKAuAAiKu3lprTPsEueKwqcBvhRLU
        expires_in: 900
        refresh_token_expires_in: 7776000
        token_type: Bearer
        usid: 18cda486-fe32-4e27-888b-6e4f89938e67
        customer_id: '1000005'
        enc_user_id: 45D39A8499A95288F82855427EBA99B5
        idp_access_token: eyJraWQiOiJYS21HbHVuSm0zSlBTMHNjQXZXV19XQlYtRi1wMkxLSDR0V05UMHVVSjVJIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjFMY0xxTWhqM2t0N1FKeFhxQ0VtdGZOOVV2eUcweW1meDFxZG9BdzF1NWMub2FyeXhveHF0QUtxaVFMbkM1ZDYiLCJpc3MiOiJodHRwczovL2Rldi05NTY1MjM2Lm9rdGEuY29tIiwiYXVkIjoiaHR0cHM6Ly9kZXYtOTU2NTIzNi5va3RhLmNvbSIsInN1YiI6Im9rdGEuc2xhcy50ZXN0IiwiaWF0IjoxNjc5Njk4MzA4LCJleHAiOjE2Nzk3MDE5MDgsImNpZCI6IjBvYTJrNXNma0JXZ0poTEVHNWQ2IiwidWlkIjoiMDB1MzhxZGpuU2NMT0IxbXE1ZDYiLCJzY3AiOlsib2ZmbGluZV9hY2Nlc3MiLCJvcGVuaWQiLCJlbWFpbCIsInByb2ZpbGUiXSwiYXV0aF90aW1lIjoxNjc5Njk4MzA2fQ.FDbGsnZGwTYVKGSlAo6jqcjG2HQ_BqQKRk72M5h69DRHyOM4wngsEELN_Wtgj3E77sP7IOmIKjiK5SFP17ADMbKZptVr2pqaMVF3PuU3Cbl_MgXZValfT-z12jHRq9sHMfsdTjY2RnvG44ZDFKc2no8mdL6IJ1MfCaZT5Tql5Ktq_UgudaWFsYqad3ETcmp5Y8ivz1bFnqud0sO9D9JzYOtfd9h71JKcsSC2rXc_Si-INPKKaGl8CDgaLXxu_Am9twJpUenHLpy0BerhcVvdFz7_611E53xOT_Esrc1pe-XAZtlYsJFnhxTBDT342ukiSWk2m6juVappv1GsRfUf2g
    getSessionBridgeAccessTokenSuccess:
      value:
        access_token: eyJ2ZXIiOiIxLjAiLCJraWQiOiJTTEFTIiwidHlwIjoiand0IiwiY2x2IjoiSjIuMS4wIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJjb3JlL2Rldi9idGluZ2V5bHRtMiIsImF1dCI6IkdVSUQiLCJzdWIiOiJ1c2lkOjo1NGFkMmM1YS05MWYwLTQ0YWItODE3Yy03M2Q2Yjg2ODcyZDk6OnVwbjpndWVzdCIsIm5iZiI6MTU4Mjg0NTYyNCwiY3R4Ijoic2ZkYy5jb21tZXJjZWNsb3VkIiwiaXNzIjoiY29yZS9kZXYvYnRpbmdleWx0bTIiLCJzdHkiOiJVc2VyIiwiaXN0IjoxLCJleHAiOjE1ODI4NDU3NDQsImlhdCI6MTU4Mjg0NTY1NCwianRpIjoiQzJDOTA0ODg2NDA3MDkwNDg4NjQwNzMyMjExNzQ1ODEyMTQzIn0.2a6lMBSY17PrhDO8pvEk7PCXW_nkguMHi4J-Tuirkz-ETB6rnKyuRjF5yD6B55tMvm8dO8ulAHyDYqjObMxLJg
        id_token: eyJraWQiOiI3NGU2YjMxZS1lYTczLTQ3OTYtOWRkYi1jMDJmZGI4ZDgwYmUiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2lkOmQ1MDBhMzY5LTc1MWQtNDkzYy1iNDAzLThmOThmYjg3MTdiNiIsImF1ZCI6IjU1M2FjOGFjLTRkYjktNGVkMy04MjVjLTNhZTNiZjVkMzI3YiIsImlzcyI6ImRldi51cy5zaG9wcGVyLmNjLnNhbGVzZm9yY2UuY29tIiwibmFtZSI6ImJsYWlyLnNsYXMudGVzdEBnbWFpbC5jb20iLCJleHAiOjE1OTExMTE0MzgsImlhdCI6MTU5MTEwOTYzOCwiZW1haWwiOiJibGFpci5zbGFzLnRlc3RAZ21haWwuY29tIn0.KgpAcq-G9Lz7IGnjkJlaFLFXYncVCwcVrRIuy3bEfgzRozqaDRvAori4oOz4RtgYjmoc5x2euoisHL0mVnHgPKOdYBty1wTJqneJEQt6hP4Kp0KFciID_ILCi-DE8VWS5t0NknnMP_iKhIkqcRL48iwPFUWkWA6AEWxE_yvJLNRLithsSxsx7EfBfpD8Hr2b5tMEwImQNmJNYGRTI4LSmcYspBORvJoAnfGpMC0kglxl40bhf5j4ItX4_DiWQC4zaGYD-HJV4BDr6C7iGCs5ZVPypF0yQD3iBio26fwj9Ys5WF9XMtPtqET2kqsz6fDC5GkE6HTUHH_r87jxbDq-8w
        refresh_token: EgMYpjfFKdlSy-a3PYeyihmP95IpIp3FaDpPmVH1yu8.lahomBi7zJbRa6yKAuAAiKu3lprTPsEueKwqcBvhRLU
        expires_in: 900
        refresh_token_expires_in: 7776000
        token_type: Bearer
        usid: 18cda486-fe32-4e27-888b-6e4f89938e67
        customer_id: '1000005'
        enc_user_id: 45D39A8499A95288F82855427EBA99B5
        idp_access_token: ''
    GatewayError503:
      value:
        error: gateway_server_error
        error_description: A service that the server relies on is down or is having difficulty.
    getTrustedSystemAccessTokenSuccess:
      value:
        access_token: eyJ2ZXIiOiIxLjAiLCJraWQiOiJTTEFTIiwidHlwIjoiand0IiwiY2x2IjoiSjIuMS4wIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJjb3JlL2Rldi9idGluZ2V5bHRtMiIsImF1dCI6IkdVSUQiLCJzdWIiOiJ1c2lkOjo1NGFkMmM1YS05MWYwLTQ0YWItODE3Yy03M2Q2Yjg2ODcyZDk6OnVwbjpndWVzdCIsIm5iZiI6MTU4Mjg0NTYyNCwiY3R4Ijoic2ZkYy5jb21tZXJjZWNsb3VkIiwiaXNzIjoiY29yZS9kZXYvYnRpbmdleWx0bTIiLCJzdHkiOiJVc2VyIiwiaXN0IjoxLCJleHAiOjE1ODI4NDU3NDQsImlhdCI6MTU4Mjg0NTY1NCwianRpIjoiQzJDOTA0ODg2NDA3MDkwNDg4NjQwNzMyMjExNzQ1ODEyMTQzIn0.2a6lMBSY17PrhDO8pvEk7PCXW_nkguMHi4J-Tuirkz-ETB6rnKyuRjF5yD6B55tMvm8dO8ulAHyDYqjObMxLJg
        id_token: eyJraWQiOiI3NGU2YjMxZS1lYTczLTQ3OTYtOWRkYi1jMDJmZGI4ZDgwYmUiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2lkOmQ1MDBhMzY5LTc1MWQtNDkzYy1iNDAzLThmOThmYjg3MTdiNiIsImF1ZCI6IjU1M2FjOGFjLTRkYjktNGVkMy04MjVjLTNhZTNiZjVkMzI3YiIsImlzcyI6ImRldi51cy5zaG9wcGVyLmNjLnNhbGVzZm9yY2UuY29tIiwibmFtZSI6ImJsYWlyLnNsYXMudGVzdEBnbWFpbC5jb20iLCJleHAiOjE1OTExMTE0MzgsImlhdCI6MTU5MTEwOTYzOCwiZW1haWwiOiJibGFpci5zbGFzLnRlc3RAZ21haWwuY29tIn0.KgpAcq-G9Lz7IGnjkJlaFLFXYncVCwcVrRIuy3bEfgzRozqaDRvAori4oOz4RtgYjmoc5x2euoisHL0mVnHgPKOdYBty1wTJqneJEQt6hP4Kp0KFciID_ILCi-DE8VWS5t0NknnMP_iKhIkqcRL48iwPFUWkWA6AEWxE_yvJLNRLithsSxsx7EfBfpD8Hr2b5tMEwImQNmJNYGRTI4LSmcYspBORvJoAnfGpMC0kglxl40bhf5j4ItX4_DiWQC4zaGYD-HJV4BDr6C7iGCs5ZVPypF0yQD3iBio26fwj9Ys5WF9XMtPtqET2kqsz6fDC5GkE6HTUHH_r87jxbDq-8w
        refresh_token: EgMYpjfFKdlSy-a3PYeyihmP95IpIp3FaDpPmVH1yu8.lahomBi7zJbRa6yKAuAAiKu3lprTPsEueKwqcBvhRLU
        expires_in: 900
        refresh_token_expires_in: 7776000
        token_type: Bearer
        usid: 18cda486-fe32-4e27-888b-6e4f89938e67
        customer_id: '1000005'
        enc_user_id: 45D39A8499A95288F82855427EBA99B5
        idp_access_token: ''
    getTrustedAgentAccessTokenSuccess:
      value:
        access_token: eyJ2ZXIiOiIxLjAiLCJraWQiOiJTTEFTIiwidHlwIjoiand0IiwiY2x2IjoiSjIuMS4wIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJjb3JlL2Rldi9idGluZ2V5bHRtMiIsImF1dCI6IkdVSUQiLCJzdWIiOiJ1c2lkOjo1NGFkMmM1YS05MWYwLTQ0YWItODE3Yy03M2Q2Yjg2ODcyZDk6OnVwbjpndWVzdCIsIm5iZiI6MTU4Mjg0NTYyNCwiY3R4Ijoic2ZkYy5jb21tZXJjZWNsb3VkIiwiaXNzIjoiY29yZS9kZXYvYnRpbmdleWx0bTIiLCJzdHkiOiJVc2VyIiwiaXN0IjoxLCJleHAiOjE1ODI4NDU3NDQsImlhdCI6MTU4Mjg0NTY1NCwianRpIjoiQzJDOTA0ODg2NDA3MDkwNDg4NjQwNzMyMjExNzQ1ODEyMTQzIn0.2a6lMBSY17PrhDO8pvEk7PCXW_nkguMHi4J-Tuirkz-ETB6rnKyuRjF5yD6B55tMvm8dO8ulAHyDYqjObMxLJg
        id_token: eyJraWQiOiI3NGU2YjMxZS1lYTczLTQ3OTYtOWRkYi1jMDJmZGI4ZDgwYmUiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2lkOmQ1MDBhMzY5LTc1MWQtNDkzYy1iNDAzLThmOThmYjg3MTdiNiIsImF1ZCI6IjU1M2FjOGFjLTRkYjktNGVkMy04MjVjLTNhZTNiZjVkMzI3YiIsImlzcyI6ImRldi51cy5zaG9wcGVyLmNjLnNhbGVzZm9yY2UuY29tIiwibmFtZSI6ImJsYWlyLnNsYXMudGVzdEBnbWFpbC5jb20iLCJleHAiOjE1OTExMTE0MzgsImlhdCI6MTU5MTEwOTYzOCwiZW1haWwiOiJibGFpci5zbGFzLnRlc3RAZ21haWwuY29tIn0.KgpAcq-G9Lz7IGnjkJlaFLFXYncVCwcVrRIuy3bEfgzRozqaDRvAori4oOz4RtgYjmoc5x2euoisHL0mVnHgPKOdYBty1wTJqneJEQt6hP4Kp0KFciID_ILCi-DE8VWS5t0NknnMP_iKhIkqcRL48iwPFUWkWA6AEWxE_yvJLNRLithsSxsx7EfBfpD8Hr2b5tMEwImQNmJNYGRTI4LSmcYspBORvJoAnfGpMC0kglxl40bhf5j4ItX4_DiWQC4zaGYD-HJV4BDr6C7iGCs5ZVPypF0yQD3iBio26fwj9Ys5WF9XMtPtqET2kqsz6fDC5GkE6HTUHH_r87jxbDq-8w
        refresh_token: EgMYpjfFKdlSy-a3PYeyihmP95IpIp3FaDpPmVH1yu8.lahomBi7zJbRa6yKAuAAiKu3lprTPsEueKwqcBvhRLU
        expires_in: 900
        token_type: Bearer
        refresh_token_expires_in: 7776000
        usid: 18cda486-fe32-4e27-888b-6e4f89938e67
        customer_id: '1000005'
        enc_user_id: 45D39A8499A95288F82855427EBA99B5
        idp_access_token: ''
    BadMissingAccessOrRefreshToken400:
      value:
        error: invalid_request
        error_description: Bad or missing access token or refresh token
    BadParameters400:
      value:
        error: invalid_request
        error_description: Bad or missing request parameters.
    getPasswordLessAccessTokenSuccess:
      value:
        access_token: eyJ2ZXIiOiIxLjAiLCJraWQiOiJTTEFTIiwidHlwIjoiand0IiwiY2x2IjoiSjIuMS4wIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJjb3JlL2Rldi9idGluZ2V5bHRtMiIsImF1dCI6IkdVSUQiLCJzdWIiOiJ1c2lkOjo1NGFkMmM1YS05MWYwLTQ0YWItODE3Yy03M2Q2Yjg2ODcyZDk6OnVwbjpndWVzdCIsIm5iZiI6MTU4Mjg0NTYyNCwiY3R4Ijoic2ZkYy5jb21tZXJjZWNsb3VkIiwiaXNzIjoiY29yZS9kZXYvYnRpbmdleWx0bTIiLCJzdHkiOiJVc2VyIiwiaXN0IjoxLCJleHAiOjE1ODI4NDU3NDQsImlhdCI6MTU4Mjg0NTY1NCwianRpIjoiQzJDOTA0ODg2NDA3MDkwNDg4NjQwNzMyMjExNzQ1ODEyMTQzIn0.2a6lMBSY17PrhDO8pvEk7PCXW_nkguMHi4J-Tuirkz-ETB6rnKyuRjF5yD6B55tMvm8dO8ulAHyDYqjObMxLJg
        id_token: eyJraWQiOiI3NGU2YjMxZS1lYTczLTQ3OTYtOWRkYi1jMDJmZGI4ZDgwYmUiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2lkOmQ1MDBhMzY5LTc1MWQtNDkzYy1iNDAzLThmOThmYjg3MTdiNiIsImF1ZCI6IjU1M2FjOGFjLTRkYjktNGVkMy04MjVjLTNhZTNiZjVkMzI3YiIsImlzcyI6ImRldi51cy5zaG9wcGVyLmNjLnNhbGVzZm9yY2UuY29tIiwibmFtZSI6ImJsYWlyLnNsYXMudGVzdEBnbWFpbC5jb20iLCJleHAiOjE1OTExMTE0MzgsImlhdCI6MTU5MTEwOTYzOCwiZW1haWwiOiJibGFpci5zbGFzLnRlc3RAZ21haWwuY29tIn0.KgpAcq-G9Lz7IGnjkJlaFLFXYncVCwcVrRIuy3bEfgzRozqaDRvAori4oOz4RtgYjmoc5x2euoisHL0mVnHgPKOdYBty1wTJqneJEQt6hP4Kp0KFciID_ILCi-DE8VWS5t0NknnMP_iKhIkqcRL48iwPFUWkWA6AEWxE_yvJLNRLithsSxsx7EfBfpD8Hr2b5tMEwImQNmJNYGRTI4LSmcYspBORvJoAnfGpMC0kglxl40bhf5j4ItX4_DiWQC4zaGYD-HJV4BDr6C7iGCs5ZVPypF0yQD3iBio26fwj9Ys5WF9XMtPtqET2kqsz6fDC5GkE6HTUHH_r87jxbDq-8w
        refresh_token: EgMYpjfFKdlSy-a3PYeyihmP95IpIp3FaDpPmVH1yu8.lahomBi7zJbRa6yKAuAAiKu3lprTPsEueKwqcBvhRLU
        expires_in: 900
        refresh_token_expires_in: 7776000
        token_type: Bearer
        usid: 18cda486-fe32-4e27-888b-6e4f89938e67
        customer_id: '1000005'
        enc_user_id: 45D39A8499A95288F82855427EBA99B5
        idp_access_token: ''
    TokenActionRequestBody:
      value:
        token: ry5XU_WHX20S6Cn6W7keFIs7Pzkv4wTZJS9Yvh0Ve9A.cdBxoCY9Q3jffQQOFnb_qghbSmSRnn9-2H4GwFTDMTk
        token_type_hint: refresh_token
    revokeTokenSuccess:
      value:
        access_token: ''
        id_token: 'null'
        refresh_token: EnL9U2f3-WiVPwL60CFBI21UY_oxWAwX5JkgO-X12Vs
        expires_in: 0
        refresh_token_expires_in: 0
        token_type: Bearer
        usid: 'null'
        customer_id: 'null'
        enc_user_id: 'null'
        idp_access_token: ''
    BadOrMissingRefreshToken400:
      value:
        error: invalid_request
        error_description: Bad or missing refresh token.
    introspectTokenSuccess:
      value:
        active: true
        client_id: 553ac8ac-4db9-4ed3-825c-3ae3bf5d327b
        exp: 1602523099
        iat: 1594747099
        iss: https://localhost:9000/
        scope: offline_access openid
        sub: usid:edbf780a-2d83-4e82-9f64-8d051e3538d2::uido:Google::upn:blair.slas.test@gmail.com::uidn:Foo SLAS-Test
        token_type: refresh_token
    getUserInfoSuccess:
      value:
        customer_id: abxHc1lblIlKwRl0k1mqYYkewY
        email: slas-okta-test@test.org
        external_id: okta-00u38qdjnScLOB1mq5d6
        family_name: Test
        given_name: Slas
        name: Slas Test
        sub: 98a84e4b-be50-422a-ab04-e9034e859eb9
        validated: true
    getWellknownOpenidConfigurationSuccess:
      value:
        authorization_endpoint: https://stg.us.shopper.cc.salesforce.com/api/v1/organizations/zzzz_tst/oauth2/authorize
        claims_supported:
          - email
          - name
          - given_name
          - family_name
          - sub
        code_challenge_methods_supported:
          - S256
        grant_types_supported:
          - authorization_code
          - authorization_code_pkce
          - client_credentials
          - refresh_token
        id_token_encryption_enc_values_supported:
          - A256GCM
        issuer: https://stg.us.shopper.cc.salesforce.com/api/v1/organizations/zzzz_tst/oauth2
        jwks_uri: https://stg.us.shopper.cc.salesforce.com/api/v1/organizations/zzzz_tst/oauth2/jwks
        response_types_supported:
          - code
          - token
          - token id_token
        revocation_endpoint: https://stg.us.shopper.cc.salesforce.com/api/v1/organizations/zzzz_tst/oauth2/revoke
        scopes_supported:
          - email
          - openid
          - profile
        subject_types_supported:
          - public
        token_endpoint: https://stg.us.shopper.cc.salesforce.com/api/v1/organizations/zzzz_tst/oauth2/token
        userinfo_endpoint: https://stg.us.shopper.cc.salesforce.com/api/v1/organizations/zzzz_tst/oauth2/userinfo
    MalformedTenantId400:
      value:
        error: invalid_request
        error_description: Tenant Id Exception - Must be a well-formed tenantId
    getJwksSuccess:
      value:
        keys:
          - crv: P-256
            kid: 2d670fa8-0f28-44a1-b8b4-87a6d2feb1d8
            kty: EC
            use: sig
            x: _2tPqxGhgX6cA5Qg7v6UH_9om8OR3-OehkgXXWraTp8
            'y': DAykmQPtf282buIcL0rLwKYbK6ApgripMjazdAthUFw
          - crv: P-256
            kid: eb70508f-4d64-46f7-a3d5-b36558d6e6b6
            kty: EC
            use: sig
            x: VV0JVJFhkz71wY0E73Z-snorZ5oJf1QOdkIbCjyMqLs
            'y': QLkqBVSPPrkd7HjaSEMgMU9Ob-FDpg1W-oLq5I4ExqQ
          - crv: P-256
            kid: 0f2016af-1388-4972-b54d-31cb9e3704ed
            kty: EC
            use: sig
            x: KpmPoZTFXs80Uxy7QcOQ9aaqW35xgT3Qyakee8zR7gA
            'y': P87TZ52rjnOGlmjaPeUGbLaOqiB7FHnoEzULIw6QlfJ
    startWebauthnUserRegistrationSuccess:
      value:
        extensions: {}
        attestation: none
        challenge: qcjjr4ZckSHuiSd1nShZkVt12I1udQO_7MAkynXP8Nk
        authenticatorSelection:
          userVerification: preferred
          requireResidentKey: false
          residentKey: preferred
        user:
          name: darth.vader
          id: GyOH81kDRxJBvHPQkkbmTagOADuixhp_37P_UnSwHAI
          displayName: Darth Vader
        rp:
          name: SLAS Service
          id: localhost
        timeout: 90000
        excludeCredentials: []
        pubKeyCredParams:
          alg: -7
          type: public-key
    webauthnAuthenticationStartSuccess:
      value:
        challenge: V2FsdGVyIFdoaXRlIFRlc3QgQ2hhbGxlbmdl
        timeout: 60000
        rpId: localhost
        allowCredentials:
          - type: public-key
            id: AQIDBAUGBwgJCgsMDQ4PEA
            transports:
              - usb
              - nfc
        userVerification: preferred
        extensions: {}
    UserNotFound404:
      value:
        error: not_found
        error_description: User Not Found
    webauthnAuthenticationFinishSuccess:
      value:
        credentialId: AQIDBAUGBwgJCgsMDQ4PEA
        username: user@example.com
        success: true
        tokenResponse:
          access_token: eyJ2ZXIiOiIxLjAiLCJraWQiOiJTTEFTIiwidHlwIjoiand0IiwiY2x2IjoiSjIuMS4wIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJjb3JlL2Rldi9idGluZ2V5bHRtMiIsImF1dCI6IkdVSUQiLCJzdWIiOiJ1c2lkOjo1NGFkMmM1YS05MWYwLTQ0YWItODE3Yy03M2Q2Yjg2ODcyZDk6OnVwbjpndWVzdCIsIm5iZiI6MTU4Mjg0NTYyNCwiY3R4Ijoic2ZkYy5jb21tZXJjZWNsb3VkIiwiaXNzIjoiY29yZS9kZXYvYnRpbmdleWx0bTIiLCJzdHkiOiJVc2VyIiwiaXN0IjoxLCJleHAiOjE1ODI4NDU3NDQsImlhdCI6MTU4Mjg0NTY1NCwianRpIjoiQzJDOTA0ODg2NDA3MDkwNDg4NjQwNzMyMjExNzQ1ODEyMTQzIn0.2a6lMBSY17PrhDO8pvEk7PCXW_nkguMHi4J-Tuirkz-ETB6rnKyuRjF5yD6B55tMvm8dO8ulAHyDYqjObMxLJg
          id_token: eyJraWQiOiI3NGU2YjMxZS1lYTczLTQ3OTYtOWRkYi1jMDJmZGI4ZDgwYmUiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2lkOmQ1MDBhMzY5LTc1MWQtNDkzYy1iNDAzLThmOThmYjg3MTdiNiIsImF1ZCI6IjU1M2FjOGFjLTRkYjktNGVkMy04MjVjLTNhZTNiZjVkMzI3YiIsImlzcyI6ImRldi51cy5zaG9wcGVyLmNjLnNhbGVzZm9yY2UuY29tIiwibmFtZSI6ImJsYWlyLnNsYXMudGVzdEBnbWFpbC5jb20iLCJleHAiOjE1OTExMTE0MzgsImlhdCI6MTU5MTEwOTYzOCwiZW1haWwiOiJibGFpci5zbGFzLnRlc3RAZ21haWwuY29tIn0.KgpAcq-G9Lz7IGnjkJlaFLFXYncVCwcVrRIuy3bEfgzRozqaDRvAori4oOz4RtgYjmoc5x2euoisHL0mVnHgPKOdYBty1wTJqneJEQt6hP4Kp0KFciID_ILCi-DE8VWS5t0NknnMP_iKhIkqcRL48iwPFUWkWA6AEWxE_yvJLNRLithsSxsx7EfBfpD8Hr2b5tMEwImQNmJNYGRTI4LSmcYspBORvJoAnfGpMC0kglxl40bhf5j4ItX4_DiWQC4zaGYD-HJV4BDr6C7iGCs5ZVPypF0yQD3iBio26fwj9Ys5WF9XMtPtqET2kqsz6fDC5GkE6HTUHH_r87jxbDq-8w
          refresh_token: EgMYpjfFKdlSy-a3PYeyihmP95IpIp3FaDpPmVH1yu8.lahomBi7zJbRa6yKAuAAiKu3lprTPsEueKwqcBvhRLU
          expires_in: 900
          refresh_token_expires_in: 7776000
          token_type: Bearer
          usid: 18cda486-fe32-4e27-888b-6e4f89938e67
          customer_id: '1000005'
          enc_user_id: 45D39A8499A95288F82855427EBA99B5
          idp_access_token: ''
    getPasskeyUserByLoginIdSuccess:
      value:
        id: 26
        userName: user@example.com
        displayName: John Doe
        userHandle: yRU-7pWyWUE6nw8hztqqUZG635p7UKDDb2lbC1FyF78
        slasUserId: 10000
        credentials:
          - id: 21
            userId: 26
            credentialId: t5Awv5pJ_kM7K8U2-5ijw5rSKNkHFHTTg_gAbdrod8c
            nickName: Fingerprint
            publicKey: pQECAyYgASFYIKIpY59lUthC1dDw_9WXKCOaLNCB2WSoGrK0kAZG33s3IlggxTvdmk2QC_HPjAwf_eHdoxIBvfN3c376ws8xUaxlJ4A
            userHandle: yRU-7pWyWUE6nw8hztqqUZG635p7UKDDb2lbC1FyF78
            signatureCount: '2'
          - id: 22
            userId: 26
            credentialId: SVKfbUGBXofb2JzliJrMtZDENYByWgq_j4-p2M_3wC4
            nickName: YubiKey
            publicKey: pQECAyYgASFYIHM_4IKLMC8dboiRNfD0E0Gk4LmCTIgEyCTr-9SyHHeIIlggfn5_AzAl67kttLXWb-_Ts6MG7WHKoXzlKtame_wEYPE
            userHandle: yRU-7pWyWUE6nw8hztqqUZG635p7UKDDb2lbC1FyF78
            signatureCount: '5'
x-sdk-classname: ShopperLogin