---
editLink: false
lastUpdated: false
---

[@salesforce/b2c-tooling-sdk](../../modules.md) / [auth](../index.md) / JwtOAuthStrategy

# Class: JwtOAuthStrategy

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:82](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/67fb8580ac3c5b372617ee3ec3fc8f2bc9f16174/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L82)

OAuth 2.0 JWT Bearer authentication strategy.

Implements RFC 7523 (JSON Web Token (JWT) Profile for OAuth 2.0 Client
Authentication and Authorization Grants).

Key differences from client credentials flow:
- Uses public/private key pair instead of client secret
- Sends JWT as `client_assertion` in POST body (not Authorization header)
- JWT is self-signed and short-lived (60 seconds)

## Example

```typescript
const strategy = new JwtOAuthStrategy({
  clientId: 'my-client-id',
  certPath: './cert.pem',
  keyPath: './key.pem',
  accountManagerHost: 'account.demandware.com',
});

const response = await strategy.fetch('https://api.example.com/data');
```

## Implements

- [`AuthStrategy`](../interfaces/AuthStrategy.md)

## Constructors

### Constructor

> **new JwtOAuthStrategy**(`config`): `JwtOAuthStrategy`

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:100](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/67fb8580ac3c5b372617ee3ec3fc8f2bc9f16174/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L100)

Creates a new JwtOAuthStrategy instance.

Validates the provided configuration and caches the private key during construction
to avoid repeated file I/O during token requests.

#### Parameters

##### config

[`JwtOAuthConfig`](../interfaces/JwtOAuthConfig.md)

JWT OAuth configuration containing clientId, certificate/key file paths, and Account Manager host

#### Returns

`JwtOAuthStrategy`

#### Throws

Error if clientId, certPath, keyPath, or accountManagerHost are missing

#### Throws

Error if certificate or key files do not exist, are unreadable, or have invalid PEM format

#### Throws

Error if the private key is encrypted but no passphrase is provided, or the passphrase is incorrect

## Methods

### fetch()

> **fetch**(`url`, `init`): `Promise`\<`Response`\>

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:210](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/67fb8580ac3c5b372617ee3ec3fc8f2bc9f16174/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L210)

Performs a fetch request with JWT Bearer authentication.
Automatically injects the Authorization header with a fresh access token.
Includes 401 retry logic and x-dw-client-id header.

#### Parameters

##### url

`string`

##### init

[`FetchInit`](../type-aliases/FetchInit.md) = `{}`

#### Returns

`Promise`\<`Response`\>

#### Implementation of

[`AuthStrategy`](../interfaces/AuthStrategy.md).[`fetch`](../interfaces/AuthStrategy.md#fetch)

***

### getAuthorizationHeader()

> **getAuthorizationHeader**(): `Promise`\<`string`\>

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:240](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/67fb8580ac3c5b372617ee3ec3fc8f2bc9f16174/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L240)

Returns the Authorization header value for legacy clients.

#### Returns

`Promise`\<`string`\>

#### Implementation of

[`AuthStrategy`](../interfaces/AuthStrategy.md).[`getAuthorizationHeader`](../interfaces/AuthStrategy.md#getauthorizationheader)

***

### getJWT()

> **getJWT**(): `Promise`\<[`DecodedJWT`](../interfaces/DecodedJWT.md)\>

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:248](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/67fb8580ac3c5b372617ee3ec3fc8f2bc9f16174/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L248)

Gets the decoded JWT payload.

#### Returns

`Promise`\<[`DecodedJWT`](../interfaces/DecodedJWT.md)\>

***

### getTokenResponse()

> **getTokenResponse**(): `Promise`\<[`AccessTokenResponse`](../interfaces/AccessTokenResponse.md)\>

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:272](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/67fb8580ac3c5b372617ee3ec3fc8f2bc9f16174/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L272)

Gets the full token response including expiration and scopes.
Useful for commands that need to display or return token metadata.

#### Returns

`Promise`\<[`AccessTokenResponse`](../interfaces/AccessTokenResponse.md)\>

***

### invalidateToken()

> **invalidateToken**(): `void`

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:287](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/67fb8580ac3c5b372617ee3ec3fc8f2bc9f16174/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L287)

Invalidates the cached access token, forcing re-authentication on next request.

#### Returns

`void`

#### Implementation of

[`AuthStrategy`](../interfaces/AuthStrategy.md).[`invalidateToken`](../interfaces/AuthStrategy.md#invalidatetoken)

***

### withAdditionalScopes()

> **withAdditionalScopes**(`additionalScopes`): `JwtOAuthStrategy`

Defined in: [packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts:260](https://github.com/SalesforceCommerceCloud/b2c-developer-tooling/blob/67fb8580ac3c5b372617ee3ec3fc8f2bc9f16174/packages/b2c-tooling-sdk/src/auth/oauth-jwt.ts#L260)

Creates a new JwtOAuthStrategy with additional scopes merged in.
Used by clients that have specific scope requirements.

#### Parameters

##### additionalScopes

`string`[]

Scopes to add to this strategy's existing scopes

#### Returns

`JwtOAuthStrategy`

A new JwtOAuthStrategy instance with merged scopes
