B2B Token

The B2B Token embeds a customer’s selected legal entity in their authorization token, enabling consistent access control and data visibility without re-login.

In B2B scenarios, the customers frequently represent more than one company. They can belong to more than one legal entity that they act and make purchases on behalf of. Therefore, the storefront needs to identify which legal entity a user is acting on behalf of during each session to properly resolve the right data access and scope level.

Example use cases:

Orders: The customer's assigned legal entity can be crucial for accessing orders information. B2B customers need to access their own orders, but also the orders assigned to their legal entity.
Products availability: With customer segments, product visibility can become segment-based. Therefore, the endpoint responsible for retrieving products on the storefront has to return only these products that the customer has access to with the selected legal entity.

Legal entity in authorization token

To ensure that the storefront properly reads a B2B customer's selected legal entity and determines the relevant access to resources, the authorization token generated by the Customer Service gets updated with the legalEntityId parameter. The token-based approach to pass the legalEntityId parameter guarantees that the relevant services use that information to retrieve relevant data. The legalEntityId header is injected in the requests.

Passing the legalEntityId parameter in the authorization token is the proper way to handle the B2B customer legal entity information across services. The token approach ensures a consistent user experience, and centralized security enforcement while enabling the required legal entity-based access control.

How it works

Selection and verification

When a B2B customer logs in, they choose the specific legal entity they want to represent for that session. The Customer Service then verifies that the user is assigned to this selected entity.

Token generation

Upon verification, the Customer Service issues a new refresh token that embeds the legalEntityId parameter.

Data access and scope

This updated token is passed to other services to determine the correct scopes and data visibility for the user. The legalEntityId header is injected into requests, ensuring the user only accesses relevant data, such as orders or segment-based product visibility tied to that specific legal entity.

Seamless switching

If the customer needs to change the legal entity they are acting on behalf of, they do not need to log in again. The storefront simply triggers the Refreshing a customer token endpoint to generate a new token based on the previous one, but with the updated legalEntityId information.

The diagram shows how the legal entity information is fetched and passed:

Find out more about the Customer Service and token generation in the API reference Customer Service (Customer Managed) documentation.

Last updated 1 day ago

Was this helpful?

Good afternoon

hashtagLegal entity in authorization token

hashtagHow it works

hashtagSelection and verification

hashtagToken generation

hashtagData access and scope