B2C Account Manager Skill
Use the b2c am commands to manage Account Manager resources: API clients, users, roles, and organizations.
Tip: If
b2cis not installed globally, usenpx @salesforce/b2c-cliinstead (e.g.,npx @salesforce/b2c-cli am clients list).
Authentication
Account Manager commands work out of the box with no configuration. The CLI uses a built-in public client and opens a browser for login.
- Zero-config (browser login): Default. Just run the commands -- the CLI opens a browser for login.
- Client credentials: For CI/CD and automation. The CLI auto-discovers
clientId/clientSecretfromSFCC_*env vars,dw.json(in the current or a parent directory),package.json, or configuration plugins — passing--client-id/--client-secretflags is usually unnecessary. - Force browser login (
--user-auth): When client credentials are configured but you need browser-based login (required for org and client management).
Run
b2c setup inspectto confirm which credentials the CLI sees and where they came from. For precedence and troubleshooting, see theb2c-cli:b2c-configskill.
Role Requirements
| Operations | Client Credentials (roles on API client) | User Auth (roles on user account) |
|---|---|---|
| AM Users & Roles | User Administrator | Account Administrator or User Administrator |
| AM Organizations | Not supported -- use --user-auth | Account Administrator |
| AM API Clients | Not supported -- use --user-auth | Account Administrator or API Administrator |
Organization and API client management are only available with user authentication. For Business Manager administration (BM roles, users, access keys, whoami), see the b2c-cli:b2c-bm-users-roles skill.
API Clients
List Clients
b2c am clients list
# with pagination
b2c am clients list --size 50 --page 2
# JSON output
b2c am clients list --json
Get Client
# by UUID
b2c am clients get <api-client-id>
# with expanded organizations and roles
b2c am clients get <api-client-id> --expand organizations,roles
Create Client
Clients are created inactive by default. Requires user auth.
b2c am clients create \
--name "My API Client" \
--orgs <org-id> \
--password "securePassword123"
# with roles, role tenant filter, and redirect URLs
b2c am clients create \
--name "CI/CD Pipeline" \
--orgs <org-id> \
--password "securePassword123" \
--roles SALESFORCE_COMMERCE_API \
--role-tenant-filter "SALESFORCE_COMMERCE_API:zzxy_prd" \
--redirect-urls "https://example.com/callback" \
--active
Update Client
Partial update -- only specified fields are changed.
b2c am clients update <api-client-id> --name "New Name"
b2c am clients update <api-client-id> --active
Change Client Password
b2c am clients password <api-client-id> --current "oldPass" --new "newSecurePass123"
Delete Client
Client must be disabled for 7+ days before deletion. Destructive operation (safe mode check).
b2c am clients delete <api-client-id>
Users
List Users
b2c am users list
# with extended columns (roles, organizations)
b2c am users list --extended
# JSON output with pagination
b2c am users list --size 100 --json
Get User
b2c am users get user@example.com
# with expanded roles and organizations
b2c am users get user@example.com --expand-all
Create User
b2c am users create \
--org "My Organization" \
--mail user@example.com \
--first-name Jane \
--last-name Doe
The --org flag accepts either an org ID or org name. Users are created in INITIAL state with no roles.
Update User
b2c am users update user@example.com --first-name Janet --last-name Smith
Delete User
Soft-deletes by default. Use --purge for hard delete (user must already be in DELETED state).
# soft delete
b2c am users delete user@example.com
# hard delete (purge)
b2c am users delete developer@example.com --purge
Reset User Password
Resets password to INITIAL state, clearing expiration. Destructive operation (safe mode check).
b2c am users reset user@example.com
Roles
List Roles
b2c am roles list
# filter by target type
b2c am roles list --target-type User
b2c am roles list --target-type ApiClient
Get Role
b2c am roles get bm-admin
b2c am roles get SLAS_ORGANIZATION_ADMIN
Grant Role to User
b2c am roles grant user@example.com --role bm-admin
# with tenant scope
b2c am roles grant user@example.com --role bm-admin --scope zzzz_001,zzzz_002
Revoke Role from User
# revoke entire role
b2c am roles revoke user@example.com --role bm-admin
# revoke specific tenant scopes only
b2c am roles revoke user@example.com --role bm-admin --scope zzzz_001
Organizations
List Organizations
b2c am orgs list
# all organizations (max page size)
b2c am orgs list --all
# extended columns
b2c am orgs list --extended
Get Organization
Accepts org ID or name.
b2c am orgs get <org-id>
b2c am orgs get "My Organization"
Business Manager Administration
BM-side resources (instance roles, instance users, access keys, whoami) live in the b2c-cli:b2c-bm-users-roles skill. Use it for:
b2c bm roles— list/get/create/delete instance access roles, grant/revoke users, manage permissionsb2c bm users— list, get, search, update, and delete instance users via the OCAPI/usersresourceb2c bm whoami— show the BM user the current OAuth token resolves tob2c bm access-key— provision and rotate WebDAV/OCAPI/Storefront access keys for SSO-managed users
Defer to that skill for BM examples and patterns. AM-side onboarding flows (creating an AM user, granting AM roles scoped to tenants) stay here.
Common Workflows
User Onboarding
# Create the user
b2c am users create --org $ORG_ID --mail developer@example.com \
--first-name Alex --last-name Developer
# Grant Business Manager Admin role scoped to a specific tenant
b2c am roles grant developer@example.com --role bm-admin --scope zzxy_prd
User Offboarding
# Revoke roles
b2c am roles revoke developer@example.com --role bm-admin
# Soft delete the user
b2c am users delete developer@example.com
# Permanent deletion (user must be in DELETED state first)
b2c am users delete developer@example.com --purge
Bulk Operations with JSON
# Export all users as JSON
b2c am users list --size 4000 --json
# Pipe to jq for filtering
b2c am users list --json | jq '.[] | select(.userState == "ACTIVE")'
Common Patterns
All am commands support --json for programmatic output. List commands support --columns, --extended, --size, and --page for pagination and column control.
Destructive operations (user delete, user reset, client delete) check safe mode. Only delete or purge users when explicitly requested.
More Commands
See b2c am --help for a full list of available commands and options.