This content originally appeared on Level Up Coding - Medium and was authored by Sugavasilakshmisahithi
If you’re building a web or mobile experience that embeds Salesforce Enhanced Chat (Messaging for In-App and Web), generateAccessTokenForUnauthenticatedUser is the API call that gives a short-lived JWT to an unverified guest (no login) so the client can start messaging (create conversations, send messages, open SSE streams) without a full authentication flow.
Below I’ll walk through what it does, why it’s useful, and a clear step-by-step of how to call it and what to do with the result.
Why use an unauthenticated access token?
- Fast onboarding: let visitors start a support chat without forcing a sign-in flow (better UX for simple help or sales chat).
- Lightweight client flow: the client only needs a single POST to get a JWT it can use for subsequent messaging API calls.
- Controlled access: you can restrict what guest tokens allow (e.g., no sensitive actions) while still enabling conversational experiences.
Use authenticated tokens if you need verified identity, personalization, or to unlock sensitive operations.
Preconditions — what must be configured first
- Embedded Service deployment type must be Custom Client (the deployment should be configured to accept API requests; when correctly configured, responses show deploymentType: "api").
- The Messaging channel associated with that deployment must have User Verification turned OFF for unauthenticated tokens to work. If you need authenticated users, turn User Verification ON and use the authenticated token flow instead. As shown in the figure.
Make sure you have your Salesforce org ID, the Embedded Service developer name (API name), and the scrt-url (the domain for your Enhanced Chat custom client deployment). I found these details in the Salesforce Enhanced Chat documentation, and I’ll provide a full-fledged blog about this through the link .
Step-by-step: how to call generateAccessTokenForUnauthenticatedUser
1) Build the POST request
Endpoint
POST https://{scrt-url}/iamessage/api/v2/authorization/unauthenticated/access-tokenReplace {scrt-url} with your deployment URL (example: mycompanyname.salesforce-scrt.com).
Headers:
Content-Type: application/json
Authorization: Bearer {authenticated-access-token}
Body (JSON) — required fields:
{
"orgId": "00DgL00000ApqdC",
"esDeveloperName": "CustomAgentUI_ESD",
"capabilitiesVersion": "1",
"platform": "Web",
"context": {
"appName": "salesApp",
"clientVersion": "1.2.3"
},
"captchaToken": ""
}- orgId: 15-char Salesforce org ID.
- esDeveloperName: Embedded Service deployment API name (alphanumeric + underscores).
- deviceId and context: used to tie the token to the client session and for telemetry.
- captchaToken (optional/conditional): include if you’re using CAPTCHA on the client to mitigate abuse.
2) Example cURL
curl "https://mycompanyname.salesforce-scrt.com/iamessage/api/v2/authorization/unauthenticated/access-token" \
-X POST \
-H "Content-Type: application/json" \
-d '{ ...JSON body above... }'
(You’ll get a JSON response like this.)
Response and what to do next
A successful response returns a JWT in the accessToken field plus lastEventId and context that includes deployment config and device info. Use the returned accessToken as the Bearer token for subsequent Enhanced Chat calls (for example createConversation, sendMessage, and SSE/stream endpoints). Example: set header Authorization: Bearer <accessToken> when calling POST /iamessage/api/v2/conversation or sending messages.
If you need to support multiple tabs or want a token that helps coordinate multi-tab behavior without extending expiry, consider the Generate continuation token endpoint (it creates a JWT for multi-tab scenarios and doesn’t extend expiration).
Common Troubleshooting Issues
1. Deployment Type Mismatch
Problem: API calls fail or don’t behave as expected Solution: Verify your Embedded Service deployment is set to “Custom Client” type
2. User Verification Conflicts
Problem: Unauthenticated tokens are rejected Solution: Ensure User Verification is disabled in your Messaging channel settings
3. Invalid Org ID or Developer Name
Problem: Authentication failures or “not found” errors Solution: Double-check your orgId and esDeveloperName values in Salesforce Setup
4. Missing Authorization Header
Problem: 401 Unauthorized responses Solution: Include a valid authenticated access token in the Authorization header
Security notes
Guest tokens are for convenience — they are less trustworthy than authenticated tokens. Don’t rely on them for actions that require identity verification (account changes, billing, PII access). If you need identity, switch to the authenticated token flow which requires verifying the end user.
Conclusion
The Salesforce Enhanced Chat API’s unauthenticated access token feature provides an excellent foundation for implementing guest chat functionality. By following this guide, you can create seamless chat experiences that engage visitors without requiring registration.
Remember to balance convenience with security by implementing proper validation, monitoring, and upgrading to authenticated flows when handling sensitive operations.
Salesforce Enhanced Chat API -generateAccessTokenForUnauthenticatedUser was originally published in Level Up Coding on Medium, where people are continuing the conversation by highlighting and responding to this story.
This content originally appeared on Level Up Coding - Medium and was authored by Sugavasilakshmisahithi
Sugavasilakshmisahithi | Sciencx (2025-09-24T03:18:43+00:00) Salesforce Enhanced Chat API -generateAccessTokenForUnauthenticatedUser. Retrieved from https://www.scien.cx/2025/09/24/salesforce-enhanced-chat-api-generateaccesstokenforunauthenticateduser/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.