feat: embed default public client ID for zero-config platform commands

Sandbox, Account Manager, and SLAS commands now work without requiring
a pre-configured client ID. The CLI falls back to a built-in public
client for implicit OAuth flows (browser-based login) when no client
ID is configured.

Author: clavery

.changeset/default-public-client.md

@@ -0,0 +1,6 @@
+---
+'@salesforce/b2c-cli': minor
+'@salesforce/b2c-tooling-sdk': minor
+---
+
+Embed a default public client ID for implicit OAuth flows. Account Manager, Sandbox, and SLAS commands now work without requiring a pre-configured client ID — the CLI will automatically use a built-in public client for browser-based authentication.

docs/cli/account-manager.md

@@ -16,32 +16,27 @@ These flags are available on all Account Manager commands:
 
 ## Authentication
 
-Account Manager commands require an API client or can be executed through an implicit workflow that seamlessly handles user authentication and associated flows.
+Account Manager commands work out of the box using the CLI's built-in public client, which authenticates via browser login (implicit flow). No API client configuration is required for interactive use.
 
-### Required Configuration
-
-| Flag | Environment Variable | Description |
-|------|---------------------|-------------|
-| `--client-id` | `SFCC_CLIENT_ID` | OAuth client ID for Account Manager |
-| `--client-secret` | `SFCC_CLIENT_SECRET` | OAuth client secret for Account Manager |
+For automation or CI/CD, you can provide your own API client credentials.
 
 ### Required Roles
 
 | Auth Method | Role | Configured On |
 |-------------|------|---------------|
+| Built-in client (default) | Uses your user account's roles | Your user account |
 | Client Credentials | `User Administrator` or higher | The API client |
 
-User authentication is handled via the implicit flow, utilizing the access rights granted to the user.
-
 ### Configuration
 
 ```bash
-# Set Account Manager host
-export SFCC_ACCOUNT_MANAGER_HOST=account.demandware.com
+# No configuration needed — opens browser for login
+b2c am users list
 
-# Set OAuth credentials
+# Client Credentials (for automation)
 export SFCC_CLIENT_ID=my-client-id
 export SFCC_CLIENT_SECRET=my-client-secret
+b2c am users list
 ```
 
 ---

docs/cli/sandbox.md

@@ -37,30 +37,30 @@ These flags are available on all sandbox commands:
 
 ## Authentication
 
-Sandbox commands require an Account Manager API Client.
+Sandbox commands work out of the box using the CLI's built-in public client, which authenticates via browser login (implicit flow). No API client configuration is required for interactive use.
+
+For automation or CI/CD, you can provide your own API client credentials.
 
 ### Required Roles
 
 | Auth Method | Role | Configured On |
 |-------------|------|---------------|
+| Built-in client (default) | `Sandbox API User` | Your user account |
 | User Authentication | `Sandbox API User` | Your user account |
 | Client Credentials | `Sandbox API User` | The API client |
 
-**User Authentication**: Used when only `--client-id` is provided. Opens a browser for login. The `Sandbox API User` role must be assigned to your user account in Account Manager.
-
-**Client Credentials**: Used when both `--client-id` and `--client-secret` are provided. The `Sandbox API User` role must be assigned to the API client.
-
-### Tenant Filter
-
-The API client's roles must have a tenant filter configured for the realm(s) you wish to manage. In Account Manager, under each role (e.g., `Sandbox API User`), add the realm IDs you need to access to the **Tenant Filter**.
+The `Sandbox API User` role must have a **tenant filter** configured for the realm(s) you wish to manage.
 
 ### Configuration
 
 ```bash
-# User Authentication (opens browser)
+# No configuration needed — opens browser for login
+b2c sandbox list
+
+# Or provide your own client ID
 b2c sandbox list --client-id xxx
 
-# Client Credentials
+# Client Credentials (for automation)
 export SFCC_CLIENT_ID=my-client
 export SFCC_CLIENT_SECRET=my-secret
 b2c sandbox list

docs/cli/slas.md

@@ -16,30 +16,30 @@ These flags are available on all SLAS commands:
 
 ## Authentication
 
-SLAS commands require an Account Manager API Client.
+SLAS commands work out of the box using the CLI's built-in public client, which authenticates via browser login (implicit flow). No API client configuration is required for interactive use.
+
+For automation or CI/CD, you can provide your own API client credentials.
 
 ### Required Roles
 
 | Auth Method | Role | Configured On |
 |-------------|------|---------------|
+| Built-in client (default) | `SLAS Organization Administrator` | Your user account |
 | User Authentication | `SLAS Organization Administrator` | Your user account |
 | Client Credentials | `Sandbox API User` | The API client |
 
-**User Authentication**: Used when only `--client-id` is provided. Opens a browser for login. Roles must be assigned to your user account in Account Manager.
-
-**Client Credentials**: Used when both `--client-id` and `--client-secret` are provided. Roles must be assigned to the API client.
-
-### Tenant Filter
-
-The API client's roles must have a tenant filter configured for the organization you wish to manage. In Account Manager, under each role (e.g., `Sandbox API User`, `SLAS Organization Administrator`), add the organization IDs you need to access to the **Tenant Filter**.
+The role must have a **tenant filter** configured for the organization you wish to manage.
 
 ### Configuration
 
 ```bash
-# User Authentication (opens browser)
+# No configuration needed — opens browser for login
+b2c slas client list --tenant-id abcd_123
+
+# Or provide your own client ID
 b2c slas client list --tenant-id abcd_123 --client-id xxx
 
-# Client Credentials
+# Client Credentials (for automation)
 export SFCC_CLIENT_ID=my-client
 export SFCC_CLIENT_SECRET=my-secret
 b2c slas client list --tenant-id abcd_123

docs/guide/authentication.md

@@ -16,10 +16,15 @@ The CLI uses different authentication mechanisms depending on the operation:
 | [Code](/cli/code) list, activate, delete | OAuth + OCAPI | [API Client](#account-manager-api-client) + [OCAPI](#ocapi-configuration) |
 | [Jobs](/cli/jobs), [Sites](/cli/sites) | OAuth + OCAPI | [API Client](#account-manager-api-client) + [OCAPI](#ocapi-configuration) |
 | SCAPI commands ([schemas](/cli/scapi-schemas), [custom-apis](/cli/custom-apis), [eCDN](/cli/ecdn)) | OAuth + SCAPI scopes | [API Client](#account-manager-api-client) + [SCAPI Scopes](#scapi-authentication) |
-| [SLAS](/cli/slas) client management | OAuth | [API Client](#account-manager-api-client) with appropriate roles |
-| [Sandbox](/cli/sandbox) management | OAuth | [API Client](#account-manager-api-client) with `Sandbox API User` role |
+| [SLAS](/cli/slas) client management | OAuth | None (uses built-in client) or [API Client](#account-manager-api-client) |
+| [Sandbox](/cli/sandbox) management | OAuth | None (uses built-in client) or [API Client](#account-manager-api-client) |
+| [Account Manager](/cli/account-manager) | OAuth | None (uses built-in client) or [API Client](#account-manager-api-client) |
 | [MRT](/cli/mrt) commands | MRT API Key | [MRT API Key](#managed-runtime-api-key) |
 
+::: tip Zero-Config for Platform Commands
+Sandbox, SLAS, and Account Manager commands work out of the box without any client configuration. The CLI includes a built-in public client that authenticates via browser login (implicit flow). You only need to configure an API client if you want to use client credentials for automation/CI or need specific scopes.
+:::
+
 ::: tip
 Each CLI command page documents its specific authentication requirements. See the [CLI Reference](/cli/) for details.
 :::

docs/guide/configuration.md

@@ -300,6 +300,10 @@ When using the `--cloud-origin` flag to specify a different MRT endpoint, the CL
 
 By default, the CLI automatically detects available credentials and tries authentication methods in this order: `client-credentials`, then `implicit`. You can override this behavior to control which methods are used.
 
+::: tip Default Public Client
+For platform-level commands (Sandbox, SLAS, and Account Manager), the CLI includes a built-in public client ID. If no `--client-id` is configured, these commands automatically use the built-in client with the implicit flow, opening a browser for authentication. This means you can use these commands with zero configuration.
+:::
+
 ### Available Auth Methods
 
 - `client-credentials` - OAuth 2.0 client credentials flow (requires client ID and secret). Used for SCAPI/OCAPI and WebDAV.

packages/b2c-cli/src/utils/slas/client.ts

@@ -6,7 +6,7 @@
 import {Command, ux} from '@oclif/core';
 import cliui from 'cliui';
 import {OAuthCommand} from '@salesforce/b2c-tooling-sdk/cli';
-import {createSlasClient, getApiErrorMessage, type SlasClient, type SlasComponents} from '@salesforce/b2c-tooling-sdk';
+import {createSlasClient, getApiErrorMessage, DEFAULT_PUBLIC_CLIENT_ID, type SlasClient, type SlasComponents} from '@salesforce/b2c-tooling-sdk';
 import {t} from '../../i18n/index.js';
 
 export type Client = SlasComponents['schemas']['Client'];
@@ -100,6 +100,10 @@ export function formatApiError(error: unknown, response: Response): string {
  * Provides common flags and helper methods.
  */
 export abstract class SlasClientCommand<T extends typeof Command> extends OAuthCommand<T> {
+  protected override getDefaultClientId(): string {
+    return DEFAULT_PUBLIC_CLIENT_ID;
+  }
+
   /**
    * Ensure tenant exists, creating it if necessary.
    * This is required before creating SLAS clients.

packages/b2c-tooling-sdk/src/cli/am-command.ts

@@ -8,6 +8,7 @@ import {OAuthCommand} from './oauth-command.js';
 import {createAccountManagerClient} from '../clients/am-api.js';
 import type {AccountManagerClient} from '../clients/am-api.js';
 import type {AuthMethod} from './config.js';
+import {DEFAULT_PUBLIC_CLIENT_ID} from '../defaults.js';
 
 /**
  * Base command for Account Manager operations.
@@ -32,6 +33,10 @@ import type {AuthMethod} from './config.js';
  * }
  */
 export abstract class AmCommand<T extends typeof Command> extends OAuthCommand<T> {
+  protected override getDefaultClientId(): string {
+    return DEFAULT_PUBLIC_CLIENT_ID;
+  }
+
   /**
    * Override default auth methods to prioritize implicit flow for Account Manager.
    * Gets the default methods from parent class, then ensures 'implicit' is first.

packages/b2c-tooling-sdk/src/cli/oauth-command.ts

@@ -102,19 +102,32 @@ export abstract class OAuthCommand<T extends typeof Command> extends BaseCommand
     return DEFAULT_OAUTH_AUTH_METHODS;
   }
 
+  /**
+   * Returns a default client ID for implicit OAuth flows when no client ID is configured.
+   * Returns undefined by default. Subclasses (AmCommand, OdsCommand, etc.) override this
+   * to return DEFAULT_PUBLIC_CLIENT_ID for platform-level commands that support public client tokens.
+   */
+  protected getDefaultClientId(): string | undefined {
+    return undefined;
+  }
+
   /**
    * Gets an OAuth auth strategy based on allowed auth methods and available credentials.
    *
    * Iterates through allowed methods (in priority order) and returns the first
    * strategy for which the required credentials are available.
    *
+   * For the implicit flow, falls back to getDefaultClientId() when no client ID
+   * is explicitly configured.
+   *
    * @throws Error if no allowed method has the required credentials configured
    */
   protected getOAuthStrategy(): OAuthStrategy | ImplicitOAuthStrategy {
     const config = this.resolvedConfig.values;
     const accountManagerHost = this.accountManagerHost;
     // Use getDefaultAuthMethods() to get default array, allowing subclasses to override
     const allowedMethods = config.authMethods || this.getDefaultAuthMethods();
+    const defaultClientId = this.getDefaultClientId();
 
     for (const method of allowedMethods) {
       switch (method) {
@@ -129,15 +142,20 @@ export abstract class OAuthCommand<T extends typeof Command> extends BaseCommand
           }
           break;
 
-        case 'implicit':
-          if (config.clientId) {
+        case 'implicit': {
+          const effectiveClientId = config.clientId ?? defaultClientId;
+          if (effectiveClientId) {
+            if (!config.clientId && defaultClientId) {
+              this.logger.debug('Using default B2C CLI public client for authentication');
+            }
             return new ImplicitOAuthStrategy({
-              clientId: config.clientId,
+              clientId: effectiveClientId,
               scopes: config.scopes,
               accountManagerHost,
             });
           }
           break;
+        }
 
         // 'basic' and 'api-key' are not applicable for OAuth strategies
         // They would be handled by different command bases (e.g., InstanceCommand, MRTCommand)
@@ -157,10 +175,11 @@ export abstract class OAuthCommand<T extends typeof Command> extends BaseCommand
 
   /**
    * Check if OAuth credentials are available.
-   * Returns true if clientId is configured (with or without clientSecret).
+   * Returns true if clientId is configured (with or without clientSecret),
+   * or if a default client ID is available for implicit flows.
    */
   protected hasOAuthCredentials(): boolean {
-    return this.resolvedConfig.hasOAuthConfig();
+    return this.resolvedConfig.hasOAuthConfig() || this.getDefaultClientId() !== undefined;
   }
 
   /**

packages/b2c-tooling-sdk/src/cli/ods-command.ts

@@ -8,7 +8,7 @@ import {OAuthCommand} from './oauth-command.js';
 import {loadConfig, extractOdsFlags} from './config.js';
 import type {ResolvedB2CConfig} from '../config/index.js';
 import {createOdsClient, type OdsClient} from '../clients/ods.js';
-import {DEFAULT_ODS_HOST} from '../defaults.js';
+import {DEFAULT_ODS_HOST, DEFAULT_PUBLIC_CLIENT_ID} from '../defaults.js';
 import {isUuid, parseFriendlySandboxId, SandboxNotFoundError} from '../operations/ods/sandbox-lookup.js';
 
 /**
@@ -33,6 +33,10 @@ import {isUuid, parseFriendlySandboxId, SandboxNotFoundError} from '../operation
  * }
  */
 export abstract class OdsCommand<T extends typeof Command> extends OAuthCommand<T> {
+  protected override getDefaultClientId(): string {
+    return DEFAULT_PUBLIC_CLIENT_ID;
+  }
+
   static baseFlags = {
     ...OAuthCommand.baseFlags,
     'sandbox-api-host': Flags.string({