Authentication in the Sitecore XC solution is based on tokens or on specific authenticated identities. Security is enforced at the controller level, using either a token or the user's Sitecore credentials. Every user or application must be authenticated before it can call any Commerce Engine controller.

Sitecore Identity provides the authentication service, using bearer token authentication.
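The following is an added illustration of the mechanism described above, not code from Sitecore or the Commerce Engine: a controller-level gate that refuses every call lacking a valid bearer token. The token format (an HS256-signed JWT), the shared signing key, and the issuer and audience values are assumptions made for the demo; in a real deployment the token shape and keys come from the identity server, and `issue_token` only stands in for it so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional, Tuple

# Demo-only values (assumptions, not Sitecore configuration).
SIGNING_KEY = b"demo-signing-key-do-not-use"
EXPECTED_ISSUER = "https://identity.example.test"   # placeholder for the identity server
EXPECTED_AUDIENCE = "EngineAPI"                     # placeholder audience name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Stand-in for the identity server: mint an HS256-signed bearer token."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": subject,
              "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, now: Optional[float] = None) -> dict:
    """Verify algorithm, signature, issuer, audience and expiry; raise PermissionError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        raise PermissionError("malformed token")
    # Pin the algorithm: never let the token choose it (blocks "alg": "none" and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


def handle_request(headers: Dict[str, str], controller: Callable[[dict], dict],
                   now: Optional[float] = None) -> Tuple[int, dict]:
    """Controller-level gate: the controller body runs only for an authenticated caller."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not credential:
        return 401, {"error": "authentication required"}
    try:
        claims = validate_token(credential, now=now)
    except PermissionError as exc:
        return 401, {"error": str(exc)}
    return 200, controller(claims)


if __name__ == "__main__":
    token = issue_token("alice", now=1_000_000)
    print(handle_request({"Authorization": "Bearer " + token},
                         lambda c: {"user": c["sub"]}, now=1_000_100))
    print(handle_request({}, lambda c: {}, now=1_000_100))
```

The check order matters: the algorithm is pinned before the signature is compared, the signature is verified before any claim is trusted, and the controller body is never reached on a failure, which is the "enforced at the controller level" property the page describes.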


Certificate authentication is no longer supported with Sitecore XC 9.3 release.

Additional security considerations include:

  • HTTPS and SSL support

  • No credit card storage option

  • PCI Level 1 DSS 2.0 Certified Tokenization

  • Strong password enforcement

  • 90-day forced administrator password changes

  • Back office geographical and proximity real-time validations

  • Back office IP restriction access