SalesforceCommerceCloud
diff --git a/‎docs/api-readme.md‎
Lines changed: 57 additions & 2 deletions b/‎docs/api-readme.md‎
Lines changed: 57 additions & 2 deletions
diff --git a/‎docs/cli/account-manager.md‎
Lines changed: 266 additions & 2 deletions b/‎docs/cli/account-manager.md‎
Lines changed: 266 additions & 2 deletions
diff --git a/‎docs/cli/index.md‎
Lines changed: 2 additions & 1 deletion b/‎docs/cli/index.md‎
Lines changed: 2 additions & 1 deletion
@@ -243,7 +243,7 @@ const { data, error } = await instance.ocapi.PATCH('/code_versions/{code_version
 
 ## Account Manager Operations
 
-The SDK provides a unified client for managing users, roles, and organizations through the Account Manager API.
+The SDK provides a unified client for managing users, roles, organizations, and API clients through the Account Manager API.
 
 ### Authentication
 
@@ -253,7 +253,7 @@ For CI/CD and automation, you can also use **OAuth client credentials flow** (re
 
 ### Unified Client (Recommended)
 
-The recommended approach is to use the unified `createAccountManagerClient` which provides access to all Account Manager APIs (users, roles, and organizations):
+The recommended approach is to use the unified `createAccountManagerClient`, which provides access to all Account Manager APIs (users, roles, organizations, and API clients):
 
 ```typescript
 import { createAccountManagerClient } from '@salesforce/b2c-tooling-sdk/clients';
@@ -296,6 +296,19 @@ const orgs = await client.listOrgs({ size: 25, page: 0 });
 const org = await client.getOrg('org-id');
 const orgByName = await client.getOrgByName('My Organization');
 const auditLogs = await client.getOrgAuditLogs('org-id');
+
+// API Clients API (service accounts for programmatic access)
+const apiClients = await client.listApiClients({ size: 20, page: 0 });
+const apiClient = await client.getApiClient('api-client-uuid', ['organizations', 'roles']);
+await client.createApiClient({
+  name: 'my-client',
+  organizations: ['org-id'],
+  password: 'SecureP@ss12',
+  active: false,
+});
+await client.updateApiClient('api-client-uuid', { name: 'new-name', active: true });
+await client.changeApiClientPassword('api-client-uuid', 'oldPassword', 'newPassword12');
+await client.deleteApiClient('api-client-uuid'); // Client must be disabled 7+ days first
 ```
 
 ### Client Credentials Flow (Alternative)
@@ -329,6 +342,7 @@ import {
   createAccountManagerUsersClient,
   createAccountManagerRolesClient,
   createAccountManagerOrgsClient,
+  createAccountManagerApiClientsClient,
 } from '@salesforce/b2c-tooling-sdk/clients';
 import { ImplicitOAuthStrategy } from '@salesforce/b2c-tooling-sdk/auth';
 
@@ -353,6 +367,12 @@ const orgsClient = createAccountManagerOrgsClient(
   { accountManagerHost: 'account.demandware.com' },
   auth,
 );
+
+// API Clients client (service accounts)
+const apiClientsClient = createAccountManagerApiClientsClient(
+  { accountManagerHost: 'account.demandware.com' },
+  auth,
+);
 ```
 
 ### User Operations
@@ -446,6 +466,41 @@ const allOrgs = await client.listOrgs({ all: true });
 const auditLogs = await client.getOrgAuditLogs('org-123');
 ```
 
+### API Client Operations
+
+Manage Account Manager API clients (service accounts for programmatic access). API clients are created inactive by default and must be disabled for at least 7 days before deletion.
+
+```typescript
+import { createAccountManagerClient } from '@salesforce/b2c-tooling-sdk/clients';
+import { ImplicitOAuthStrategy } from '@salesforce/b2c-tooling-sdk/auth';
+
+const auth = new ImplicitOAuthStrategy({ clientId: 'your-client-id' });
+const client = createAccountManagerClient({}, auth);
+
+// List API clients with pagination
+const result = await client.listApiClients({ size: 20, page: 0 });
+
+// Get API client by ID (optionally expand organizations and roles)
+const apiClient = await client.getApiClient('api-client-uuid', ['organizations', 'roles']);
+
+// Create a new API client (created inactive by default)
+const newClient = await client.createApiClient({
+  name: 'my-client',
+  organizations: ['org-id'],
+  password: 'SecureP@ss12',
+  active: false,
+});
+
+// Update an API client (only provided fields are updated)
+await client.updateApiClient('api-client-uuid', { name: 'new-name', active: true });
+
+// Change API client password
+await client.changeApiClientPassword('api-client-uuid', 'oldPassword', 'newPassword12');
+
+// Delete an API client (must have been disabled for at least 7 days)
+await client.deleteApiClient('api-client-uuid');
+```
+
 ### Required Permissions
 
 Account Manager operations require:
 
@@ -1,10 +1,10 @@
 ---
-description: Commands for managing Account Manager resources including users, roles, and organizations.
+description: Commands for managing Account Manager resources including users, roles, organizations, and API clients.
 ---
 
 # Account Manager Commands
 
-Commands for managing Account Manager resources including users, roles, role assignments, and organizations.
+Commands for managing Account Manager resources including users, roles, role assignments, organizations, and API clients.
 
 ## Global Flags
 
@@ -792,3 +792,267 @@ Displays a table of audit log records with the selected columns. Timestamps are
 - If organization is not found, an error is returned
 - If no audit records are found, a message is displayed
 - Timestamps are displayed in a human-readable format with zero-padding for consistent spacing
+
+---
+
+## API Client Management
+
+Commands for managing Account Manager API clients (service accounts for programmatic access). API clients can be assigned roles and organizations, support client credentials or JWT authentication, and are created inactive by default. They must be disabled for at least 7 days before they can be deleted.
+
+### b2c am clients list
+
+List Account Manager API clients with pagination.
+
+#### Usage
+
+```bash
+b2c am clients list [FLAGS]
+```
+
+#### Flags
+
+| Flag | Description | Default |
+|------|-------------|---------|
+| `--page` | Page number (0-based) | `0` |
+| `--size`, `-s` | Number of results per page (1-4000) | `20` |
+| `--columns`, `-c` | Comma-separated list of columns to display | Default columns |
+| `--extended`, `-x` | Show all available columns | `false` |
+| `--json` | Output results as JSON | `false` |
+
+#### Default Columns
+
+- ID
+- Name
+- Description
+- Active
+- Auth Method
+- Created
+
+#### Extended Columns
+
+- Last Auth
+- Disabled
+
+#### Examples
+
+```bash
+b2c am clients list
+b2c am clients list --size 50 --page 1
+b2c am clients list --extended --json
+```
+
+#### Notes
+
+- Created and Disabled dates are formatted as `MM/DD/YYYY HH:MM:SS` with zero-padding for equal column width (e.g. `09/10/2020 14:30:00`)
+- Page size must be between 1 and 4000
+- Page number must be a non-negative integer (0-based)
+
+---
+
+### b2c am clients get
+
+Get details of a single Account Manager API client by ID.
+
+#### Usage
+
+```bash
+b2c am clients get <API-CLIENT-ID> [FLAGS]
+```
+
+#### Arguments
+
+| Argument | Description | Required |
+|----------|-------------|----------|
+| `API-CLIENT-ID` | API client UUID | Yes |
+
+#### Flags
+
+| Flag | Description |
+|------|-------------|
+| `--expand` | Comma-separated fields to expand. Valid values: `organizations`, `roles` |
+| `--json` | Output results as JSON |
+
+#### Examples
+
+```bash
+b2c am clients get <api-client-id>
+b2c am clients get <api-client-id> --expand organizations,roles --json
+```
+
+#### Output
+
+When not using `--json`, displays formatted API client information including:
+
+- **API Client Details**: ID, Name, Description, Active, Auth Method, Password Modified, Created, Disabled
+- **Redirect URLs**: List of allowed redirect URLs (if present)
+- **Scopes**: OAuth scopes (if present)
+- **Default Scopes**: Default OAuth scopes (if present)
+- **Organizations**: Organization IDs or full objects (if expanded)
+- **Roles**: Role IDs or full objects (if expanded)
+- **Role Tenant Filters**: Role-to-tenant mappings (if present)
+- **Version Control**: Version control identifiers (if present)
+
+#### Notes
+
+- Invalid `--expand` values return an error listing the valid options (`organizations`, `roles`)
+- If the API client is not found, an error is returned
+
+---
+
+### b2c am clients create
+
+Create a new Account Manager API client. Clients are created inactive by default and must be explicitly activated (e.g. via update).
+
+#### Usage
+
+```bash
+b2c am clients create [FLAGS]
+```
+
+#### Required Flags
+
+| Flag | Description |
+|------|-------------|
+| `--name`, `-n` | API client name (max 200 characters) |
+| `--organizations`, `-o` | Comma-separated organization IDs |
+| `--password`, `-p` | Password (12–128 characters) |
+
+#### Optional Flags
+
+| Flag | Description |
+|------|-------------|
+| `--description`, `-d` | Description (max 256 characters) |
+| `--roles`, `-r` | Comma-separated role IDs (e.g. SALESFORCE_COMMERCE_API) |
+| `--role-tenant-filter` | Role tenant filter (format: ROLE:realm_instance,realm_instance;ROLE2:... e.g. SALESFORCE_COMMERCE_API:abcd_prd) |
+| `--active` | Create as active (default: false) |
+| `--redirect-urls` | Comma-separated list of allowed redirect URLs for OAuth flows |
+| `--scopes` | Comma-separated OAuth scopes |
+| `--default-scopes` | Comma-separated default OAuth scopes |
+| `--version-control` | Comma-separated version control system identifiers |
+| `--token-endpoint-auth-method` | Token endpoint auth method: `private_key_jwt`, `client_secret_post`, `client_secret_basic`, or `none` |
+| `--jwt-public-key` | Public key for JWT authentication (PEM or inline) |
+| `--json` | Output results as JSON |
+
+#### Examples
+
+```bash
+b2c am clients create --name my-client --organizations org-id-1 --password "SecureP@ss123"
+b2c am clients create -n my-client -o org-id-1 -p "SecureP@ss123" -r SALESFORCE_COMMERCE_API
+b2c am clients create -n my-client -o org-id-1 -p "SecureP@ss123" --scopes "mail,openid" --default-scopes "mail"
+```
+
+#### Notes
+
+- Name must be non-empty and at most 200 characters; description at most 256 characters
+- Password must be 12–128 characters
+- Role tenant filter must match pattern: `ROLE:realm_instance(,realm_instance)*(;ROLE:...)*` (e.g. SALESFORCE_COMMERCE_API:abcd_prd)
+- At least one organization ID is required
+
+---
+
+### b2c am clients update
+
+Update an existing Account Manager API client. Only provided fields are updated; omitted fields keep their current values.
+
+#### Usage
+
+```bash
+b2c am clients update <API-CLIENT-ID> [FLAGS]
+```
+
+#### Arguments
+
+| Argument | Description | Required |
+|----------|-------------|----------|
+| `API-CLIENT-ID` | API client UUID | Yes |
+
+#### Flags
+
+| Flag | Description |
+|------|-------------|
+| `--name`, `-n` | API client name (max 200 characters) |
+| `--description`, `-d` | Description (max 256 characters) |
+| `--organizations`, `-o` | Comma-separated organization IDs |
+| `--roles`, `-r` | Comma-separated role IDs |
+| `--role-tenant-filter` | Role tenant filter (format: ROLE:realm_instance,realm_instance;ROLE2:... e.g. SALESFORCE_COMMERCE_API:abcd_prd) |
+| `--active` | Set active (true/false) |
+| `--redirect-urls` | Comma-separated list of allowed redirect URLs for OAuth flows |
+| `--scopes` | Comma-separated OAuth scopes |
+| `--default-scopes` | Comma-separated default OAuth scopes |
+| `--version-control` | Comma-separated version control system identifiers |
+| `--token-endpoint-auth-method` | Token endpoint auth method: `private_key_jwt`, `client_secret_post`, `client_secret_basic`, or `none` |
+| `--jwt-public-key` | Public key for JWT authentication (PEM or inline) |
+| `--json` | Output results as JSON |
+
+#### Examples
+
+```bash
+b2c am clients update <api-client-id> --name new-name
+b2c am clients update <api-client-id> --active
+b2c am clients update <api-client-id> --scopes "mail,openid" --default-scopes "mail"
+```
+
+#### Notes
+
+- At least one flag must be provided
+- Name at most 200 characters; description at most 256 characters
+- Role tenant filter must match pattern: `ROLE:realm_instance(,realm_instance)*(;ROLE:...)*`
+
+---
+
+### b2c am clients delete
+
+Delete an Account Manager API client. The client must have been disabled for at least 7 days before it can be deleted.
+
+#### Usage
+
+```bash
+b2c am clients delete <API-CLIENT-ID>
+```
+
+#### Arguments
+
+| Argument | Description | Required |
+|----------|-------------|----------|
+| `API-CLIENT-ID` | API client UUID | Yes |
+
+#### Examples
+
+```bash
+b2c am clients delete <api-client-id>
+```
+
+---
+
+### b2c am clients password
+
+Change the password for an Account Manager API client.
+
+#### Usage
+
+```bash
+b2c am clients password <API-CLIENT-ID> [FLAGS]
+```
+
+#### Arguments
+
+| Argument | Description | Required |
+|----------|-------------|----------|
+| `API-CLIENT-ID` | API client UUID | Yes |
+
+#### Flags
+
+| Flag | Description | Required |
+|------|-------------|----------|
+| `--current`, `-c` | Current password | Yes |
+| `--new`, `-n` | New password (12–128 characters) | Yes |
+
+#### Examples
+
+```bash
+b2c am clients password <api-client-id> --current "OldP@ss" --new "NewP@ss123"
+```
+
+#### Notes
+
+- New password must be 12–128 characters
@@ -55,12 +55,13 @@ These flags are available on all commands that interact with B2C instances:
 
 ### Account Management
 
-- [Account Manager Commands](./account-manager) - Manage Account Manager users, roles, and organizations
+- [Account Manager Commands](./account-manager) - Manage Account Manager users, roles, organizations, and API clients
 
 All Account Manager commands are under the `am` topic:
 - `b2c am users ...` - User management commands
 - `b2c am roles ...` - Role management commands
 - `b2c am orgs ...` - Organization management commands
+- `b2c am clients ...` - API client management (list, get, create, update, delete, password)
 
 ### Utilities