docs: document SFCC_REDIRECT_URI and SFCC_OAUTH_LOCAL_PORT env vars

clavery · clavery · commit f6e46dd87b3c · 2026-03-24T10:43:21.000-04:00
Add proxy/redirect URI documentation to:
- Configuration guide (env vars table)
- Authentication guide (redirect URLs section)
- b2c-config skill (authentication section)
diff --git a/docs/guide/authentication.md b/docs/guide/authentication.md
@@ -152,6 +152,10 @@ For **User Authentication** (implicit flow), configure redirect URLs in your API
 
 **Note:** Redirect URLs are not required for API clients using only Client Credentials authentication.
 
+::: tip Running Behind a Proxy
+If you're running the CLI behind a proxy where `localhost:8080` isn't reachable by the browser, set `SFCC_REDIRECT_URI` to the proxy URL (e.g., `https://proxy.example.com:8080`). The proxy should forward traffic to the CLI's local server. You can also change the local server port with `SFCC_OAUTH_LOCAL_PORT`. Make sure to add your proxy URL to the API client's redirect URLs in Account Manager.
+:::
+
 ## OCAPI Configuration
 
 For operations that interact with B2C Commerce instances (code deployment, jobs, sites), you need to configure OCAPI permissions on each instance.
diff --git a/docs/guide/configuration.md b/docs/guide/configuration.md
@@ -70,6 +70,8 @@ You can configure the CLI using environment variables:
 | `SFCC_SHORTCODE`              | SCAPI short code                                               |
 | `SFCC_TENANT_ID`              | Organization/tenant ID for SCAPI                               |
 | `SFCC_ACCOUNT_MANAGER_HOST`   | Account Manager hostname for OAuth                             |
+| `SFCC_REDIRECT_URI`           | Override redirect URI for implicit OAuth flow (e.g., when behind a proxy) |
+| `SFCC_OAUTH_LOCAL_PORT`       | Local port for the implicit OAuth redirect server (default: `8080`) |
 | `SFCC_USERNAME`               | Basic auth username                                            |
 | `SFCC_PASSWORD`               | Basic auth password                                            |
 | `SFCC_CERTIFICATE`            | Path to PKCS12 certificate for two-factor auth (mTLS)          |
diff --git a/skills/b2c-cli/skills/b2c-config/SKILL.md b/skills/b2c-cli/skills/b2c-config/SKILL.md
@@ -35,6 +35,8 @@ b2c auth token --user-auth
 
 Coding agents can also use `--user-auth` — the browser flow works in any environment where a browser can be opened. The flag is exclusive with `--auth-methods`.
 
+**Running behind a proxy:** If `localhost:8080` isn't reachable by the browser (e.g., running in a container or behind a reverse proxy), set `SFCC_REDIRECT_URI` to the proxy URL. The local OAuth server still listens on the default port (or `SFCC_OAUTH_LOCAL_PORT`), but the redirect URI sent to Account Manager will use your proxy URL. Add the proxy URL to the API client's redirect URLs in Account Manager.
+
 ## Tenant ID and Organization ID
 
 B2C Commerce uses two related identifiers:
