| name | b2c-ecdn |
| description | Manage eCDN zones, security settings, and edge configuration for B2C Commerce storefronts. Use this skill whenever the user needs to purge CDN cache, provision SSL certificates, configure WAF or firewall rules, set up rate limiting, enable logpush or Page Shield, manage MRT routing, configure mTLS or cipher suites, or optimize edge performance. Also use when troubleshooting CDN-layer issues or managing zone settings -- even if they just say 'clear the cache' or 'block bot traffic on our storefront'. |
B2C eCDN Skill
Use the b2c CLI plugin to manage eCDN (embedded Content Delivery Network) zones, certificates, security settings, and more.
Tip: If b2c is not installed globally, use npx @salesforce/b2c-cli instead (e.g., npx @salesforce/b2c-cli ecdn zones list).
Configuration
Values like tenantId, clientId, and clientSecret resolve from dw.json / SFCC_* env vars / the active instance / configuration plugins. Examples below show minimal usage; add flags only to override configured values — passing --client-id/--client-secret/--tenant-id is usually unnecessary. If a required value is missing, the CLI emits an actionable error pointing at the flag, env var, and config key.
Run b2c setup inspect to see the resolved configuration and which source provided each value (--json for scripting, --unmask to reveal secrets). For precedence rules and troubleshooting, see the b2c-cli:b2c-config skill.
Prerequisites
- OAuth credentials with
sfcc.cdn-zones scope (read operations)
- OAuth credentials with
sfcc.cdn-zones.rw scope (write operations)
- Tenant ID for your B2C Commerce organization (from config or
--tenant-id)
Examples
List CDN Zones
b2c ecdn zones list
b2c ecdn zones list --json
b2c ecdn zones list --tenant-id zzxy_prd
Create a Storefront Zone
b2c ecdn zones create --domain-name example.com
Purge Cache
b2c ecdn cache purge --zone my-zone --path /products --path /categories
b2c ecdn cache purge --zone my-zone --tag product-123 --tag category-456
Manage Certificates
b2c ecdn certificates list --zone my-zone
b2c ecdn certificates add --zone my-zone --hostname www.example.com --certificate-file ./cert.pem --private-key-file ./key.pem
b2c ecdn certificates validate --zone my-zone --certificate-id abc123
Manage Rate Limiting Rules
b2c ecdn rate-limit list --zone my-zone
b2c ecdn rate-limit create --zone my-zone --description "Rate limit /checkout" --expression '(http.request.uri.path matches "^/checkout")' --characteristics cf.unique_visitor_id --action block --period 60 --requests-per-period 50 --mitigation-timeout 600
b2c ecdn rate-limit get --zone my-zone --rule-id 2c0fc9fa937b11eaa1b71c4d701ab86e
b2c ecdn rate-limit update --zone my-zone --rule-id 2c0fc9fa937b11eaa1b71c4d701ab86e --requests-per-period 100
b2c ecdn rate-limit delete --zone my-zone --rule-id 2c0fc9fa937b11eaa1b71c4d701ab86e --force
Security Settings
b2c ecdn security get --zone my-zone
b2c ecdn security update --zone my-zone --ssl-mode full --min-tls-version 1.2 --always-use-https
Speed Settings
b2c ecdn speed get --zone my-zone
b2c ecdn speed update --zone my-zone --browser-cache-ttl 14400 --auto-minify-html --auto-minify-css
Additional Topics
For less commonly used eCDN features, see the reference files:
- SECURITY.md — WAF (v1 and v2), custom firewall rules, rate limiting, and Page Shield (CSP policies, script detection, notification webhooks)
- ADVANCED.md — Logpush jobs, MRT routing rules, mTLS certificates, cipher suite configuration, and origin header modification
Configuration Overrides
The tenant ID can be overridden via flag or environment variable:
--tenant-id / SFCC_TENANT_ID / tenantId in dw.json
The --zone flag accepts either:
- Zone ID (32-character hex string)
- Zone name (human-readable, case-insensitive lookup)
OAuth Scopes
| Operation | Required Scope |
|---|
| Read operations | sfcc.cdn-zones |
| Write operations | sfcc.cdn-zones.rw |
More Commands
See b2c ecdn --help for a full list of available commands and options in the ecdn topic.
