doc updates

Author: clavery

docs/.vitepress/config.mts

@@ -7,6 +7,7 @@ const guideSidebar = [
     items: [
       { text: 'Introduction', link: '/guide/' },
       { text: 'Installation', link: '/guide/installation' },
+      { text: 'Authentication Setup', link: '/guide/authentication' },
       { text: 'Configuration', link: '/guide/configuration' },
     ],
   },

docs/cli/auth.md

@@ -84,42 +84,57 @@ b2c auth token | pbcopy  # macOS: copy to clipboard
 
 ## Authentication Overview
 
-The CLI supports multiple authentication methods depending on the operation:
+The CLI supports multiple authentication methods depending on the operation.
 
-### OAuth Client Credentials
+### Account Manager API Client (OAuth)
 
-Most commands use OAuth client credentials authentication:
+Most instance operations require an Account Manager API Client. The CLI supports two OAuth flows:
+
+| Auth Method | Description | Use Case |
+|-------------|-------------|----------|
+| User Authentication | Interactive browser-based login | Development, manual operations |
+| Client Credentials | Non-interactive with client ID/secret | CI/CD, automation, scripts |
 
 ```bash
+# Client Credentials
 export SFCC_CLIENT_ID=my-client
 export SFCC_CLIENT_SECRET=my-secret
 ```
 
-Required for:
+Used by:
 - Code management (`code list`, `code activate`, `code delete`)
 - Job operations (`job run`, `job search`, `job import`, `job export`)
 - Site operations (`sites list`)
-- ODS operations
-- SLAS operations
-- MRT operations
+- ODS operations (requires `Sandbox API User` role)
+- SLAS operations (requires `SLAS Organization Administrator` or `Sandbox API User` role)
 
 ### Basic Auth (WebDAV)
 
-WebDAV operations support Basic Auth for better performance:
+WebDAV operations support Basic Auth using your Business Manager username and WebDAV access key:
 
 ```bash
 export SFCC_USERNAME=my-user
-export SFCC_PASSWORD=my-access-key
+export SFCC_PASSWORD=my-webdav-access-key
 ```
 
 Used by:
 - `code deploy` (file upload)
 - `code watch` (file upload)
 - `webdav` commands
 
+### MRT API Key
+
+Managed Runtime commands use a separate API key obtained from the MRT dashboard:
+
+```bash
+export SFCC_MRT_API_KEY=your-mrt-api-key
+```
+
+See [MRT Commands](./mrt#authentication) for details.
+
 ### Mixed Authentication
 
-Some commands (like `code deploy`) require both OAuth and WebDAV access. You can provide both:
+Some commands (like `code deploy` with `--reload`) require both OAuth and WebDAV access:
 
 ```bash
 export SFCC_CLIENT_ID=my-client
@@ -131,7 +146,7 @@ b2c code deploy --reload
 
 ### Configuration File
 
-Credentials can also be stored in a `dw.json` file:
+Credentials can be stored in a `dw.json` file:
 
 ```json
 {
@@ -143,3 +158,7 @@ Credentials can also be stored in a `dw.json` file:
 ```
 
 Use `--config` to specify a custom config file path, or `--instance` to select a named instance configuration.
+
+### Tenant Scope
+
+For ODS and SLAS operations, your API client must have tenant scope configured for the realm/organization you wish to manage. This is set up in Account Manager when creating or editing the API client.

docs/cli/mrt.md

@@ -21,6 +21,40 @@ MRT commands resolve configuration in the following order of precedence:
 3. `dw.json` file (`mrtProject`, `mrtEnvironment` fields)
 4. `~/.mobify` config file (for `api_key`)
 
+## Authentication
+
+MRT commands use API key authentication. The API key is configured in the Managed Runtime dashboard and grants access to specific projects.
+
+### Getting an API Key
+
+1. Log in to the [Managed Runtime dashboard](https://runtime.commercecloud.com/)
+2. Navigate to **Account Settings** > **API Keys**
+3. Create a new API key or use an existing one
+4. The API key grants access to all projects in your organization
+
+### Configuration
+
+Provide the API key via one of these methods (in order of precedence):
+
+1. **Command-line flag**: `--api-key your-api-key`
+2. **Environment variable**: `export SFCC_MRT_API_KEY=your-api-key`
+3. **Mobify config file**: `~/.mobify` with `api_key` field
+
+### Example ~/.mobify File
+
+```json
+{
+  "api_key": "your-mrt-api-key"
+}
+```
+
+### Project Access
+
+Your API key provides access to all projects in your MRT organization. Specify the project using:
+
+- `--project` flag or `SFCC_MRT_PROJECT` environment variable
+- `mrtProject` field in `dw.json`
+
 ---
 
 ## b2c mrt push
@@ -339,25 +373,3 @@ b2c mrt env var delete MY_VAR --project acme-storefront --environment production
 # Short form
 b2c mrt env var delete OLD_API_KEY -p my-project -e staging
 ```
-
----
-
-## Authentication
-
-All MRT commands use API key authentication. You can provide credentials in several ways:
-
-1. **Command-line flag**: `--api-key your-api-key`
-2. **Environment variable**: `export SFCC_MRT_API_KEY=your-api-key`
-3. **Mobify config file**: `~/.mobify` with `api_key` field
-
-### Getting an API Key
-
-Obtain your MRT API key from the Managed Runtime dashboard in your Salesforce Commerce Cloud account.
-
-### Example ~/.mobify File
-
-```json
-{
-  "api_key": "your-mrt-api-key"
-}
-```

docs/cli/ods.md

@@ -10,9 +10,34 @@ These flags are available on all ODS commands:
 |------|---------------------|-------------|
 | `--sandbox-api-host` | `SFCC_SANDBOX_API_HOST` | ODS API hostname (default: admin.dx.commercecloud.salesforce.com) |
 
-### Authentication
+## Authentication
 
-ODS commands require OAuth authentication. Provide `--client-id` and `--client-secret` or set the corresponding environment variables.
+ODS commands require an Account Manager API Client with appropriate roles.
+
+### Required Roles
+
+| Auth Method | Role | Description |
+|-------------|------|-------------|
+| User Authentication | `Sandbox API User` | For interactive/browser-based authentication |
+| Client Credentials | `Sandbox API User` | For automated/service authentication |
+
+### Tenant Scope
+
+The API client must have tenant scope configured for the realm(s) you wish to manage. This is configured in Account Manager when setting up the API client.
+
+### Configuration
+
+Provide credentials via flags or environment variables:
+
+```bash
+# Client Credentials
+export SFCC_CLIENT_ID=my-client
+export SFCC_CLIENT_SECRET=my-secret
+b2c ods list
+
+# Or via flags
+b2c ods list --client-id xxx --client-secret yyy
+```
 
 ---
 

docs/cli/slas.md

@@ -10,9 +10,34 @@ These flags are available on all SLAS commands:
 |------|---------------------|-------------|
 | `--tenant-id` | `SFCC_TENANT_ID` | (Required) SLAS tenant ID (organization ID) |
 
-### Authentication
+## Authentication
 
-SLAS commands require OAuth authentication. Provide `--client-id` and `--client-secret` or set the corresponding environment variables.
+SLAS commands require an Account Manager API Client with appropriate roles.
+
+### Required Roles
+
+| Auth Method | Role | Description |
+|-------------|------|-------------|
+| User Authentication | `SLAS Organization Administrator` | For interactive/browser-based authentication |
+| Client Credentials | `Sandbox API User` | For automated/service authentication |
+
+### Tenant Scope
+
+The API client must have tenant scope configured for the realm/organization you wish to manage. This is configured in Account Manager when setting up the API client.
+
+### Configuration
+
+Provide credentials via flags or environment variables:
+
+```bash
+# Client Credentials
+export SFCC_CLIENT_ID=my-client
+export SFCC_CLIENT_SECRET=my-secret
+b2c slas client list --tenant-id abcd_123
+
+# Or via flags
+b2c slas client list --tenant-id abcd_123 --client-id xxx --client-secret yyy
+```
 
 ---
 

docs/cli/webdav.md

@@ -24,12 +24,47 @@ Available roots:
 - `logs` - Log files
 - `securitylogs` - Security log files
 
-### Authentication
+## Authentication
+
+WebDAV commands require authentication to access instance files.
+
+### Basic Auth (Recommended)
+
+Basic Auth provides better performance for WebDAV operations using your Business Manager username and WebDAV access key:
+
+```bash
+export SFCC_USERNAME=my-user
+export SFCC_PASSWORD=my-webdav-access-key
+b2c webdav ls
+```
+
+Or via flags:
+
+```bash
+b2c webdav ls -u my-user -p my-access-key
+```
 
-WebDAV commands support both Basic Auth and OAuth authentication:
+### OAuth
 
-- **Basic Auth** (recommended for performance): `--username` and `--password`
-- **OAuth**: `--client-id` and `--client-secret`
+OAuth can also be used with an Account Manager API Client:
+
+```bash
+export SFCC_CLIENT_ID=my-client
+export SFCC_CLIENT_SECRET=my-secret
+b2c webdav ls
+```
+
+### Mixed Authentication
+
+For operations that require both WebDAV and OCAPI (like `code deploy`), you can provide both:
+
+```bash
+export SFCC_USERNAME=my-user
+export SFCC_PASSWORD=my-access-key
+export SFCC_CLIENT_ID=my-client
+export SFCC_CLIENT_SECRET=my-secret
+b2c code deploy
+```
 
 ---
 
@@ -291,47 +326,3 @@ b2c webdav unzip --root=cartridges my-cartridge.zip
 
 - Contents are extracted to the same directory as the zip file
 - This operation is performed server-side
-
----
-
-## Authentication
-
-WebDAV commands require authentication to access instance files.
-
-### Basic Auth (Recommended)
-
-Basic Auth provides better performance for WebDAV operations:
-
-```bash
-export SFCC_USERNAME=my-user
-export SFCC_PASSWORD=my-access-key
-b2c webdav ls
-```
-
-Or via flags:
-
-```bash
-b2c webdav ls -u my-user -p my-access-key
-```
-
-### OAuth
-
-OAuth can also be used:
-
-```bash
-export SFCC_CLIENT_ID=my-client
-export SFCC_CLIENT_SECRET=my-secret
-b2c webdav ls
-```
-
-### Mixed Authentication
-
-For operations that require both WebDAV and OCAPI (like `code deploy`), you can provide both:
-
-```bash
-export SFCC_USERNAME=my-user
-export SFCC_PASSWORD=my-access-key
-export SFCC_CLIENT_ID=my-client
-export SFCC_CLIENT_SECRET=my-secret
-b2c code deploy
-```