In Power Pages, shell.getTokenDeferred() is part of the Power Pages runtime and is automatically available only when using authenticated pages that rely on the site authentication system (e.g., local authentication, Azure AD B2C, etc.).
If you’re building a custom JavaScript login, registration, or data API interaction, and you get an error like:
Uncaught ReferenceError: shell is not defined
It means the shell object isn’t available, which usually happens if:
- You are not on an authenticated page, or
- You are running JavaScript before the shell is loaded, or
- You’re on an unauthenticated web page (like custom /login page without being signed in)
✅ How to Properly Use shell.getTokenDeferred() in Power Pages
✔️ 1. Ensure the page is authenticated
You must be on a page where the user is logged in (authenticated). Pages where authentication is required expose the shell object for secure API interaction.
To do this:
- Go to Power Pages → Pages → Select your page
- Under Permissions, ensure the page is restricted to authenticated users
⚠️ If the page is anonymous (public), shell will not be available.
✔️ 2. Use shell.getTokenDeferred() safely in JavaScript
Once on an authenticated page, you can use the token like this:
shell.getTokenDeferred().done(function(token) {
console.log(“Token retrieved: “, token);
// Use token for secure AJAX call
$.ajax({
type: “GET”,
url: “/_api/contacts”,
headers: {
“__RequestVerificationToken”: token
},
success: function(data) {
console.log(“Data retrieved”, data);
}
});
}).fail(function(err) {
console.error(“Token fetch failed”, err);
});
✔️ 3. Wait until shell is loaded (just to be safe)
If you’re embedding this in a script that might run too early, wait for document ready:
$(document).ready(function () {
if (typeof shell !== ‘undefined’ && shell.getTokenDeferred) {
shell.getTokenDeferred().done(function (token) {
// Proceed with authenticated request
});
} else {
console.error(“shell is not available. Ensure user is authenticated.”);
}
});
❌ You Cannot Manually Define shell.getTokenDeferred()
You should not and cannot define shell.getTokenDeferred() manually for security reasons. It is injected by the Power Pages runtime only for authenticated sessions.
✅ Alternatives if You’re on an Anonymous Page (e.g. custom /login page)
If you’re building a custom login or registration page, you must:
- Use the Power Pages login API directly:
POST /_services/auth/login/local
Content-Type: application/json
{
“username”: “user@example.com”,
“password”: “yourPassword”
}
- Then redirect to an authenticated page (e.g., /dashboard) where shell becomes available.
You can’t call /_api endpoints from public pages — they’re secured and require an auth token.
✅ Summary
| Scenario | Can use shell.getTokenDeferred()? | Notes |
| Authenticated (signed-in) page | ✅ Yes | Use it to securely call Web API |
| Anonymous (public) page | ❌ No | shell is undefined |
| Custom login/registration | ❌ No | Use /auth/login/local, redirect |
Leave a comment