Authentication from Lightning Out

Lightning Out doesn’t handle authentication. Instead, you manually provide a Salesforce session ID or authentication token when you initialize a Lightning Out app.
There are two supported ways to obtain an authentication token for use with Lightning Out.
  • On a Visualforce page, using Lightning Components for Visualforce, you can obtain the current Visualforce session ID using the expression {! $Api.Session_ID }. This session is intended for use only on Visualforce pages.
  • Elsewhere, an authenticated session is obtained using OAuth, following the same process you’d use to obtain an authenticated session to use with the Force.com REST API. In this case, you obtain an OAuth token, and can use it anywhere.

The key thing to understand is that Lightning Out isn’t in the business of authentication. The $Lightning.use() function simply passes along to the security subsystem whatever authentication token you provide it. For most organizations, this will be a session ID or an OAuth token.