LWR is the default in 2026
Lightning Web Runtime (LWR) replaces Aura templates for all new sites. Benefits that matter:
- First contentful paint < 1s on mid-tier mobile
- Static SSR + hydration (no giant Aura framework payload)
- Real Node build with SFDX +
sfdx experience:site:build - LWC everywhere; no Aura fallback
The only reason to start on Aura today is deep dependency on CMS Layouts that haven't been ported.
Partner licenses & sharing
Partner licenses have different sharing behavior than internal users:
- Partner Community License — up to 10 roles per partner account
- Sharing — external users get sharing via the Account role hierarchy only; role-based rules don't cross
- Super User — grant read on all records owned by users below them in the partner account
Model your data with this in mind:
Partner Account (Channel Partner)
├─ Partner User: Sales Lead (Super User)
├─ Partner User: Sales Rep
└─ Deal_Registration__c (OWD: Private)
▲ shared via partner role hierarchy
Auth patterns
- Username/password — dying, but still common. Enforce MFA.
- Social sign-on — LinkedIn/Google via Auth. Providers
- SSO (SAML/OIDC) — partner IdP, JIT provisioning
- Passwordless (magic link + OTP) — best UX for low-frequency partners
Wire JIT provisioning with a Registration Handler class so first login creates the Contact + User atomically.
Building an LWR page
force-app/main/default/experiences/PartnerPortal/
├─ views/
│ └─ deals.json # route → components
├─ routes/
│ └─ deals.json # /deals
├─ theme/
│ └─ theme.json # design tokens (color, spacing, typography)
└─ config.json
A view is JSON — components + regions:
{
"regions": {
"main": {
"components": [
{ "definition": "market:navigation" },
{ "definition": "c:dealRegistrationList", "properties": { "recordLimit": 25 } }
]
}
}
}
Ship the LWC with SFDX, reference it in the JSON. Preview locally with sfdx experience:site:serve.
Performance budget
Set a real budget in the theme config:
- JS < 200 KB gzipped, first render
- LCP < 2.5s on 4G
- CLS < 0.1
Enforce with Lighthouse CI on every PR that touches the site metadata.
Security checklist
- CSP locked to
self+ explicit CDNs; nounsafe-inline - Guest User Profile: read on the 3–5 objects the marketing pages need; nothing else
- Sharing sets rather than manual sharing for high-volume portals
- Every custom Apex controller marked
with sharingand covered by permission-set-based tests - Rate limits on public Apex REST endpoints via a Custom Metadata throttle table
Experience CloudLWRPortals
