This content describes an older version of this product.

Authorize an Org Using the JWT-Based Flow

Continuous integration (CI) environments are fully automated and don’t support the human interactivity of a web-based flow. In this case, you must use the JWT-based flow to authorize a Dev Hub.

The JWT-based authorization flow requires first generating a digital certificate and creating a connected app. You execute these tasks only once. After that, you can authorize the Dev Hub in a script that runs in your CI environment.

For information about using JWT-based authorization with Travis CI, see the Continuous Integration Using Salesforce DX Trailhead module.

  1. If you do not have your own private key and digital certificate, use OpenSSL to create the key and a self-signed certificate. It is assumed in this task that your private key file is named server.key and your digital certificate is named server.crt.
  2. Create a connected app, and configure it for Salesforce DX. This task includes uploading the server.crt digital certificate file. Make note of the consumer key when you save the connected app because you need it later.
  3. If the org you are authorizing is not hosted on https://login.salesforce.com, update your project configuration file (sfdx-project.json). Set the sfdcLoginUrl parameter to the login URL. Examples of other login URLs are your custom subdomain or https://test.salesforce.com for sandboxes. For example:
    "sfdcLoginUrl" : "https://test.salesforce.com"

    Alternatively, use the --instanceUrl parameter of the force:auth:jwt:grant command, as shown in the next step, to specify the URL.

  4. Run the force:auth:jwt:grant CLI command. Specify the client identifier from your connected app (also called the consumer key), the path to the private key file (server.key), and the JWT authentication username. When you authorize a Dev Hub, set it as the default with the --setdefaultdevhubusername parameter. For example:
    sfdx force:auth:jwt:grant --clientid 04580y4051234051 --jwtkeyfile /Users/jdoe/JWT/server.key --username jdoe@acdxgs0hub.org --setdefaultdevhubusername --setalias my-hub-org

    To specify a different login URL:

    sfdx force:auth:jwt:grant --clientid 04580y4051234051 --jwtkeyfile /Users/jdoe/JWT/server.key --username jdoe@acdxgs0hub.org --setdefaultdevhubusername --setalias my-hub-org --instanceUrl https://test.salesforce.com
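
In a CI job, server.key is a long-lived credential, so step 4 is usually wrapped so that the key exists on disk only for the duration of the command. The following is an added example, not code from this page or from Salesforce; the environment variable names (SFDX_CONSUMER_KEY, SFDX_USERNAME, SFDX_JWT_KEY, SFDX_LOGIN_URL) are assumptions standing in for secrets defined in your CI system.

```sh
#!/bin/sh
# Added example (not Salesforce's code): run the force:auth:jwt:grant step in CI
# without leaving server.key in the workspace. Assumed names from the CI secret
# store: SFDX_CONSUMER_KEY, SFDX_USERNAME, SFDX_JWT_KEY (PEM text), SFDX_LOGIN_URL.

# Write the PEM private key to an owner-only temp file and print its path.
write_jwt_key() {
  case "$1" in
    *"PRIVATE KEY-----"*) ;;
    *) echo "SFDX_JWT_KEY is not a PEM private key" >&2; return 1 ;;
  esac
  jwt_keyfile=$(umask 077 && mktemp "${TMPDIR:-/tmp}/server.key.XXXXXX") || return 1
  printf '%s\n' "$1" > "$jwt_keyfile"
  printf '%s\n' "$jwt_keyfile"
}

# Accept only https login URLs, so the signed assertion never travels in clear text.
check_login_url() {
  case "$1" in
    https://?*) return 0 ;;
    *) echo "login URL must start with https://" >&2; return 1 ;;
  esac
}

# Authorize the Dev Hub, then delete the key file whatever the outcome.
authorize_dev_hub() {
  if [ -z "${SFDX_CONSUMER_KEY:-}" ] || [ -z "${SFDX_USERNAME:-}" ]; then
    echo "SFDX_CONSUMER_KEY and SFDX_USERNAME must be set" >&2; return 1
  fi
  hub_url=${SFDX_LOGIN_URL:-https://login.salesforce.com}
  check_login_url "$hub_url" || return 1
  hub_key=$(write_jwt_key "${SFDX_JWT_KEY:-}") || return 1
  hub_rc=0
  sfdx force:auth:jwt:grant --clientid "$SFDX_CONSUMER_KEY" \
    --jwtkeyfile "$hub_key" --username "$SFDX_USERNAME" \
    --setdefaultdevhubusername --setalias my-hub-org \
    --instanceUrl "$hub_url" || hub_rc=$?
  rm -f "$hub_key"
  return "$hub_rc"
}

# Run only when asked to, so the functions can also be sourced by other CI steps.
if [ "${1:-}" = "authorize" ]; then
  authorize_dev_hub
fi
```

Invoke the script with the single argument `authorize` from the CI job, and keep the key out of the repository and out of build logs.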