This content describes an older version of this product.

Use the Default Connected App Securely

If you authorize an org with the auth:web:login command, but don't specify the --clientid parameter, Salesforce CLI creates a default connected app in the org called Salesforce CLI. However, its refresh tokens are set to never expire. As a security best practice, Salesforce recommends that refresh tokens in your org expire after 90 days or less. Another security best practice is to set an expiration for the access token to 15 minutes. Similar to refresh tokens, the access token in the default connected app is set to never expire. To continue using this default connected app in a secure way, configure its policies.
  1. Log in to your org.
  2. From Setup, enter OAuth in the Quick Find box, then select Connected Apps OAuth Usage.
  3. Select the Salesforce CLI app and click Install. Confirm by clicking Install again.
  4. Click Edit Policies.
  5. In the OAuth Policies section, for the Refresh Token Policy field, click Expire refresh token after: and enter 90 Days or less.
  6. In the Session Policies section, set Timeout Value to 15 minutes.
  7. Click Save.
If you run a CLI command against an org whose refresh token has expired, you get an error. For example:
ERROR running force:org:open: Error authenticating with the refresh token due to: expired access/refresh token
The force:org:list command also displays expired refresh token information in the CONNECTED STATUS column. To continue using the org, reauthorize it with the auth:web:login or auth:jwt:grant command.
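Once refresh tokens expire on schedule, it is useful to find out which authorized orgs need reauthorizing before a script fails mid-run. The following audit script is an added example, not code from the Salesforce CLI docs or the CLI itself. It assumes that `sfdx force:org:list --json` returns a `result` object with `nonScratchOrgs` and `scratchOrgs` arrays whose entries carry `username`, `alias` and `connectedStatus` (that shape is an assumption, and the sample output embedded below is constructed); it reports every org whose status is anything other than `Connected` together with the reauthorization command.

```python
"""Audit Salesforce CLI org authorizations for expired refresh tokens.

Added example, not from the Salesforce docs. The JSON shape used here
(result.nonScratchOrgs / result.scratchOrgs with username, alias and
connectedStatus) is an assumption about `sfdx force:org:list --json`;
SAMPLE_ORG_LIST is constructed data that stands in for real output.
"""
import json
import subprocess
import sys
from typing import Dict, List

# Constructed sample standing in for `sfdx force:org:list --json` output.
SAMPLE_ORG_LIST = json.dumps({
    "status": 0,
    "result": {
        "nonScratchOrgs": [
            {"username": "admin@example-devhub.com", "alias": "devhub",
             "connectedStatus": "Connected", "isDevHub": True},
            {"username": "admin@example-prod.com", "alias": "prod",
             "connectedStatus": "expired access/refresh token", "isDevHub": False},
        ],
        "scratchOrgs": [
            {"username": "test-abc@example.com", "alias": "scratch1",
             "connectedStatus": "Connected"},
        ],
    },
})


def expired_orgs(org_list_json: str) -> List[Dict[str, str]]:
    """Return the orgs whose connected status is anything other than Connected.

    Both scratch and non-scratch orgs are checked; a missing `result`
    (for example when the CLI itself errored) yields an empty list.
    """
    payload = json.loads(org_list_json)
    result = payload.get("result", {})
    orgs = result.get("nonScratchOrgs", []) + result.get("scratchOrgs", [])
    return [
        {"username": o.get("username", ""), "alias": o.get("alias", ""),
         "connectedStatus": o.get("connectedStatus", "")}
        for o in orgs
        if o.get("connectedStatus") != "Connected"
    ]


def reauth_hint(org: Dict[str, str]) -> str:
    """Build the reauthorization command the docs point at.

    Web login is the interactive default; auth:jwt:grant is the
    non-interactive alternative for CI jobs. Prefers the alias, falls back
    to the username.
    """
    target = org["alias"] or org["username"]
    return f"sfdx auth:web:login -a {target}"


def fetch_org_list() -> str:
    """Run the real CLI (only when invoked with --live; never in tests)."""
    completed = subprocess.run(
        ["sfdx", "force:org:list", "--json"],
        capture_output=True, text=True, check=False,
    )
    return completed.stdout


if __name__ == "__main__":
    raw = fetch_org_list() if "--live" in sys.argv[1:] else SAMPLE_ORG_LIST
    stale = expired_orgs(raw)
    if not stale:
        print("all authorized orgs report Connected")
    for org in stale:
        print(f"{org['username']} ({org['alias'] or 'no alias'}): {org['connectedStatus']}")
        print(f"  reauthorize with: {reauth_hint(org)}")
```

Run without arguments it audits the constructed sample; with `--live` it invokes the CLI. Treating every status other than `Connected` as stale is deliberate: the CLI reports the underlying error text in that column, and any non-connected org will fail on the next command anyway.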

Salesforce CLI handles an expired access token automatically by using the refresh token to obtain a new one; only an expired refresh token requires you to reauthorize the org.