Salesforce DX Developer Guide

How Salesforce Developer Experience Changes the Way You Work
Enable Dev Hub Features in Your Org
Project Setup
Authorization
Authorize an Org Using a Browser
Authorize an Org Using the JWT Flow
Create a Private Key and Self-Signed Digital Certificate
Create a Connected App in Your Org
Use the Default Connected App Securely
Use an Existing Access Token
Authorization Information for an Org
Log Out of an Org
Metadata Coverage
Scratch Orgs
Sandboxes
Track Changes Between Your Project and Org
Development
Build and Release Your App
Unlocked Packages
Continuous Integration
Troubleshoot Salesforce DX
Limitations for Salesforce DX
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Use the Default Connected App Securely

If you authorize an org with the org login web command, but don't specify the --client-id flag, Salesforce CLI creates a default connected app in the org called Salesforce CLI. However, its refresh tokens are set to never expire. As a security best practice, Salesforce recommends that refresh tokens in your org expire after 90 days or fewer. Another security best practice is to set an expiration for the access token to 15 minutes. Similar to refresh tokens, the access token in the default connected app is set to never expire. To continue using this default connected app in a secure way, configure its policies.
  1. Log in to your org.
  2. From Setup, enter OAuth in the Quick Find box, then select Connected Apps OAuth Usage.
  3. Select the Salesforce CLI app and click Install. Confirm by clicking Install again.
  4. Click Edit Policies.
  5. In the OAuth Policies section, for the Refresh Token Policy field, click Expire refresh token after: and enter 90 Days or less.
  6. In the Session Policies section, set Timeout Value to 15 minutes.
  7. Click Save.
If you run a CLI command against an org whose refresh token has expired, you get an error. For example:
1ERROR running org open: Error authenticating with the refresh token due to: expired access/refresh token
The org list command also displays expired refresh token information in the CONNECTED STATUS column. To continue using the org, reauthorize it with the org login web or org login jwt command.

Salesforce CLI automatically handles an expired access token by referring to the refresh token.