Authorize an Org Using the JWT Flow
The JWT flow requires a digital certificate, also called a digital signature, to sign the JWT request. You can use your own certificate or create a self-signed certificate using OpenSSL.
-
If you don’t have your own private key and digital certificate, you can use OpenSSL to create the key and a self-signed certificate.
It’s assumed in this task that your private key file is named server.key and your digital certificate is named server.crt.
-
Create a connected app, and configure it for
Salesforce DX.
This task includes uploading the server.crt digital certificate file. Make note of the consumer key when you save the connected app because you need it later.
- Open a terminal (macOS and Linux) or command prompt (Windows).
-
Run the org login jwt CLI command. We recommend
using the --alias flag to make it easy to refer to
the org later.
Specify the consumer key from your connected app with the --client-id flag, the path to the private JWT key file (server.key), and the username for your org. For example:
sf org login jwt --client-id 04580y4051234051 --jwt-key-file /Users/jdoe/JWT/server.key --username jdoe@myorg.com --alias my-hub-org
Use the --set-default flag if you want the org to be the default for commands that accept the --target-org flag. If you’re authorizing a Dev Hub org, use the --set-default-dev-hub flag instead. See the org login jwt command for examples.
If the URL that you use to log in to your org isn’t the default (login.salesforce.com), update your project configuration file (sfdx-project.json). Set the sfdcLoginUrl option to your enhanced My Domain login URL. For example:
"sfdcLoginUrl" : "https://MyDomainName.my.salesforce.com"
This example is for a sandbox.
"sfdcLoginUrl" : "https://MyDomainName--SandboxName.sandbox.my.salesforce.com"
Alternatively, you can use the --instance-url flag of the org login jwt command to specify the URL. This value overrides the login URL you specified in the sfdx-project.json file. For example:
sf org login jwt --client-id 04580y4051234051 --jwt-key-file /Users/jdoe/JWT/server.key --username jdoe@myorg.com --alias my-hub-org --instance-url https://mydomain--mysandbox.sandbox.my.salesforce.com
Authorize a Scratch Org Using the JWT Flow
Before you begin, we assume that:
- You previously authorized your Dev Hub org with the org login jwt command.
- The private key file you used when authorizing your Dev Hub org is accessible and in /Users/jdoe/JWT/server.key.
- You’ve created a scratch org and have its administration user’s username, such as test-wvkpnfm5z113@example.com.
- You know the scratch org’s instance URL. If you don’t know it, you can query your Dev
Hub org. For
example:
sf data query --target-org my-dev-hub --query "SELECT SignupUsername,LoginUrl FROM ScratchOrgInfo WHERE SignupUsername='test-wvkpnfm5z113@example.com'"
-
Copy the consumer key from the connected app that you created in your Dev Hub
org.
- Log in to your Dev Hub org.
- From Setup, enter App Manager in the Quick Find box to get to the Lightning Experience App Manager.
- Locate the connected app in the apps list, then click the dropdown menu on the right side, and select View.
-
In the API (Enable OAuth Settings) section, click Manage Consumer
Details
If prompted, verify your identity by entering the verification code that was automatically sent to your email address.
- Copy the Consumer Key to your clipboard. The consumer key is a long string of numbers, letters, and characters, such as 3MVG9szVa2Rx_sqBb444p50Yj (example shortened for clarity.)
- Open a terminal (macOS and Linux) or command prompt (Windows).
-
Run the org login jwt CLI command. The --client-id and --jwt-key-file flag values are the same as when you ran the command to
authorize a Dev Hub org. Set --username to the
scratch org’s admin username and set --instance-url
to the scratch org’s instance URL, such as https://energy-enterprise-2539-dev-ed.scratch.my.salesforce.com. For
example:
sf org login jwt --client-id 3MVG9szVa2Rx_sqBb444p50Yj \ --jwt-key-file /Users/jdoe/JWT/server.key --username test-wvkpnfm5z113@example.com \ --instance-url https://energy-enterprise-2539-dev-ed.scratch.my.salesforce.com
If you get an error that the user isn’t approved, it means that the scratch org information hasn’t yet been replicated. Wait a short time and try again.