The Salesforce Developers website will undergo maintenance on May 29, 2024 from 3:00 a.m. UTC to 10:00 a.m. UTC. The maintenance process may affect the availability of our documentation. Please plan accordingly.

OAuth 2.0 Bearer Flow JWT Claims

This table doesn’t apply to legacy named credentials.

Claim NameDescriptionNotes
algThe algorithm used to sign the tokenDefault is RS256, an asymmetric algorithm that uses a private/public pair. Added automatically on external credential creation. Not editable.
aud(Audience) Recipient for whom the token is intended.Added when claims are edited. Editable through the JWT Claims panel on the editable credential
exp(Expiration) Time after which the token expires. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.Set on external credential creation through the Expiration field. If no expiration number is provided, a default of 2 minutes in the future is set.
iat(Issued At Time): Time at which the token was issued. Can be used to determine age of the token. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.Added automatically on external credential creation. Not editable.
issIssuer of the token.Added automatically on external credential creation. Editable through the JWT Claims panel on the editable credential.
nbf(Not Before Time) Time before which the token must not be accepted for processing. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.Added automatically on external credential creation. Not editable
subSubject of the token (the user). The subject is a string when the identity type is named principal, and it’s a formula when the identity type is per user.Added when claims are edited. Editable through the JWT Claims panel on the editable credential.
typ(Type) The media type of the token.Added automatically on external credential creation. The value is set to 'JWT'. Not editable.