Pub/Sub API supports any authentication mechanism that enables retrieving the session ID, including OAuth, and username and password authentication.

The OAuth access token value or session ID is part of the authentication metadata header that the client passes to the Pub/Sub API RPC methods. For more information about gRPC metadata, see Metadata in Core concepts, architecture and lifecycle in the gRPC documentation. For more information about authorizing your app with OAuth, see OAuth Authorization Flows in Salesforce Help.

In each RPC method, use these key-value pairs in the metadata headers. For more information about using headers in Pub/Sub API, see Include Authorization Headers in RPC Method Calls.

Metadata Header NameMetadata Header Value
accesstokenThe access token if using OAuth, or the Salesforce session ID if using username and password authentication
instanceurlURL of the Salesforce instance. For example,
tenantidThe Salesforce org ID

If you use OAuth, the access token expiration is controlled by the Salesforce session timeout value in the connected app, or if not set, in the user’s profile or the session settings. The session times out after 2 hours of inactivity by default, unless a custom timeout value is set. For more information, see Manage Session Policies for a Connected App in Salesforce Help. However, the session timeout doesn’t matter for a subscriber client because the Subscribe RPC method keeps the connection alive through keepalive messages if there are still pending events to be delivered. For more details, see Subscribe Keepalive Behavior. For the PublishStream RPC method, the connection closes if no new publish request is sent within a short time. See PublishStream RPC Method. The rest of the RPC methods execute promptly and don’t need a long-lived connection.