JWT Bearer Flow in Salesforce

What it is

  • An OAuth 2.0 flow for server-to-server integrations.

  • No user interaction (no username/password, no UI login).

  • Relies on a JWT assertion signed with a private key.

  • Salesforce verifies it with the public key stored in the Connected App.


When to use

  • Backend integrations that run without user intervention.

  • Scheduled jobs (e.g., middleware → Salesforce).

  • CI/CD pipelines.

  • Machine-to-machine API calls.


Step-by-Step Flow

  1. Setup in Salesforce

    • Create a Connected App.

    • Enable JWT Bearer Flow.

    • Upload your public key certificate.

  2. Prepare JWT Assertion (by the client)

    • The external app generates a JWT with the following claims:

      • iss → Consumer Key (Client ID of Connected App)

      • sub → Salesforce username (integration user)

      • aud → Salesforce login URL (login.salesforce.com or test.salesforce.com)

      • exp → Expiration (short-lived, e.g., 3–5 mins)

    • The JWT is signed using the app’s private key.

  3. Send Token Request

    • The client posts to Salesforce token endpoint:

      POST https://login.salesforce.com/services/oauth2/token
      grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
      assertion=<JWT>

  4. Salesforce Validates

    • Checks signature against the public key.

    • Verifies issuer, subject, audience, and expiration.

  5. Access Token Issued

    • If valid, Salesforce responds with an access token.

    • The client uses this token in API calls.


🔹 Example Interview Q&A

Q1. Why would you use JWT Bearer Flow instead of Username-Password flow?

A:

  • JWT is more secure → no need to store username/password.

  • Credentials are based on certificates instead of static secrets.

  • Better for server-to-server integrations and compliance.


Q2. How does Salesforce verify the JWT?

A:

  • The client signs JWT with its private key.

  • Salesforce uses the public key uploaded in Connected App.

  • If signature + claims (iss, sub, aud, exp) are valid, token is issued.


Q3. What happens if the certificate expires?

A:

  • Salesforce won’t validate a JWT signed with an expired cert.

  • You must rotate certificates before expiry.

  • Best practice → automate cert monitoring/rotation.


Q4. Can JWT Bearer Flow be used for external users (like Community)?

A:

  • Typically used for internal integration users.

  • For external/community users → different flows (OAuth Web Server / SAML).


Q5. How do you revoke access in JWT Bearer Flow?

A:

  • Remove user access to the Connected App.

  • Revoke the user’s OAuth token.

  • Remove the public key certificate from the Connected App.


Q6. What are security best practices?

A:

  • Store private keys securely (e.g., AWS Secrets Manager, Vault).

  • Keep JWT short-lived (few minutes).

  • Rotate certificates regularly.

  • Use dedicated integration users with least privilege access.


Q7. What’s the difference between JWT Bearer Flow and OAuth Client Credentials Flow?

A:

  • JWT Bearer Flow → Salesforce-specific, certificate-based, and tied to a Salesforce user (sub).

  • Client Credentials Flow → More general OAuth flow, not tied to a Salesforce user; uses client_id + client_secret.


👉 Punchline for interview:
"JWT Bearer Flow is Salesforce’s secure, certificate-based OAuth flow for server-to-server integrations. It eliminates the need for passwords, reduces risk, and is the preferred approach over legacy Username-Password flows."
