Loading
Salesforce now sends email only from verified domains. Read More
Identify Your Users and Manage Access
Table of Contents
Filter by (0)Add
Select Filters

          No results
          No results
          Here are some search tips

          Check the spelling of your keywords.
          Use more general search terms.
          Select fewer filters to broaden your search.

            Search all of Salesforce Help
            Search all of Salesforce Help
            Revoke All JSON Web Token (JWT)-Based Access Tokens

            You are here:

            1. Salesforce Help
            2. Docs
            3. Identify Your Users and Manage Access

            Revoke All JSON Web Token (JWT)-Based Access Tokens

            If necessary, you can revoke all JSON Web Token (JWT)-based access tokens issued by all external client apps and connected apps. Revoking JWT-based access tokens invalidates their signing keys, which makes the tokens unusable.

            Required Editions

            Available in: both Salesforce Classic and Lightning Experience

            Connected Apps can be created in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions

            Connected Apps can be installed in: All editions
            Note
            Note Connected apps creation is restricted as of Spring ‘26. You can continue to use existing connected apps during and after Spring ‘26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

            See New connected apps can no longer be created in Spring ‘26 for more details.

            After you revoke all JWT-based access tokens, it can take up to 30 minutes for the token revocation to propagate to all systems. The token revocation process doesn't delete associated sessions. Clients that have direct access to associated sessions, such as clients that use hybrid OAuth flows, continue to retain access even when their tokens are revoked.

            To revoke JWT-based access tokens for an individual user, see Revoke OAuth Tokens Programmatically.

            Revoking all JWT-based access tokens doesn’t automatically revoke all refresh tokens. To revoke refresh tokens for an external client app, see External Client App OAuth Usage. To revoke all refresh tokens issued by a connected app, see Manage Current OAuth Connected App Sessions. Revoke refresh tokens for all apps that can issue JWT-based access tokens.

            1. From Setup, in the Quick Find box, enter OAuth, and then select OAuth and OpenID Connect Settings.
            2. Click Revoke Tokens.
            3. If you accept the warning, click Revoke again.
             
            Loading
            Salesforce Help | Article