          Configure a Connected App to Issue JWT-Based Access Tokens

          Enable JWT-based access tokens for an existing connected app that you either created or installed from a managed package.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: All Editions
          User Permissions Needed
          To read, create, update, or delete connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
          To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND either Modify All Data OR Manage Connected Apps
          To update Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND Modify All Data AND Manage Profiles and Permission Sets
          To rotate the consumer key and consumer secret: Allow consumer key and secret rotation
          To install and uninstall connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
          To install and uninstall packaged connected apps: Download AppExchange Packages AND Customize Application AND either Modify All Data OR Manage Connected Apps

          Note: Connected apps creation is restricted as of Spring ‘26. You can continue to use existing connected apps during and after Spring ‘26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

          See New connected apps can no longer be created in Spring ‘26 for more details.

          If you use a JWT-based access token for session authentication, you can’t use $Api.Session_ID or GETSESSIONID() to return the user’s session ID.

          1. If you’re an app developer, edit the connected app OAuth settings. If you’re a subscriber admin, the app developer completes this step for you.
            1. From Setup, in the Quick Find box, enter App, and then select App Manager.
            2. Next to your app, click the dropdown arrow, and then select Edit.
            3. Under API (Enable OAuth Settings), select Issue JSON Web Token (JWT)-based access tokens for named users.
            4. Save the change.
            The app now issues JWT-based access tokens instead of opaque access tokens. When you enable this setting, you expose a policy to set the token timeout. Subscriber admins can access this policy in installed apps.
          2. In the connected app policies, set the token timeout for named users. If you're a subscriber admin, you control this value for installed apps.
            1. From Setup, in the Quick Find box, enter App, and then select App Manager. Next to your app, click the dropdown arrow, and then select Manage.
              Or, if you’re on the connected app page already, click Manage.
            2. Click Edit Policies.
            3. Under Session Policies, in the Named User JWT-Based Access Token Timeout section, select an option for the token timeout. This value defines the amount of time before the user's session expires. The timeout for a JWT-based access token is fixed and doesn’t change based on when the token was last active.
            • Use the user's default session timeout—With this option, Salesforce uses the timeout defined in the user's profile session settings in the Session Times Out After field. If there's no profile session timeout for the user, Salesforce uses the value from the Timeout Value field from your org session settings. If both are defined, Salesforce defaults to the profile session timeout.
            • Set app-specific token timeout—With this option, select a timeout value that applies only to this app.
          3. If you use the app for the headless guest user flow, set a token timeout value for guest users. If you use the app only for named user flows, skip this step.
            1. In the connected app policies page, find Authorization Code and Credentials Flow.
            2. Select an option for the guest user token timeout.
            • Use the Experience Cloud guest user timeout—With this option, Salesforce uses the timeout defined in the guest user's profile session settings in the Session Times Out After field. If there's no profile session timeout for the user, Salesforce uses the value from the Timeout Value field from your org session settings. If both are defined, Salesforce defaults to the profile session timeout.
            • Set app-specific token timeout—With this option, select a timeout value that applies only to this app.
          4. Save your changes.
            Now, when your app successfully completes an OAuth flow, it issues JWT-based access tokens with the token timeout values that you configured.
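          The timeout you configure above is an absolute expiry carried in the token, not an activity-based one, so a client should plan its refresh from the token's expiry claim rather than from its last request. The following is an added example, not Salesforce code: it decodes the payload of a JWT-based access token without verifying it (the signature is validated by Salesforce, not by the client) and computes the fixed remaining lifetime. It assumes the token carries the standard RFC 7519 exp and iat claims; the sample token is constructed here with a placeholder signature.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature.

    Use this only to schedule a refresh on the client. Never make an
    authorization decision from unverified claims; the API endpoint
    that receives the token is what validates it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: float) -> int:
    """Remaining lifetime at time `now` (Unix seconds).

    The expiry is the absolute `exp` claim: using the token does not
    extend it, unlike an activity-based session timeout."""
    claims = decode_claims_unverified(token)
    if "exp" not in claims:
        raise ValueError("token has no exp claim; cannot schedule refresh")
    return max(0, int(claims["exp"] - now))


def should_refresh(token: str, now: float, skew: int = 60) -> bool:
    """True when the token expires within `skew` seconds (clock-skew margin)."""
    return seconds_until_expiry(token, now) <= skew


def make_sample_token(iat: int, lifetime_seconds: int) -> str:
    """Constructed sample token for demonstration; the signature is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iat": iat, "exp": iat + lifetime_seconds, "sub": "example-user"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"signature-placeholder"),
    ])
```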