          Configure an External Client App to Issue JWT-Based Access Tokens

          Enable JWT-based access tokens for an existing external client app that you either created as a developer or installed from a managed package as an admin. Use the External Client Apps Manager in Setup. Or configure your external client app via Metadata API.

          Required Editions

          Available in: Lightning Experience
          Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
          User Permissions Needed
          To configure both settings and policies as an external client app developer: Create, edit, and delete External Client Apps
          To manage external client app policies as an external client app admin: View all External Client Apps, view their settings, and edit their policies
          Note: Connected apps creation is restricted as of Spring ‘26. You can continue to use existing connected apps during and after Spring ‘26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

          See New connected apps can no longer be created in Spring ‘26 for more details.

          If you use a JWT-based access token for session authentication, you can’t use $Api.Session_ID or GETSESSIONID() to return the user’s session ID.

          • Use the External Client App Manager
            In the External Client App Manager in Setup, enable an app to issue JWT-based access tokens instead of opaque access tokens.
          • Use Metadata API
            Use Metadata API to enable an external client app to issue JWT-based access tokens.

          Use the External Client App Manager

          In the External Client App Manager in Setup, enable an app to issue JWT-based access tokens instead of opaque access tokens.

          The external client app must be OAuth-enabled.

          1. If you’re a developer, enable JWT-based access tokens in the external client app settings. If you’re a subscriber admin, your developer enables this setting for you, so you can skip this step.
            1. From Setup, in the Quick Find box, enter External Client Apps, and then select External Client App Manager. Next to your app, click the dropdown arrow and select Edit Settings.
            2. In OAuth Settings, in the Security section, select Issue JSON Web Token (JWT)-based access tokens for named users.
            3. Save the change.
            The app now issues JWT-based access tokens instead of opaque access tokens. For installed apps, when you enable this setting, you expose a policy to set the token timeout.
          2. In the external client app policies, set the token timeout for named users. If you're a subscriber admin, you control this value for installed apps.
            1. From Setup, in the Quick Find box, enter External Client Apps, and then select External Client App Manager. Or, if you're already on the Settings tab, click Policies.
            2. If you're in the External Client App Manager, next to your app, click the dropdown arrow and select Edit Policies. If you're already on the Policies page for the app, click Edit Policies.
            3. In the App Authorization section, under Named User JWT-Based Access Token Settings, select an option for the token timeout. This value defines the amount of time before a user's session expires. The timeout for a JWT-based access token is fixed and doesn’t change based on when the token was last active.
            • Use the user's default session timeout—With this option, Salesforce uses the timeout defined in the user's profile session settings in the Session Times Out After field. If there's no profile session timeout for the user, Salesforce uses the value from the Timeout Value field from your org session settings. If both are defined, Salesforce defaults to the profile session timeout.
            • Set app-specific token timeout—With this option, select a timeout value that applies only to this app.
          3. If you use the app for the headless guest user flow, set a token timeout value for guest users. If you use the app only for named user flows, skip this step.
            1. In the external client app policies page, find OAuth Flows and External Client App Enhancements.
            2. For Guest User JWT-Based Access Token Timeout, select an option for the token timeout.
            • Use the Experience Cloud guest user timeout—With this option, Salesforce uses the timeout defined in the guest user's profile session settings in the Session Times Out After field. If there's no profile session timeout for the user, Salesforce uses the value from the Timeout Value field from your org session settings. If both are defined, Salesforce defaults to the profile session timeout.
            • Set app-specific token timeout—With this option, select a timeout value that applies only to this app.
          4. Save your changes.
            Now, when your app successfully completes an OAuth flow, it issues JWT-based access tokens with the token timeout values that you configured.

          Use Metadata API

          Use Metadata API to enable an external client app to issue JWT-based access tokens.

          To use JWT-based access tokens, the OAuth plugin must be enabled for your external client app. For more information, see these resources.

          1. (Developers only) Enable JWT-based access tokens in the external client app’s global OAuth settings file.
            1. Set the isNamedUserJwtEnabled field to true.
            2. Deploy your changes.
          2. (Developers and subscribers) Set the token timeout value for named users in the configurable OAuth policies. This value defines the amount of time before the user's session expires. The timeout for a JWT-based access token is fixed and doesn’t change based on when the token was last active. There are two ways to configure the token timeout.
            Named User Token Timeout Option: Use the user's default session timeout. With this option, Salesforce uses the timeout defined in the user's profile session settings in the Session Times Out After field. If there's no profile session timeout for the user, Salesforce uses the value from the Timeout Value field from your org session settings. If both are defined, Salesforce defaults to the profile session timeout.
            Configuration:
            • Set the namedUserJwtSessionTimeoutType field to UserSession.
            Named User Token Timeout Option: Set a timeout value that applies only to this app.
            Configuration:
            • Set the namedUserJwtSessionTimeoutType field to Custom.
            • For the namedUserJwtTimeout field, set a timeout value in minutes. For a list of valid values, see ExtlClntAppOauthConfigurablePolicies in the Metadata API Developer Guide.
          3. If you use the app for the headless guest user flow, set a token timeout value for guest users. If you use the app only for named user flows, skip this step.
            Guest User Token Timeout Option: Use the Experience Cloud guest user timeout. With this option, Salesforce uses the timeout defined in the guest user's profile session settings in the Session Times Out After field. If there's no profile session timeout for the user, Salesforce uses the value from the Timeout Value field from your org session settings. If both are defined, Salesforce defaults to the profile session timeout.
            Configuration:
            • Set the guestJwtSessionTimeoutType field to UserSession.
            Guest User Token Timeout Option: Set a timeout value that applies only to this app.
            Configuration:
            • Set the guestJwtSessionTimeoutType field to Custom.
            • For the guestJwtTimeout field, set a timeout value in minutes. For a list of valid values, see ExtlClntAppOauthConfigurablePolicies in the Metadata API Developer Guide.
          4. Deploy your changes.
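          The timeout precedence that both the External Client App Manager steps and the Metadata API steps above describe, as an added Python example that is not part of this article or of Salesforce's own code: it parses a constructed ExtlClntAppOauthConfigurablePolicies fragment (field names are the ones documented here; the root element name and the XML namespace are assumed from the Metadata API convention, and the minute values are placeholders), resolves the fixed token lifetime for named and guest users, and checks an issued token's iat/exp spacing against that lifetime.

```python
import xml.etree.ElementTree as ET

# Standard Salesforce Metadata API XML namespace.
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample ExtlClntAppOauthConfigurablePolicies fragment. The field names are
# the ones this article documents; the root element name is assumed from the Metadata
# API convention (type name = root element). The minute value is a placeholder, not a
# statement of which values Salesforce accepts.
SAMPLE_POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ExtlClntAppOauthConfigurablePolicies xmlns="http://soap.sforce.com/2006/04/metadata">
    <namedUserJwtSessionTimeoutType>Custom</namedUserJwtSessionTimeoutType>
    <namedUserJwtTimeout>30</namedUserJwtTimeout>
    <guestJwtSessionTimeoutType>UserSession</guestJwtSessionTimeoutType>
</ExtlClntAppOauthConfigurablePolicies>
"""


def _field(root, name):
    el = root.find(f"md:{name}", NS)
    return None if el is None or el.text is None else el.text.strip()


def effective_timeout(policy_xml, subject, profile_timeout, org_timeout):
    """Resolve the fixed JWT lifetime in minutes for subject 'named' or 'guest'.

    Precedence as described in the article:
      Custom      -> the app-specific <prefix>JwtTimeout value
      UserSession -> the profile's Session Times Out After value when defined,
                     otherwise the org-wide Timeout Value
    """
    root = ET.fromstring(policy_xml)
    prefix = {"named": "namedUser", "guest": "guest"}[subject]
    timeout_type = _field(root, f"{prefix}JwtSessionTimeoutType")
    if timeout_type == "Custom":
        value = _field(root, f"{prefix}JwtTimeout")
        if value is None:
            raise ValueError(f"{prefix}JwtSessionTimeoutType is Custom but {prefix}JwtTimeout is missing")
        return int(value)
    if timeout_type == "UserSession":
        return profile_timeout if profile_timeout is not None else org_timeout
    raise ValueError(f"unexpected {prefix}JwtSessionTimeoutType: {timeout_type!r}")


def lifetime_matches(iat, exp, timeout_minutes):
    """Check a token's standard iat/exp claims (Unix seconds) against the configured
    fixed lifetime: exp must sit exactly timeout_minutes after issuance, because the
    timeout does not slide with activity."""
    return exp - iat == timeout_minutes * 60
```

A token whose exp drifts away from iat plus the configured lifetime indicates the policy in force is not the one you deployed, which is worth checking after every policy change.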