Set Up and Maintain Your Salesforce Organization

          Create or Edit a JWT External Credential

          To manage your authentication into the external system with a JSON Web Token (JWT), create an external credential that uses the JWT authentication protocol. The JWT authentication protocol supports server-to-server integration.

          Required Editions

          Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
          Available in: all editions
          User Permissions Needed
          To view external credentials: View Setup and Configuration
          To create, edit, or delete external credentials: Manage Named Credentials or Customize Applications
          1. From Setup, in the Quick Find box, enter Named Credentials, and then select Named Credentials.
          2. Click External Credentials.
          3. To create a new external credential, click New. To edit an existing external credential, click its link in the list of external credentials and then click Edit.
          4. Complete the fields.
            Field | Description
            Label | A user-friendly name for the external credential that’s shown in the Salesforce user interface, such as in list views.
            Name | A unique identifier that’s used to refer to this external credential from callout definitions and through the API. The name can contain only underscores and alphanumeric characters. It must be unique, begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
            Authentication Protocol | Select JWT. For a complete list of JWT claims, see Set Up JWT Claims for Named Credentials.
            Issuer (iss) | Specify who issued the JWT, as a formula. For example, to return the email ID, use the formula {!$User.Email}.
            Subject (sub) | Specify the subject of the token (the user), as a formula.
            Audience (aud) | Specify the recipient for whom the token is intended.
            JWT Expiration (Seconds) | Specify the time after which the token expires. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.
            Signing Certificate | Specify the certificate that’s used to verify the JWT’s authenticity to external systems.
            Signing Algorithm | Specify the algorithm used to sign the token. Valid values are RS256 (default) and RS512.
          5. Save the external credential.

          Create Principals for JWT

          After you create an external credential that uses JWT authentication, create principals for it. To grant access, you map the principals to permission sets or profiles. A user making a callout must have permission to the principal.

          1. On the Named Credentials page, click External Credentials.
          2. Select the external credential that you created.
          3. Scroll to Principals.
          4. To create a principal for the external credential, click New or select Edit from the Actions menu of an existing principal.
            When editing an existing principal, not all the fields listed here are modifiable.
          5. Enter the information for the principal.
            Field | Description
            Parameter Name | Enter a name for the principal, such as Admin or Marketing Group.
            Sequence Number | Assign a sequence number. A sequence number specifies the order of principals to apply when a user participates in more than one principal. For example, a user could be part of multiple permission sets that are applicable for a credential provider. Priority is from lower to higher numbers.
            Identity Type | Choose either Named Principal or Per User Principal. You can set up each external credential to use an org-wide named principal or per-user authentication. A named principal applies the same credential or authentication configuration for the entire org, while per-user authentication provides access control at the individual user level.


          6. Save the principal.
            You can’t modify the Principal Name and Identity Type of an existing principal. To change these parameters, delete the principal and recreate it.

          Now that you created the external credential and its principal, it’s time to create the connected named credential. See Create or Edit a Named Credential. For an overview of all of the steps required to configure a named credential, see Create Named Credentials and External Credentials.

           
          Salesforce Help | Article