Access Tokens
Access tokens are your key to Salesforce APIs. When a client successfully completes an authorization flow, whether it’s a standard OAuth 2.0 flow or a headless identity flow, Salesforce issues an access token that can be used to access protected Salesforce data. Salesforce supports two types of access tokens: opaque tokens and JSON Web Token (JWT)-based access tokens. Each type has its own merits and limitations based on your use case.
Required Editions
| Required Editions |
|---|
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: all editions |
Opaque Access Tokens
Salesforce traditionally issues opaque access tokens during authorization flows. The hallmark of these tokens is that they’re hard to read without additional help. From the perspective of your client apps, an opaque token is an inscrutable string of random characters. Your clients can’t understand or validate the data represented by the token unless they call a Salesforce endpoint. Typically, to get information about an opaque access token, you call the Salesforce introspection or User Info endpoints.
JWT-Based Access Tokens
JWT-based access tokens are less traditional, but that doesn’t mean they’re less capable. Instead of being an opaque string, a JWT access token is formatted as a JSON object with all the information necessary to validate it. JWT-based access tokens can be introspected locally, without calling a Salesforce endpoint.
When to Use Each Token Type
If you’re only interacting with one Salesforce instance, opaque tokens are more appropriate. You can easily make calls to Salesforce endpoints without slowing performance. You can also use opaque tokens to access the Salesforce user interface, which you can’t do with JWT-based access tokens.
By comparison, JWT-based access tokens are better suited for use cases where you have a wide range of third-party services and you need a Salesforce token that works with all of them. Because you can introspect the tokens locally, you can avoid multiple, repeated callouts to Salesforce endpoints, which can slow performance when you’re working with a range of APIs.
Comparing Token Types
Beyond the basic distinction between the two token types, this table summarizes the key functional differences between opaque and JWT-based access tokens. Before using either type, make sure that you thoroughly understand these differences and their impact on your use case.
| Functionality | Opaque Token | JWT-Based Token |
|---|---|---|
| Validation and introspection | Can be validated and introspected only with a call to a Salesforce endpoint. As a result, they’re ideal for use cases with just one Salesforce instance but poorly suited for use cases with multiple services. | Can be locally validated and introspected, making them more compatible with external services. |
| UI access | Can be used to access the Salesforce user interface. | Can’t be used to access the Salesforce user interface. |
| Timeout | Each time the token is used, its validity is extended. | The timeout value is fixed and can’t be extended. |
| User deactivation | If the user holding the token is deactivated, the token immediately stops working because any calls to Salesforce endpoints fail. | If a user is deactivated, the token is still technically valid until it times out. |
| Enablement | Enabled by default | Must be enabled on your external client app or connected app |
| Headless Guest User Flow and unique visitor ID (UVID) | Not supported | Required to use the guest user flow and UVID |
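To make the table's points concrete, here is an added example (not Salesforce code and not from this page) of what "local validation" of a JWT-based access token looks like on an off-platform service, and of the two rows that most often surprise people: the timeout is fixed rather than sliding, and a deactivated user's token keeps validating until it expires unless your service also checks the user's status. Everything in it is constructed: the signing key, issuer, audience, claim values and the user directory are demo values. The page does not state which signature algorithm or key distribution Salesforce uses, so the example signs with HS256 and a shared secret purely so it runs offline on the standard library; a production service would verify a Salesforce-issued token against the issuer's public signing key instead.

```python
"""Local validation of a JWT-style access token, contrasted with the
checks a JWT cannot make on its own. Constructed example, not Salesforce code."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (not real Salesforce identifiers or secrets).
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_ISS = "https://issuer.example"          # stand-in for the issuing Salesforce org
EXPECTED_AUD = "https://orders-service.example"  # stand-in for your off-platform service
ISSUED_AT = 1_700_000_000
LIFETIME_SECONDS = 900


class TokenInvalid(Exception):
    """Raised when local validation fails; the message is the reason."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 token so the example runs offline.
    Salesforce signs its own tokens; a relying service never mints them."""
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def sample_claims() -> dict:
    """Constructed claim set with a fixed expiry (JWT timeouts do not slide)."""
    return {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "user-0001",
            "iat": ISSUED_AT, "exp": ISSUED_AT + LIFETIME_SECONDS}


def validate_jwt_locally(token: str, key: bytes, expected_iss: str,
                         expected_aud: str, now: Optional[float] = None) -> dict:
    """Verify signature, issuer, audience and expiry with no network call."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose it (rejects "none" and downgrades).
    if header.get("alg") != "HS256":
        raise TokenInvalid("unexpected algorithm")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenInvalid("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise TokenInvalid("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid("wrong audience")
    # Fixed timeout: using the token does not extend it, unlike an opaque token.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenInvalid("token expired")
    return claims


def rejection_reason(token, key, iss, aud, now) -> Optional[str]:
    """None if the token validates locally, otherwise the reason it was rejected."""
    try:
        validate_jwt_locally(token, key, iss, aud, now)
        return None
    except TokenInvalid as exc:
        return str(exc)


def authorize(token, key, iss, aud, now, user_is_active) -> bool:
    """Local validation plus the check a JWT cannot give you on its own:
    a deactivated user's token stays valid until exp unless you look the user up."""
    try:
        claims = validate_jwt_locally(token, key, iss, aud, now)
    except TokenInvalid:
        return False
    return bool(user_is_active(claims["sub"]))


if __name__ == "__main__":
    token = mint_token(sample_claims(), DEMO_KEY)
    fresh, late = ISSUED_AT + 60, ISSUED_AT + LIFETIME_SECONDS
    print("fresh token:", rejection_reason(token, DEMO_KEY, EXPECTED_ISS, EXPECTED_AUD, fresh))
    print("after fixed timeout:", rejection_reason(token, DEMO_KEY, EXPECTED_ISS, EXPECTED_AUD, late))
    directory = {"user-0001": False}  # constructed: this user has been deactivated
    print("deactivated user, local check only:",
          rejection_reason(token, DEMO_KEY, EXPECTED_ISS, EXPECTED_AUD, fresh))
    print("deactivated user, with status lookup:",
          authorize(token, DEMO_KEY, EXPECTED_ISS, EXPECTED_AUD, fresh, directory.get))
```

The `authorize` wrapper is where the "User deactivation" row bites: `validate_jwt_locally` still returns the claims for a deactivated user, so a service that needs immediate cut-off has to consult something beyond the token (here a constructed in-memory directory standing in for whatever source of truth you use), which is exactly the round trip opaque tokens get for free.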
- JWT-Based Access Tokens
  Salesforce supports two types of access tokens: opaque tokens and JSON Web Token (JWT)-based access tokens. An opaque access token is formatted as a string that you can’t decode unless you call the Salesforce User Info endpoint. A JWT-based access token is formatted as a JSON object that contains all of the information required to authorize an app. This transparent format makes JWT-based access tokens easier to use for services built outside of the Salesforce platform. You can easily parse and validate JWT-based access tokens locally on your off-platform service, without calling a Salesforce endpoint. By locally introspecting tokens, you can improve the performance and efficiency of your authorization flows.
- Issue JWT-Based Access Tokens
  Enable a Salesforce external client app or connected app to issue JSON Web Token (JWT)-based access tokens instead of opaque tokens. Unlike opaque tokens, JWT-based access tokens have a transparent format, so you can introspect them without calling a Salesforce endpoint. This functionality makes them handy for use cases where you’re calling multiple external systems.
- Revoke All JSON Web Token (JWT)-Based Access Tokens
  If necessary, you can revoke all JSON Web Token (JWT)-based access tokens issued by all external client apps and connected apps. Revoking JWT-based access tokens invalidates their signing keys, which makes the tokens unusable.
- Revoke OAuth Tokens
  Revoke an OAuth token if you don’t want a client to access Salesforce data or if you don’t trust the client to discontinue access on its own.

