Set Up and Maintain Your Salesforce Organization
API (Enable OAuth Settings): Enable Asset Tokens Control

Control Name

Connected Apps: API (Enable OAuth Settings): Enable Asset Tokens

Recommended Configuration

Enable Asset Tokens.

Control Overview

Asset Tokens are a specialized JWT-based authentication method that links a Salesforce session directly to a specific physical device or "asset" rather than just a user, providing granular identity for the Internet of Things (IoT).

Security Risk If Not Configured

Without Asset Tokens, companies often fall back on generic service account credentials for devices, which can't verify whether the requesting hardware is the specific, authorized device it claims to be.

Threat Scenarios

An attacker "clones" the credentials from a legitimate IoT device and uses them to register a rogue, unauthorized device that sends fraudulent sensor data or extracts sensitive telemetry from your Salesforce Org.

Estimated CVSS Score Range

Critical (9.0–10.0).

Risk Impact Considerations

The absence of device-level identity leads to a loss of data integrity and "non-repudiation," making it impossible to prove which specific piece of hardware performed an action or accessed a record.

Higher Risk When

The risk is significantly higher when devices are deployed in unsecured physical environments (like public kiosks or remote sensors) where the hardware can be tampered with or the local storage can be scraped for static credentials.

Low Risk When

The scenario is lower risk when Asset Tokens are implemented with Certificate-Based Authentication, so that the device must prove possession of a unique hardware-bound private key to receive a token.

Business and Integration Considerations

Implementing Asset Tokens requires a strategy for "Device Provisioning," making sure that every physical asset is correctly registered as an Asset record in Salesforce before it attempts to authenticate.

Recommended Remediation

Go to the Connected App OAuth Settings, select the checkbox for "Enable Asset Tokens," and configure the Asset Token Handler (Apex) to validate the incoming device claims.
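
As an added illustration of the claim validation a handler has to perform (the Low Risk When and Recommended Remediation points above), and not code from this article nor Salesforce's Apex Asset Token Handler API: a Go stand-in in which each provisioned asset has the public half of a device-generated key stored against it, and a token is accepted only if its signature verifies under the key registered for the asset it names, so a copied asset ID without that device's private key is useless. The asset IDs, audience value and EdDSA-signed JWT layout are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding
// Claims carried in the constructed device token; "sub" is the provisioned asset ID.
type AssetClaims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// Sign builds header.payload.signature (JWT layout) with the device's private key.
func Sign(priv ed25519.PrivateKey, c AssetClaims) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verify is the handler-side check: the signature must verify with the public key stored against the
// asset in "sub" at provisioning, so a rogue device that copied the asset ID but not its key is rejected.
func Verify(registry map[string]ed25519.PublicKey, token, wantAud string, now int64) (AssetClaims, error) {
	var c AssetClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	body, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(body, &c)
	}
	sig, sigErr := b64.DecodeString(parts[2])
	pub, ok := registry[c.Sub] // keyed by the claimed asset, never by a shared service secret
	switch {
	case err != nil || !ok:
		return c, errors.New("undecodable claims or asset not provisioned: " + c.Sub)
	case sigErr != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig):
		return c, errors.New("signature does not match the registered device key")
	case c.Aud != wantAud:
		return c, errors.New("unexpected audience")
	case now >= c.Exp:
		return c, errors.New("token expired")
	}
	return c, nil
}
```

Audience and expiry are checked only after the signature, so an unregistered device learns nothing about which other claims it got right.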

Security Health Review Guidance

Security Health Review identifies Asset Tokens as the gold standard for "Device-as-a-User" security, moving organizations away from shared service accounts toward a unique, verifiable identity for every physical endpoint.

Salesforce Help | Article