          API (Enable OAuth Settings): Use Digital Signatures - Selected Control

          This security setting mandates the use of asymmetric cryptography by requiring the connected application to sign authentication requests with a validated private key.

          Control Name

          Connected Apps: API (Enable OAuth Settings): Use Digital Signatures - Selected

          Recommended Configuration

          Use Digital Signatures - Selected.

          Control Overview

          This security setting mandates the use of asymmetric cryptography by requiring the connected application to sign authentication requests with a private key that is validated against a public certificate uploaded to the Salesforce platform.

          Security Risk If Not Configured

          Without digital signatures, application access is verified only by the credentials the caller presents. A forged identity assertion can then impersonate the application and bypass standard credential-based security.

          Threat Scenarios

          A malicious actor intercepts or guesses a client secret and uses it to impersonate a trusted integration, executing administrative API calls without the secondary layer of cryptographic proof that a unique digital certificate would require.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Failure to enforce digital signatures facilitates persistent unauthorized access to the organizational data tier, as static credentials are significantly easier to compromise and reuse than short-lived, signed assertions.

          Higher Risk When

          When the integration is granted administrative scopes or when the organization uses legacy authentication flows that rely solely on shared secrets transmitted over the network.

          Low Risk When

          If the org implements a robust certificate lifecycle management process that enforces short expiration periods and uses hardware security modules to protect private keys.

          Business and Integration Considerations

          Transitioning to digital signatures requires the external application to possess a valid X.509 certificate and the capability to perform RSA or ECDSA signing during the OAuth JWT bearer flow.
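          As an added example that is not part of Salesforce Help, the two halves of the JWT bearer assertion in Go (standard library only): the integration signs the assertion with its private key, and the receiving side verifies it against the public key from the registered certificate, pins the header so the algorithm is never taken from the token, and rejects expired assertions. Claim names follow RFC 7523 as the Salesforce JWT bearer flow uses them; the keys and claim values in the accompanying test are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims of the RFC 7523 bearer assertion: iss = consumer key, sub = Salesforce username,
// aud = login endpoint, exp = expiry in Unix seconds.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
const header = `{"alg":"RS256","typ":"JWT"}` // the only header this verifier accepts
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// SignAssertion is the integration side: RS256 (RSASSA-PKCS1-v1_5 with SHA-256) over
// base64url(header).base64url(claims), using the key whose certificate was uploaded.
func SignAssertion(c Claims, key *rsa.PrivateKey) (string, error) {
	body, err := json.Marshal(c)
	if err != nil { return "", err }
	input := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion is the receiving side: the header is pinned verbatim (alg is never read from
// the token), the signature is checked against the registered public key before any claim is
// used, and an expired assertion is rejected even when it is correctly signed.
func VerifyAssertion(token string, pub *rsa.PublicKey, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != b64.EncodeToString([]byte(header)) { return nil, errors.New("malformed assertion or unexpected header") }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return nil, errors.New("signature not made with the registered certificate's key") }
	var c Claims
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil { return nil, errors.New("unreadable claims") }
	if now >= c.Exp { return nil, errors.New("assertion expired") }
	return &c, nil
}
```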

          Recommended Remediation

          Go to the API (Enable OAuth Settings) section of the Connected App, select Use Digital Signatures, and upload the corresponding public certificate to be used for identity verification.

          Security Health Review Guidance

          Security Health Review treats enforcement of digital signatures as a strongly recommended standard: replacing static shared secrets with certificate-based authentication prevents impersonation and ensures the integrity of every integration request.
