OAuth Flow Enablement: Enable JWT Bearer Flow Control

Control Name

External Client Apps: OAuth Flow Enablement: Enable JWT Bearer Flow

Recommended Configuration

Enable JWT Bearer Flow.

Control Overview

This security setting activates a certificate-based OAuth 2.0 flow that lets an application authenticate by signing a JSON Web Token (JWT) with a private key instead of using a static shared secret.
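As an added illustration (not code from this Help article or from Salesforce), the two halves of the flow in Go: the client signs a short-lived RS256 assertion with its private key, and the authorization server verifies it using only the public key from the uploaded certificate, then checks audience and expiry. Claim names follow RFC 7523; the consumer key, user and endpoint values used with it are constructed placeholders.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims of the bearer assertion (RFC 7523): iss = app consumer key, sub = integration user, aud = token endpoint.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
var enc = base64.RawURLEncoding
// SignAssertion is the client side: only the holder of the private key can
// produce a valid assertion, so no reusable secret is stored or transmitted.
func SignAssertion(c Claims, key *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}
// VerifyAssertion is the server side and needs only the certificate's public key. The
// algorithm is fixed to RS256 (never read from the header); aud and exp are checked after the signature.
func VerifyAssertion(tok, wantAud string, pub *rsa.PublicKey, now int64) (Claims, error) {
	var c Claims
	head, rest, _ := strings.Cut(tok, ".")
	body, sigB64, ok := strings.Cut(rest, ".")
	sig, err := enc.DecodeString(sigB64)
	digest := sha256.Sum256([]byte(head + "." + body))
	if !ok || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("bad signature")
	}
	raw, err := enc.DecodeString(body)
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return c, errors.New("bad claims")
	}
	if c.Aud != wantAud || now >= c.Exp {
		return c, errors.New("wrong audience or expired")
	}
	return c, nil
}
```

A leaked copy of the assertion is useless once exp passes, and a leaked client secret has no equivalent here because the verifier never holds anything that can sign.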

Security Risk If Not Configured

Without the JWT Bearer Flow, integrations often rely on less secure password-based or secret-based methods that are vulnerable to credential stuffing, brute-force attacks, and accidental exposure in source code or logs.

Threat Scenarios

An attacker intercepts or discovers a plaintext client secret and uses it to establish a persistent connection to the API, whereas a JWT-based system would require the attacker to possess the heavily guarded private key file.

Estimated CVSS Score Range

High (7.0–8.9).

Risk Impact Considerations

Relying on static secrets rather than asymmetric cryptography increases the likelihood of a long-term data breach, as compromised secrets are harder to detect and rotate than digital certificates.

Higher Risk When

The integration user has elevated administrative permissions and the connection is established over public or unmanaged network segments.

Low Risk When

The org already uses a robust Key Management Service to protect the private keys and enforces strict IP allowlisting for all incoming JWT-signed requests.

Business and Integration Considerations

Implementing this flow requires developers to manage digital certificates and implement local code for signing tokens, which adds complexity compared to simple secret-based authentication.

Recommended Remediation

Go to the OAuth settings of the External Client App, upload a valid digital certificate, and select the checkbox to turn on the JWT Bearer Flow.

Security Health Review Guidance

Security Health Review identifies the use of asymmetric cryptography for machine-to-machine authentication as a mandatory standard for high-security environments, so that credentials cannot be easily cloned or intercepted.

Salesforce Help | Article