Default Salesforce CLI OAuth 2.0 Device Flow Removal

Publish Date: May 25, 2026

Description

Salesforce has removed support for the OAuth 2.0 Device Flow in the default Salesforce CLI (Command Line Interface) Connected App. This change is permanent — there will be no exceptions or extensions.

This change is part of Salesforce's commitment to making products and services secure-by-default.

Effective Date: Starting August 28, 2025, new and existing authorizations to any org using the OAuth 2.0 Device Flow with the default Salesforce CLI connected app will be blocked.

Who Is Affected: Users who use the org login device CLI command with the default Salesforce CLI connected app. Starting August 28, 2025, these authorizations will be blocked.

Announcement
https://github.com/forcedotcom/cli/issues/3368

Resolution

Recommended Alternative Flows

[1] Web Server Flow

Use the Web Server Flow for interactive authentication with browser access:

[2] JWT Bearer Flow

Use the JWT (JSON Web Token) Bearer Flow for headless environments such as CI/CD pipelines where browser authentication is not available:
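An added example, not taken from the Salesforce article: a POSIX shell helper that replaces a device-flow login with the two recommended flows, calling `sf org login web` on an interactive workstation and `sf org login jwt` in a headless job. The environment variable names, the default alias and the private-key permission check are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not Salesforce's code): log in with a supported flow
# instead of `sf org login device`.
# Assumed, hypothetical environment variable names:
#   SF_CLIENT_ID     consumer key of the connected app set up for the JWT flow
#   SF_USERNAME      username to authorize
#   SF_JWT_KEY_FILE  path to the private key matching that app's certificate
#   SF_INSTANCE_URL  login URL (defaults to https://login.salesforce.com)
#   SF_ORG_ALIAS     alias for the authorized org (defaults to target-org)
# Assumption: the CI system sets the conventional CI variable.

# Print "jwt" when running in CI or without a terminal, otherwise "web".
pick_flow() {
  if [ -n "${CI:-}" ] || [ ! -t 0 ]; then echo jwt; else echo web; fi
}

# Succeed only if the key is a readable file with no group/other permission bits.
key_is_private() {
  [ -f "$1" ] && [ -r "$1" ] || return 1
  [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Run the login; optional $1 forces "web" or "jwt".
# Returns 2 on missing/invalid input, 3 on an unsafe key file, else sf's status.
sf_login() {
  flow="${1:-$(pick_flow)}"
  org_alias="${SF_ORG_ALIAS:-target-org}"
  url="${SF_INSTANCE_URL:-https://login.salesforce.com}"
  case "$flow" in
    web)
      set -- org login web --alias "$org_alias" --instance-url "$url" ;;
    jwt)
      for v in SF_CLIENT_ID SF_USERNAME SF_JWT_KEY_FILE; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "missing $v" >&2; return 2; }
      done
      key_is_private "$SF_JWT_KEY_FILE" || {
        echo "key missing or accessible to group/other: $SF_JWT_KEY_FILE" >&2
        return 3
      }
      set -- org login jwt --client-id "$SF_CLIENT_ID" \
        --jwt-key-file "$SF_JWT_KEY_FILE" --username "$SF_USERNAME" \
        --instance-url "$url" --alias "$org_alias" ;;
    *)
      echo "unknown flow: $flow" >&2; return 2 ;;
  esac
  sf "$@"
}
```

Source the file and call `sf_login` from the pipeline step; the private key should come from the CI system's secret store and be written with mode 600 before the call.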

Important Note:

You cannot work around this restriction by re-enabling the Device Flow in a custom connected app, because the Enable for Device Flow option in the API (Enable OAuth Settings) section has been permanently disabled by Salesforce. Additionally, Org Admins must now install the Salesforce CLI connected app themselves — this can no longer be done by standard users.

Knowledge Article Number

005135030
