
Salesforce CLI: Upcoming Breaking Change to Enhance Credential Security

Publish Date: May 25, 2026
Description

Overview of Change

To improve security posture and reduce the risk of accidental credential exposure, Salesforce is changing how Salesforce CLI commands output sensitive authentication artifacts (Access Tokens, Passwords, and SFDX Auth URLs).

Starting in the 2.136 stable release (on May 27, 2026), Salesforce will remove the secrets from the standard human-readable and --json outputs of existing commands. We’re introducing new dedicated commands designed specifically for explicit credential retrieval. A temporary environment variable workaround will be available to prevent immediate pipeline breakage, but Salesforce will strictly decommission it at a later date.

See the full announcement on GitHub. This knowledge article provides a summary of the changes. 

Why Is Salesforce Making This Change?

A recent security review identified elevated risks associated with sensitive credentials being exposed through standard CLI workflows. While historically designed for developer convenience, these outputs present a heightened vulnerability in modern AI-assisted and agentic development environments.

 

AI coding agents and automated systems often store execution logs in plain text. If an AI agent runs a standard command that returns a credential, that secret may be permanently recorded in unencrypted chat history. To align with broader platform security goals, we’re shifting toward an explicit model for retrieving a credential that requires deliberate user intent and is clearly labeled as a high-risk operation. These new explicit commands can be deny-listed from a coding agent's permitted execution.

 

What's Changing?

Credential Redaction (Effective May 27, 2026)

Sensitive credentials (access tokens, passwords, and SFDX Auth URLs) will be redacted from standard human-readable and --json outputs in commands including:

 

  • org display
  • org list
  • org create scratch
  • org login commands (jwt, web, sfdx-url, access-token)
  • org display user
  • org list users

 

New Commands to Explicitly Show Credentials

We’re introducing three new commands for explicit credential retrieval:

 

  • org auth show-access-token
  • org auth show-sfdx-auth-url
  • org auth show-user-password

 

These commands include interactive security warnings and require explicit flags for use in CI/CD environments.
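
One way to enforce the deny-listing mentioned above in a coding agent's command gate. This is an added example, not code from Salesforce or the CLI; the `is_denied` hook, the binary names `sf`/`sfdx`, and the handling of a colon-separated command form are assumptions.

```python
import os
import shlex

# The three explicit credential-retrieval commands named in the article.
DENIED = {
    ("org", "auth", "show-access-token"),
    ("org", "auth", "show-sfdx-auth-url"),
    ("org", "auth", "show-user-password"),
}
CLI_NAMES = {"sf", "sfdx"}    # assumption: binary names on the agent host
SHELL_PUNCT = set("();<>|&")  # characters shlex treats as shell punctuation


def split_commands(line):
    """Split one shell line into simple commands at ; && || | ( ) and similar."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    current = []
    for tok in lexer:
        if tok and set(tok) <= SHELL_PUNCT:
            if current:
                yield current
            current = []
        else:
            current.append(tok.strip("`"))
    if current:
        yield current


def is_denied(line):
    """Return True if any simple command in `line` is a deny-listed call."""
    try:
        commands = list(split_commands(line))
    except ValueError:
        return True  # unbalanced quotes: fail closed
    for argv in commands:
        for i, tok in enumerate(argv):
            if " " in tok and is_denied(tok):
                return True  # quoted inner command, e.g. bash -c "..."
            if os.path.basename(tok) not in CLI_NAMES:
                continue
            # Words after the binary, flags skipped; "a:b:c" is read like
            # "a b c" (assumption: the colon-separated form is accepted).
            words = [w for t in argv[i + 1:] if not t.startswith("-")
                     for w in t.split(":") if w]
            if tuple(words[:3]) in DENIED:
                return True
    return False
```

A gate like this only sees the command line the agent submits; it does not inspect scripts the agent writes to disk and then runs, so it complements the redaction of standard outputs and does not replace it.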

Next Steps

For timeline, migration instructions, command examples, temporary workaround options, and the complete list of affected commands, see the full announcement on GitHub.


To provide feedback on how your team uses credentials in workflows, participate in the community discussion.

Knowledge Article Number

005385006

 