You are here:
Generate a JSON Web Token (JWT)
To obtain an access token, you need to generate a JWT with specific claims, and sign it using the RS256 algorithm with your private key.
Required Editions
| User Permissions Needed | |
|---|---|
| To generate an API token: | User with Enable API Access |
Step: 1 Get the token request endpoint URL
You first need to get the token request endpoint URL.
- Insert the discoveryEndpoint URL you obtained when generating the API token in Intelligence into your browser’s search bar.
- Press Enter.
-
Copy the returned value for the field “token_endpoint”.
Example for AWS US (aka US1):
"token_endpoint": "https://idp.intelligence.salesforce.com/us1/token"
Step 2: Sign the JWT
In order to sign the JWT, you must use the private key provided when generating the API Token in Intelligence to encode the payload.
Using Python the necessary modules we need are:
import jwt
import requests
import uuid
import time
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
The Intelligence platform supports the JWT module - jwt 1.3.1
The JWT needs to be generated with specific claims and signed using the RS256 algorithm with your private key.
JWT Claims (payload):
{
"iss": "your-client-id",
"aud": "https://idp.intelligence.salesforce.com"",
"sub": "your-client-id",
"iat": 1690129371, (time when the token was issued)
"jti": "45911cd010b846f9810b150c969b0007"
}
"iss" and "sub": Equivalent to the serviceAccountId
"iat": Epoch time in seconds.
"jti": a random UUID without "-".
Example of JWT
# env can be us1 / us2 / eu1 / eu2
app = 'us1'
service_account_id = ''
private_key_str = '''-----BEGIN RSA PRIVATE KEY-----\nMIIEogI....REDACTED.....xweWOhhutft/sA=\n-----END RSA PRIVATE
KEY-----'''
private_key = serialization.load_pem_private_key(
private_key_str.encode(),
password=None,
backend=default_backend()
)
private_key_jwk = jwt.jwk_from_pem(private_key_str.encode())
payload = {
"iss": service_account_id,
"aud": "https://idp.intelligence.salesforce.com"",
"sub": service_account_id,
"iat": int(time.time()),
"jti": str(uuid.uuid4()).replace('-','')
}
jwt_object = jwt.JWT()
jwt_token = jwt_object.encode(payload, private_key_jwk, alg='RS256')
Step 3: Use the JWT to obtain a Platform Token
The Token Endpoint is available in the discoveryEndpoint URL obtained from your API client information.
"token_endpoint":
"https://idp.intelligence.salesforce.com/us1/token""
| Parameter | Type | Description |
|---|---|---|
| client_id | string | Your client ID (serviceAccountId). |
| client_assertion | string | Your JWT |
| client_assertion_type | string | The type of client assertion. (Fixed value: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer') |
| grant_type | string | The grant type. (Fixed value: 'client_credentials') |
Request structure
[token_endpoint_obtained_from_the_beginning_of_Step_2]?grant_type=client_credentials&client_assertion=[your_signed_jwt_token]&client_id=[your_client_id]&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
Example Response
{
"access_token": "eyJraWQ...",
"expires_in": 300
}
- “access_token”—The issued access token you use to make API calls.
- “expires_in”—The access token life time is 5 minutes (300 seconds).
