Secure Your Salesforce Org
          Complete MFA Challenges for Automation Users

          Salesforce requires multi-factor authentication (MFA) for all UI logins, including logins from automation users. For automation use cases such as Robotic Process Automation (RPA), you can programmatically complete MFA using third-party authenticator apps that generate time-based one-time passwords (TOTPs).

          Required Editions

          Available in: Salesforce Classic and Lightning Experience
          Available in: All editions

          When you connect a third-party authenticator app to a user account, Salesforce shares a secret key that can generate TOTPs. With this key, you can write a script that uses TOTPs to complete MFA without any human interaction.

          Important: Don't use programmatic TOTP challenges for user accounts that have the System Administrator profile or the Modify All Data, View All Data, Customize Application, or Author Apex user permissions. These accounts are required to use phishing-resistant MFA methods (passkeys such as built-in authenticators or security keys) starting in June 2026. When the phishing-resistant MFA requirement is enforced, these user accounts can't use authenticator apps.

          Here’s how to connect a third-party authenticator app and get a key that can generate TOTPs. Getting the key is a manual process that you complete one time.

          Note: These steps aren't supported for Salesforce Authenticator.
          1. Log in to the automation user account.
          2. Go to the user’s personal settings and click Advanced User Details.
          3. Find the "App Registration: One-Time Password Authenticator" setting and click Connect.
            [Screenshot: Advanced User Details page with "App Registration: One-Time Password Authenticator" setting highlighted]
          4. On the screen to connect an authenticator app, click I Can’t Scan the QR Code.
            [Screenshot: Connect an Authenticator App screen with QR code link highlighted]
            Salesforce directs you to a page to connect the app using a key.
          5. Before you connect the authenticator app, copy the key and securely store it. Treat this key as a secret and make sure to follow Salesforce best practices for storing sensitive data.
            [Screenshot: Connect an Authenticator App screen with key highlighted]
          6. Follow the instructions on the screen to connect the app to Salesforce.

          To complete TOTP challenges programmatically, write a script that uses the key to generate TOTPs. Include a method to retrieve the autogenerated TOTPs and complete UI logins. Here’s a JavaScript example that uses the open-source otplib library from npm. In this example, the secret key is stored in the AUTOMATION_TOTP_SECRET variable. This code sample is for demonstration only—make sure to write and test your own custom code.

          // This example assumes the otplib package has been installed ($ npm i otplib)
          const { authenticator } = require('otplib');
          
          // Store the Base32 secret securely (environment variable, secrets manager, etc.)
          // This should be the "Key" shown in the UI after clicking "I Can't Scan the QR Code"
          const TOTP_SECRET = process.env.AUTOMATION_TOTP_SECRET;
          
          function getTotpCode() {
            if (!TOTP_SECRET) {
              throw new Error('Missing AUTOMATION_TOTP_SECRET');
            }
          
            // otplib's authenticator expects a Base32 secret by default;
            // 30s step, 6 digits, SHA1 are the common defaults
            return authenticator.generate(TOTP_SECRET);
          }
          
          // Example usage in an auth flow:
          async function completeMfaChallenge({ enterCode }) {
            const code = getTotpCode();
            await enterCode(code); // customer supplies their UI interaction
          }
          
          module.exports = { getTotpCode, completeMfaChallenge };
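
For reference, here is what a TOTP library computes from the key, together with a guard for the case where the automation requests a code in the last seconds of a 30-second window. This is an added example, not Salesforce or otplib code; it uses only Node's built-in crypto module, and the names `totpAt`, `secondsLeft`, `freshTotp`, and `minLeft` are assumptions of this sketch.

```javascript
const crypto = require('crypto');

const STEP_SECONDS = 30; // time step, as in the otplib defaults noted above
const DIGITS = 6;
// Constructed sample: the published RFC 6238 test secret, not a real key.
const RFC_TEST_KEY = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';

// Decode the Base32 key (RFC 4648 alphabet) into raw bytes.
function base32Decode(key) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
  const clean = key.replace(/[\s=-]/g, '').toUpperCase();
  let bits = 0, value = 0;
  const out = [];
  for (const ch of clean) {
    const idx = alphabet.indexOf(ch);
    if (idx === -1) throw new Error('Key is not valid Base32');
    value = ((value << 5) | idx) & 0xfff; // keep only the pending bits
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
    }
  }
  return Buffer.from(out);
}

// RFC 6238: HMAC-SHA1 over the 8-byte big-endian step counter,
// then RFC 4226 dynamic truncation to DIGITS decimal digits.
function totpAt(key, unixSeconds) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / STEP_SECONDS)));
  const mac = crypto.createHmac('sha1', base32Decode(key)).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const binary = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(binary % 10 ** DIGITS).padStart(DIGITS, '0');
}

// Seconds until the code for `unixSeconds` is replaced by the next one.
function secondsLeft(unixSeconds) {
  return STEP_SECONDS - (Math.floor(unixSeconds) % STEP_SECONDS);
}

// Return a code with at least `minLeft` seconds remaining; if the window is
// nearly over, wait for the next one so a slow UI step doesn't submit a code
// that rolls over mid-entry. `now` is injectable for testing.
async function freshTotp(key, minLeft = 5, now = () => Date.now() / 1000) {
  const left = secondsLeft(now());
  if (left < minLeft) await new Promise((r) => setTimeout(r, left * 1000));
  return totpAt(key, now());
}
```

The RFC 6238 test secret gives a known answer to check the implementation against before pointing it at a real key; load the real key from the environment or a secrets manager exactly as in the sample above.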
          
           