Set Up JWT Claims for External Credentials
If your external credential uses JWT authentication, configure JWT (JSON Web Token) claims.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: all editions |
Note: This table doesn’t apply to legacy named credentials. For legacy named credentials, see Define a Legacy Named Credential.
External credentials that use JWT authentication have JWT (JSON Web Token) claims. JWT claims assert attributes about tokens, such as time of expiration. You can modify some default claims for an external credential as well as create your own custom claims.
| Claim Name | Description | Notes |
|---|---|---|
| alg | The algorithm used to sign the token. Valid values are RS256 and RS512. | Default is RS256, an asymmetric algorithm that uses a private/public pair. |
| aud | (Audience) Recipient for whom the token is intended. | Added when claims are edited. Editable through the JWT Claims panel on the editable credential. |
| exp | (Expiration) Time after which the token expires. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. | Set on external credential creation through the Expiration field. If no expiration number is provided, a default of two minutes in the future is set. |
| iat | (Issued At Time) Time at which the token was issued. Can be used to determine age of the token. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. | Added automatically on external credential creation. Not editable. |
| iss | Issuer of the token. For example, to return the Email ID, use the formula {!$User.Email}. | Added when claims are edited. Editable through the JWT Claims panel on the editable credential. |
| kid | (Key ID) Used to match a specific key. | Added automatically on external credential creation. Editable through the JWT Claims panel on the editable credential. |
| nbf | (Not Before Time) Time before which the token must not be accepted for processing. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. | Added automatically on external credential creation. Not editable. |
| sub | Subject of the token (the user). Supports a static value or a formula for both the Named Principal and Per User identity types. | Added when claims are edited. Editable through the JWT Claims panel on the editable credential. |
| typ | (Type) The media type of the token. | Added automatically on external credential creation. The value is set to ‘JWT’. Not editable. |
To modify default JWT claims or to create custom claims:
- From Setup, in the Quick Find box, enter Named Credentials, and then select Named Credentials.
- On the Named Credentials page, click External Credential.
- Select the external credential you created.
- Scroll to JWT Claims.
- Click Edit.
- Optionally, assign a value to these claims: iss, sub, and aud. You can make a callout without configuring iss, sub, and aud; in that case, your JWT payload doesn’t contain them. However, if you edit any preset claims or add custom claims, you must provide values for all three of these claims.
- Optionally, modify the value of the kid claim. You can also delete this claim.
- Optionally, add a custom claim of your own. Provide a name, description, and value for the claim, and select either JWT Body Claim or JWT Header Claim as the type.
- Save the edited claims.
You’ve finished the main steps in creating an external credential that uses a JWT authentication protocol. Next, create the named credential. For an overview of all of the steps required to configure a named credential, see Create Named Credentials and External Credentials.
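The following is an added example, not Salesforce code: a receiver-side check, in Python with only the standard library, of the claims in the table above, as the service accepting the callout might apply it after it has verified the token signature with the key that kid selects. The function names, sample values, `leeway`, and `max_lifetime` are assumptions, and reading alg, typ, and kid from the JWT header follows the JWS standard rather than anything stated on this page.

```python
import base64
import json
import time

ALLOWED_ALGS = ("RS256", "RS512")  # the only alg values the claims table lists

def encode_segment(obj):  # dict -> base64url segment, used only to build the sample
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_segment(segment):  # base64url segment -> dict, restoring stripped padding
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_claims(token, expected_iss, expected_aud, now=None, leeway=30, max_lifetime=300):
    """List claim problems; call only after the signature has been verified."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    header, body = decode_segment(parts[0]), decode_segment(parts[1])
    problems = []
    if header.get("alg") not in ALLOWED_ALGS:
        problems.append("alg is not RS256 or RS512")
    if header.get("typ") != "JWT":
        problems.append("typ is not JWT")
    times = {k: body.get(k) for k in ("iat", "nbf", "exp")}
    if any(isinstance(v, bool) or not isinstance(v, (int, float)) for v in times.values()):
        return problems + ["iat, nbf and exp must all be NumericDate values"]
    if now >= times["exp"] + leeway:
        problems.append("token expired")
    if now < times["nbf"] - leeway:
        problems.append("token not yet valid")
    if times["exp"] - times["iat"] > max_lifetime:  # receiver policy (assumption)
        problems.append("lifetime exceeds receiver policy")
    # iss, sub and aud are absent unless the claims were edited in Setup
    if body.get("iss") != expected_iss:
        problems.append("iss missing or unexpected")
    aud = body.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud missing or unexpected")
    if not body.get("sub"):
        problems.append("sub missing")
    return problems

# Constructed sample: illustrative values, placeholder signature segment.
NOW = 1_700_000_000
HEADER = {"alg": "RS256", "typ": "JWT", "kid": "example-key"}
BODY = {"iss": "user@example.com", "sub": "user@example.com",
        "aud": "https://api.example.com", "iat": NOW, "nbf": NOW, "exp": NOW + 120}
SAMPLE = ".".join([encode_segment(HEADER), encode_segment(BODY), "placeholder-signature"])
```

A token from an external credential whose claims were never edited carries no iss, sub, or aud, so this check rejects it until those three claims are configured.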

