docs: JWT authorizations documentation #170
base: main
…ication
- Added a new section on JWT Authorization, detailing its use for headless authentication in CI/CD pipelines.
- Included step-by-step instructions for generating RSA key pairs, configuring Connected Apps in Salesforce, and adding JWT authorization via CLI.
- Enhanced the table of contents to reflect new sections and commands related to JWT authorization for both Salesforce and Data Cloud.
- Updated command descriptions and examples for clarity and consistency.
Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
dd839f9 to 9df705a
    Signed-off-by: Chris Montes <cmontes@heroku.com>
…ected App configuration
| 
               | 
          ||
| - [@heroku-cli/plugin-applink](#heroku-cliplugin-applink) | ||
| - [Usage](#usage) | ||
| - [JWT Authorization (Headless Authentication)](#jwt-authorization-headless-authentication) | 
Can this whole section be in a Dev Center article instead? For example, I put the info in a draft: https://devcenter.heroku.com/articles/jwt-heroku-applink?preview_key=35c92d2249f1e86e60eaf0f11bbb0d40652e3830d3f420ea4ec06960c80e8340
| # JWT Authorization (Headless Authentication) | ||
| 
               | 
          ||
| The AppLink plugin supports JWT (JSON Web Token) authorization for headless | ||
| authentication in CI/CD pipelines and automated workflows. This eliminates the | 
| authentication in CI/CD pipelines and automated workflows. This eliminates the | |
| authentication in CI/CD pipelines and automated workflows. JWT authorization eliminates the | 
| # Generate private key and self-signed certificate | ||
| openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes | ||
| 
               | 
          ||
| # Extract public key for Connected App | 
| # Extract public key for Connected App | |
| # Extract public key for connected app | 
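Review bot: `-nodes` on the `openssl req` line writes `server.key` unencrypted, and this section targets CI/CD pipelines, so the docs should say where that file is expected to live (a pipeline secret store, not the repository) and recommend restrictive file permissions on it. `-days 365` also means the certificate expires after a year; add a sentence on rotating the key pair and certificate before then so headless authorizations do not start failing without warning.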
| ### 2. Configure Connected App in Salesforce | ||
| 
               | 
          ||
| Follow the official Salesforce documentation to create and configure your | ||
| Connected App: | 
| Connected App: | |
| connected app: | 
| 
               | 
          ||
| ### 3. Pre-authorize Users | ||
| 
               | 
          ||
| Follow the official guide for | 
| Follow the official guide for | |
| Follow the official Salesforce documentation for | 
| required: true, | ||
| description: 'path to file containing private key to authorize with', | ||
| description: | ||
| 'Path to file containing RSA private key in PEM format. Generate with: openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes', | 
| 'Path to file containing RSA private key in PEM format. Generate with: openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes', | |
| 'path to file containing RSA private key in PEM format to authorize with', | 
| char: 'l', | ||
| description: 'Salesforce login URL', | ||
| description: | ||
| 'Salesforce login URL (default: https://login.salesforce.com for production, https://test.salesforce.com for sandboxes)', | 
| 'Salesforce login URL (default: https://login.salesforce.com for production, https://test.salesforce.com for sandboxes)', | |
| 'Salesforce login URL', | 
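Review bot: the new description lists two URLs after "default:", but a flag has a single default; say which URL is used when the flag is omitted and describe https://test.salesforce.com as the value to pass for sandboxes. If a default is intended, declaring it on the flag definition itself (not visible in this hunk) keeps the help text and the actual behaviour from drifting apart.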
| required: true, | ||
| description: 'username for authorization', | ||
| description: | ||
| 'Salesforce username that has been authorized for the Connected App. Must be a valid user in the target org.', | 
| 'Salesforce username that has been authorized for the Connected App. Must be a valid user in the target org.', | |
| 'Salesforce username authorized for the connected app', | 
| alias: flags.string({ | ||
| description: | ||
| 'alias for the authorization (defaults to applink:{developer_name})', | ||
| 'Alias for the authorization (defaults to applink:{developer_name}). Used to retrieve credentials via SDK.', | 
| 'Alias for the authorization (defaults to applink:{developer_name}). Used to retrieve credentials via SDK.', | |
| '[default: applink:{developer_name}] alias for authorization to retrieve credentials via SDK', | 
| Follow the official guide for | ||
| [Managing Connected App Policies](https://help.salesforce.com/s/articleView?id=sf.connected_app_manage_oauth.htm): | ||
| 
               | 
          ||
| In your Connected App settings, click **Manage** > **Edit Policies**: | 
| In your Connected App settings, click **Manage** > **Edit Policies**: | |
| In your connected app settings, click **Manage** > **Edit Policies**: | 
Description
This pull request adds the documentation for JWT (headless) authentication in the Heroku AppLink plugin, providing examples for CI/CD and automation scenarios.
📋 Documentation Requiring CX Review
README.md Section: Lines 28-196 (the entire JWT Authorization section)
Source Files
- src/lib/jwtAuthCommand.ts (base command with shared text)
- src/commands/salesforce/authorizations/add/jwt.ts
- src/commands/datacloud/authorizations/add/jwt.ts
Live Commands:
Local installation and manual testing instructions