Admin APIs: Authentication via Salesforce Connected App

Logik.io administration APIs are useful to facilitate new product introduction, data transfer, test-to-production operations, etc.

Relevant to use cases in which Logik.io leverages Salesforce for user authentication, this video walks you through the steps required to build a Salesforce Connected App and retrieve a JSON Web Token [JWT] that can be used to authenticate calls to Logik.io administration APIs.

Please note: The release of Admin API Keys has made this setup unnecessary, and Admin API Keys are now the recommended method of authenticating Admin API calls.
Note 2: If you have implemented the JWT method recommended before February 2025, Salesforce has deprecated that method and you will need to follow the updated steps in this article.

The valid JWT can be used as a bearer token to authenticate Logik.io administration APIs to:

- Manipulate Managed Tables
- Write rules
- Deploy Blueprints
- ...and much, much more

Walk-through Instructions

Creating/Updating Connected App for JWT Authentication

If you’re updating an existing app, these instructions assume that you’ve created a Connected App following the instructions in the Legacy Asset Token Flow (see the deprecated section below for the previous version of this article).

1. Go to Salesforce Setup, Apps → App Manager.
2. Create a new Connected App, or update your existing JWT app to match the image below.
3. Select ‘Manage’ on your JWT connected app.
4. Edit policies.
5. There will be a new section labeled ‘Client Credentials Flow’. Select your integration user in the Run As option.
6. There will be a second new section labeled ‘JWT-Based Access Token Settings for Named Users’. Check ‘Issue JSON Web Token (JWT)-based access tokens’.
7. Select a default timeout.
8. Save.

Your policies should look like: [screenshot]

Generating the JWT

The attached Postman collection can be used to generate a JWT for your instance. In-depth instructions can be found here: OAuth 2.0 Client Credentials Flow for Server-to-Server Integration.

The client id and secret can be found by viewing the Connected App you created above, under ‘Consumer Key and Secret’ → ‘Manage Consumer Details’.

The biggest thing to note here versus the legacy flow is that there’s only a single call to Salesforce to generate a token. Based on the ‘Issue JSON Web Token (JWT)-based access tokens for named users’ setting on your Connected App, the access_token returned here will be a JWT that can be used as a bearer token for Logik’s APIs.

Troubleshooting

The Salesforce Authentication call is returning a Status: 400 Bad Request.
Inspect the permissions of this OAuth App, as defined in Salesforce. Navigation: Salesforce Setup -> App Manager -> For your connected app, select "Manage" from the drop-down menu on the right -> Review OAuth Policies. A common mistake: IP Relaxation may be set to "Enforce IP restrictions". Set this to "Relax IP restrictions".

When using the JWT to authenticate a Logik.io administration API call, you get a 302 Found error with no body.

Resolution: Make sure that you insert the string "Bearer" before the JWT access_token text in the Authorization value.

Legacy Asset Token Flow

Prerequisites: The Tenant will need to exist in our database, and we will need the MyDomain value for the Organization the connected app is being installed on set as that Tenant’s issuer.

Create a Connected App with the following OAuth2 values:

The important part is to click “Enable Asset Tokens”. You will need to have a Certificate to upload.

1b. Optionally, specify the User. You can create Custom Attributes under the “Manage” page for the Connected App.

NOTE: If you want to do this, you will need to click the checkbox visible in the first step that says “Include Custom Permissions”.
(It is not checked in the screenshot.)

Get an Access Token

Make a request to Salesforce specifying your Connected App with the Username/Password flow (optionally, a more involved way would be using a full OAuth2 flow):

    # client_id and client_secret come from the Connected App
    curl https://MyDomainName.my.salesforce.com/services/oauth2/token \
      -d 'grant_type=password' \
      -d 'client_id=consumer-key' \
      -d 'client_secret=consumer-secret' \
      -d 'username=my-login@domain.com' \
      -d 'password=my-password'

Exchange Access Token for JWT

Make a request to the MyDomain like the following:

POST request to URL: https://{my-domain}.my.salesforce.com/services/oauth2/token with a form-urlencoded body (not a JSON body), example values:

    "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange"
    "subject_token_type": "urn:ietf:params:oauth:token-type:access_token"
    "subject_token": {access token from first call}

Response will be in the format of:

    {
      "access_token": "this will be a jwt!",
      "issued_token_type": "urn:ietf:params:oauth:token-type:jwt",
      "token_type": "Bearer",
      "expires_in": 60
    }

Send the JWT in the Authorization header as a “Bearer ” token to our Admin APIs.
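
For the current flow in "Generating the JWT" and the "Bearer" fix under Troubleshooting, the following added example (not Logik.io's or Salesforce's code) builds the single Client Credentials request, checks that the returned access_token really is an unexpired JWT, and produces the Authorization header. The function names are hypothetical, the token is assumed to carry a standard `exp` claim, and the sample token is constructed and unsigned.

```python
import base64
import json
import time
from urllib.parse import urlencode


def build_token_request(my_domain, client_id, client_secret):
    """Build (url, headers, body) for the single Client Credentials call."""
    url = f"https://{my_domain}.my.salesforce.com/services/oauth2/token"
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def _b64url_json(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def jwt_claims(access_token):
    """Decode the payload WITHOUT verifying the signature (sanity check only)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access_token is not a JWT; check the Connected App's "
                         "JWT-based access token setting")
    try:
        _b64url_json(parts[0])          # header must be JSON too
        return _b64url_json(parts[1])
    except ValueError as exc:           # bad base64, bad UTF-8 or bad JSON
        raise ValueError("access_token segments are not base64url JSON") from exc


def bearer_header(token_response, now=None, min_ttl=30):
    """Return the Authorization header, refusing expired or opaque tokens."""
    token = token_response["access_token"]
    exp = jwt_claims(token).get("exp", 0)   # assumption: standard 'exp' claim
    if exp - (time.time() if now is None else now) < min_ttl:
        raise ValueError("token is expired or about to expire; request a new one")
    return {"Authorization": "Bearer " + token}   # 'Bearer ' prefix is required


def constructed_jwt(exp):
    """Constructed, unsigned sample token for offline runs (not a real one)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"exp": exp}), "c2ln"])


if __name__ == "__main__":
    url, headers, body = build_token_request("MyDomainName", "consumer-key", "consumer-secret")
    print("POST", url, headers)             # body holds the secret: never log it
    sample = {"access_token": constructed_jwt(int(time.time()) + 600), "token_type": "Bearer"}
    print(bearer_header(sample)["Authorization"][:24] + "...")
```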