Connected App Management
The Connected App is a critical component of aprity's security model. It enables the JWT Bearer authentication flow that allows aprity to securely access your Salesforce org's metadata without storing user credentials.
This guide covers ongoing management tasks for the Connected App after initial setup. For the step-by-step creation process, see Configuring JWT Bearer Authentication.
Connected App Components
The aprity Connected App consists of three key elements:
| Component | Purpose | Location |
|---|---|---|
| Digital certificate | Public key used to verify JWT tokens signed by aprity | Connected App > OAuth Settings |
| Consumer Key | Unique identifier for the Connected App | Connected App > API details |
| OAuth scopes | Permissions granted to aprity | Connected App > OAuth Settings |
Required OAuth Scopes
aprity requires exactly two OAuth scopes:
- Manage user data via APIs (api) -- Allows aprity to read metadata through the Salesforce API.
- Perform requests at any time (refresh_token, offline_access) -- Allows authentication without user interaction.
:::info Minimal access
aprity only reads metadata. It does not create, update, or delete records in your org. The api scope is the minimum required for metadata access.
:::
Locating the Consumer Key
If you need to retrieve the Consumer Key after initial setup:
- Go to Setup > App Manager.
- Find the aprity Connected App in the list.
- Click the dropdown arrow and select View.
- Click Manage Consumer Details in the API section.
- Complete the identity verification if prompted.
- The Consumer Key is displayed on the resulting page.
Do not share the Consumer Secret. The JWT Bearer flow does not use the Consumer Secret, and exposing it introduces unnecessary risk.
Managing Pre-Authorization
Depending on your org's security policies, you may need to pre-authorize the Connected App for specific users or profiles.
Check current policy
- Go to Setup > Connected Apps > Manage Connected Apps.
- Click on the aprity Connected App.
- Review the Permitted Users setting under OAuth Policies.
Pre-authorization options
| Setting | Behavior |
|---|---|
| All users may self-authorize | Any user with the correct permission set can use the Connected App. Salesforce prompts for consent on first use. |
| Admin approved users are pre-authorized | Only users in explicitly assigned Profiles or Permission Sets can use the Connected App. No consent prompt. |
For most organizations, the Admin approved users are pre-authorized setting is recommended. Add the Aprity_Admin permission set to the allowed list to restrict access to authorized administrators.
Certificate Management
The digital certificate uploaded to the Connected App has an expiration date. When the certificate expires, aprity can no longer authenticate to your org.
Checking certificate expiration
The certificate expiration date is not directly visible in the Connected App UI. To check:
- Open the .crt file you originally downloaded from aprity.
- Use a certificate viewer, or run the following command (on macOS/Linux):

```
openssl x509 -in aprity.crt -noout -enddate
```
- Alternatively, check the aprity Settings tab, which displays the certificate validity period.
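As an added example (not part of the aprity documentation or its tooling), the script below parses the `notAfter` line printed by the openssl command above and reports whether the Connected App certificate is expired, due for rotation, or fine; the 30-day rotation threshold is an assumed value, not one stated by aprity.

```python
"""Check how long the aprity Connected App certificate remains valid.

Added example, not aprity's own code. It parses the single line produced by
`openssl x509 -in aprity.crt -noout -enddate`, e.g.
`notAfter=Jan  5 03:14:07 2027 GMT`, and classifies the certificate so a
scheduled job can alert before rotation becomes urgent.
"""
from datetime import datetime, timezone

# Days before expiry at which rotation should start. Assumed threshold,
# not a value from the aprity documentation.
ROTATE_WITHIN_DAYS = 30


def parse_enddate(line: str) -> datetime:
    """Parse the `notAfter=...` line emitted by openssl into a UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"unexpected openssl output: {line!r}")
    # openssl pads single-digit days with two spaces; strptime tolerates that.
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_until_expiry(line: str, now_iso: str) -> int:
    """Whole days left before the certificate expires (negative once expired).

    `now_iso` is an ISO 8601 timestamp with a UTC offset, e.g. "2026-12-01T00:00:00+00:00".
    """
    now = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    return (parse_enddate(line) - now).days


def rotation_status(line: str, now_iso: str) -> str:
    """Return 'expired', 'rotate-soon' or 'ok' for the certificate."""
    days = days_until_expiry(line, now_iso)
    if days < 0:
        return "expired"      # aprity can no longer authenticate; rotate immediately
    if days <= ROTATE_WITHIN_DAYS:
        return "rotate-soon"  # follow the Certificate Rotation Guide now
    return "ok"


if __name__ == "__main__":
    import subprocess, sys
    cert_path = sys.argv[1] if len(sys.argv) > 1 else "aprity.crt"
    output = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-enddate"],
                            capture_output=True, text=True, check=True).stdout
    now_iso = datetime.now(timezone.utc).isoformat()
    print(f"{rotation_status(output, now_iso)}: {days_until_expiry(output, now_iso)} days remaining")
```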
Rotating the certificate
When a certificate is approaching expiration, follow the Certificate Rotation Guide for step-by-step instructions on downloading a new certificate and uploading it to the Connected App.
Modifying the Connected App
Adding or removing OAuth scopes
If you accidentally removed a required scope or need to verify the configuration:
- Go to Setup > App Manager.
- Find aprity and click Edit.
- In the API section, verify both required scopes are selected.
- Click Save.
After modifying OAuth settings, Salesforce may take 2 to 10 minutes to propagate changes. Test the connection from the aprity Settings tab after waiting.
Revoking access
To temporarily disable aprity's access to your org:
- Go to Setup > Connected Apps > Manage Connected Apps.
- Click on the aprity Connected App.
- Click Block to prevent all authentication through this Connected App.
To re-enable, return to the same page and click Unblock.
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| "invalid_grant" error | Certificate mismatch or expired certificate | Re-download and re-upload the certificate. See Certificate Rotation. |
| "user hasn't approved this consumer" | Connected App not pre-authorized for the user | Add the user's profile or permission set to the pre-authorized list. |
| Connection test fails after 2+ minutes | OAuth scopes missing | Verify both api and refresh_token, offline_access scopes are selected. |
For additional troubleshooting, see JWT Verification Fails.