Configuring JWT Bearer Authentication

aprity uses the JWT Bearer authentication flow to securely connect to your Salesforce org. This is an industry-standard OAuth flow that uses a digital certificate instead of user credentials, meaning no passwords are stored or transmitted.

This guide walks you through the 7 steps to establish the connection.

Overview

The JWT Bearer flow works as follows:

  1. aprity holds a private key on its cloud platform.
  2. Your Salesforce org holds the corresponding public certificate via a Connected App.
  3. When aprity needs to read metadata, it signs a JWT token with the private key and exchanges it for an access token from Salesforce.

This approach is more secure than storing usernames and passwords, and it does not require user interaction to authenticate.

Step 1: Download the certificate from aprity

  1. Open the aprity app in Salesforce.
  2. Navigate to the Settings tab.
  3. In the JWT Configuration section, click Download Certificate.
  4. Save the .crt file to your computer. You will upload this to Salesforce in Step 3.

Download certificate button in aprity settings

:::warning Keep the certificate safe

This certificate is unique to your aprity account. Do not share it publicly. If you need to regenerate it, contact aprity support.

:::

Step 2: Create a Connected App in Salesforce

  1. Go to Setup > App Manager.
  2. Click New Connected App.
  3. Fill in the basic information:
    • Connected App Name: aprity
    • API Name: aprity
    • Contact Email: your admin email address

Connected App basic information

Step 3: Upload the certificate to the Connected App

  1. In the Connected App form, scroll to the API (Enable OAuth Settings) section.
  2. Check Enable OAuth Settings.
  3. Set the Callback URL to https://login.salesforce.com/services/oauth2/callback (this URL is not used by the JWT flow, but the field is required).
  4. Check Use digital signatures.
  5. Click Choose File and upload the .crt certificate you downloaded in Step 1.

Certificate upload in Connected App

Step 4: Configure OAuth scopes

In the same OAuth Settings section, add the following scopes:

  • Manage user data via APIs (api)
  • Perform requests at any time (refresh_token, offline_access)

These scopes allow aprity to read metadata from your org.

OAuth scopes selection

:::info Minimal permissions

aprity only requires read access to your metadata. It does not modify data, create records, or change configuration in your org.

:::

Click Save to create the Connected App. Salesforce may take 2 to 10 minutes to propagate the new Connected App settings.

Step 5: Copy the Consumer Key

  1. After saving, go to Setup > App Manager.
  2. Find the aprity Connected App in the list.
  3. Click the dropdown arrow on the right and select View.
  4. In the API (Enable OAuth Settings) section, click Manage Consumer Details.
  5. Salesforce may ask you to verify your identity (email verification code).
  6. Copy the Consumer Key (also called Client ID). You will need it in the next step.

Consumer Key location

:::warning Do not copy the Consumer Secret

aprity only needs the Consumer Key. The Consumer Secret is not used in the JWT Bearer flow and should not be shared.

:::

Step 6: Paste the Consumer Key in aprity

  1. Return to the aprity app in Salesforce.
  2. Go to the Settings tab.
  3. In the JWT Configuration section, paste the Consumer Key into the Consumer Key field.
  4. Click Save.

Paste Consumer Key in aprity

Step 7: Verify the connection

  1. Still on the Settings tab, click Test Connection.
  2. aprity will attempt to authenticate to your org using the JWT Bearer flow.
  3. If successful, you will see a green confirmation message: "Connection verified."

Successful connection test

:::danger Connection test failed?

If the test fails, check the following:

  • The Connected App has been saved for at least 2 minutes (propagation delay).
  • The certificate uploaded in Step 3 matches the one downloaded from aprity in Step 1.
  • The OAuth scopes include api and refresh_token, offline_access.
  • The admin user running the test has the Aprity_Admin permission set.

:::

Pre-authorize the Connected App (if needed)

Some Salesforce orgs require explicit pre-authorization for Connected Apps. If the connection test fails with an authorization error:

  1. Go to Setup > Connected Apps > Manage Connected Apps.
  2. Find aprity and click on it.
  3. Under OAuth Policies, set Permitted Users to Admin approved users are pre-authorized.
  4. Click Save.
  5. Under Profiles or Permission Sets, add the profiles or permission sets that should be allowed to use this Connected App.

Summary

You have now completed the security configuration. Here is what you set up:

| Component | Location | Purpose |
| --- | --- | --- |
| Certificate | Downloaded from aprity, uploaded to the Connected App | Authenticates JWT tokens |
| Connected App | Salesforce Setup | Authorizes aprity to access your org's API |
| Consumer Key | Copied from the Connected App, saved in aprity | Identifies the Connected App during authentication |

Next step

With the connection established, you are ready to generate documentation. Proceed to Running Your First Scan.