JWT Verification Fails
aprity uses JWT Bearer authentication to securely connect to your Salesforce org. If JWT verification fails, the scan cannot retrieve metadata. This guide walks through the most common causes and how to fix each one.
Step-by-step diagnosis
1. Certificate mismatch
The certificate uploaded to the Salesforce Connected App does not match the private key aprity is using to sign the JWT.
How to verify:
- In Salesforce, go to Setup > App Manager > aprity Connected App > Edit.
- Under Use digital signatures, confirm the uploaded certificate file.
- The certificate must be the exact .crt file that corresponds to the private key stored in your aprity configuration.
Solution:
- Re-upload the correct certificate to the Connected App.
- If you have regenerated certificates, update both sides: the certificate in Salesforce and the private key in aprity.
2. Consumer Key mismatch
The Consumer Key configured in aprity does not match the one assigned to your Connected App.
How to verify:
- In Salesforce, go to Setup > App Manager > aprity Connected App > View.
- Copy the Consumer Key value.
- In aprity, verify this matches the value stored during registration.
Solution:
- Update the Consumer Key in your aprity JWT configuration to match the Salesforce Connected App.
3. Connected App not enabled for OAuth
The Connected App exists but OAuth settings are not properly configured.
How to verify:
- In Salesforce, go to Setup > App Manager > aprity Connected App > Edit.
- Under OAuth Settings, confirm that Enable OAuth Settings is checked.
- Confirm that the required OAuth scopes are selected (at minimum: api, refresh_token).
Solution:
- Enable OAuth settings and add the required scopes.
- Save the Connected App and wait 2-10 minutes for changes to propagate.
Salesforce can take up to 10 minutes to propagate Connected App changes. If you just made a change, wait and retry before further troubleshooting.
4. Digital signatures not enabled
The Connected App is not configured to accept JWT Bearer token authentication.
How to verify:
- In the Connected App settings, confirm that Use digital signatures is checked.
Solution:
- Check the Use digital signatures checkbox and upload the certificate.
5. User not pre-authorized
The Salesforce user account aprity connects as has not been pre-authorized for the Connected App.
How to verify:
- In Salesforce, go to Setup > Connected Apps > Manage Connected Apps > aprity.
- Under Permitted Users, confirm it is set to Admin approved users are pre-authorized.
- Under Profiles or Permission Sets, confirm the integration user's profile or permission set is listed.
Solution:
- Add the integration user's profile to the Connected App's authorized profiles.
- Alternatively, assign the appropriate permission set to the integration user and add that permission set to the Connected App.
6. Username or login URL incorrect
The JWT assertion specifies the wrong username or targets the wrong Salesforce instance.
How to verify:
- Confirm the username in aprity matches the full Salesforce username (e.g., admin@company.com or admin@company.com.sandbox).
- For sandboxes, ensure the login URL is https://test.salesforce.com (not https://login.salesforce.com).
Solution:
- Update the username and login URL in your aprity JWT configuration.
Sandbox usernames include the sandbox name as a suffix (e.g., user@company.com.mysandbox). Using the production username for a sandbox will fail.
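Causes 2 and 6 both come down to claims inside the JWT assertion: iss must equal the Consumer Key, sub the full Salesforce username, and aud the login URL for the org type. The following Python is an added example, not aprity's own code, that decodes an assertion's claims (without verifying its signature) and reports which of those claims disagree with your configuration; the Consumer Key, username and the 5-minute expiry limit are constructed assumptions for illustration.

```python
import base64
import json
import time
# Constructed values for this example; real ones come from your Connected App
# and your aprity JWT configuration.
EXAMPLE_CONSUMER_KEY = "3MVG9EXAMPLE.CONSUMER.KEY"
EXAMPLE_USERNAME = "admin@company.com.mysandbox"
PROD_AUD = "https://login.salesforce.com"
SANDBOX_AUD = "https://test.salesforce.com"
MAX_EXP_SECONDS = 300  # assumption: flag assertions that stay valid longer than 5 minutes

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def build_unsigned_assertion(claims):
    """Constructed helper: builds header.payload with a placeholder signature so the
    claim checks below can be exercised offline. A real assertion is RS256-signed."""
    return f"{_b64url_encode({'alg': 'RS256'})}.{_b64url_encode(claims)}.placeholder"

def decode_claims(assertion):
    """Return the payload claims without verifying the signature."""
    header, payload, _signature = assertion.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "RS256":
        raise ValueError("Salesforce JWT Bearer flow requires alg RS256")
    return json.loads(_b64url_decode(payload))

def check_assertion(assertion, consumer_key, username, is_sandbox, now=None):
    """Compare the assertion's claims with the expected values; return a list of problems."""
    now = time.time() if now is None else now
    claims = decode_claims(assertion)
    problems = []
    if claims.get("iss") != consumer_key:
        problems.append("iss does not match the Connected App Consumer Key (cause 2)")
    if claims.get("sub") != username:
        problems.append("sub does not match the full Salesforce username (cause 6)")
    expected_aud = SANDBOX_AUD if is_sandbox else PROD_AUD
    if claims.get("aud") != expected_aud:
        problems.append(f"aud should be {expected_aud} for this org type (cause 6)")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp claim is missing")
    elif exp <= now:
        problems.append("assertion has already expired; check the signing host's clock")
    elif exp - now > MAX_EXP_SECONDS:
        problems.append("exp is too far in the future; keep the assertion short-lived")
    return problems
```

An empty list means the claims agree with your configuration, so a remaining failure points at the certificate, the Connected App settings, or user pre-authorization (causes 1, 3, 4 and 5).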
Verifying the fix
After applying changes:
- Wait 2-10 minutes for Salesforce to propagate Connected App updates.
- In the aprity app, navigate to Settings > Connection and click Test Connection.
- If the test succeeds, run a scan to confirm full metadata access.
Still not working?
Collect the following and send to support@aprity.ai:
- The exact error message from the aprity app or scan log.
- Your Salesforce Org ID (Setup > Company Information).
- Whether you are connecting to a production org or sandbox.
- The Connected App name and Consumer Key (not the Consumer Secret).