ERROR running force:auth:web:login: Invalid login URL
The Salesforce CLI couldn't authenticate against the URL you gave it. Either the URL is wrong (typo, missing https, hitting a non-Salesforce host), the org has My Domain enforced and you're trying to use the generic login URL, or your Connected App config is rejecting the device-code/browser flow.
Also seen as: Invalid login URL · ERROR running force:auth:web:login · INVALID_LOGIN_URL · sf cli authentication failed
The CLI's auth flow is straightforward when it works and frustrating when it doesn't, because the same error message covers several distinct causes.
What URL the CLI expects
| Target | URL |
|---|---|
| Production | https://login.salesforce.com |
| Sandbox | https://test.salesforce.com |
| My Domain (production) | https://yourdomain.my.salesforce.com |
| My Domain (sandbox) | https://yourdomain--sandboxname.sandbox.my.salesforce.com |
The CLI defaults to login.salesforce.com. To target a sandbox you must override:
sf org login web --instance-url https://test.salesforce.com --alias mySandbox
Or for a My Domain'd sandbox:
sf org login web \
--instance-url https://yourdomain--sandboxname.sandbox.my.salesforce.com \
--alias mySandbox
Common causes of the auth error
1. The instance URL is wrong
If you copy/pasted from a browser, you may have grabbed https://yourdomain.lightning.force.com. The CLI doesn't authenticate against lightning.force.com; it wants my.salesforce.com. The mapping:
yourdomain.lightning.force.com → yourdomain.my.salesforce.com
Replace lightning.force.com with my.salesforce.com and try again.
2. The org has Enhanced Domains and the URL changed
Salesforce migrated all orgs to "Enhanced Domains" through 2023. After enhancement, a sandbox URL like mycompany--dev.cs1.my.salesforce.com becomes mycompany--dev.sandbox.my.salesforce.com. If your CI scripts reference the old form, they break post-enhancement. Update to the new form and re-authenticate.
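A pre-flight check for the `--instance-url` value, covering the URL table and causes 1 and 2 above. This is an added example, not part of the Salesforce CLI or the original page: the function name `check_instance_url` and the `SF_INSTANCE_URL` variable are hypothetical, and the allow-list is limited to the hosts this page names.

```shell
# Added example: validate/normalize an --instance-url value before calling sf.
# Allow-list = the URL table on this page. Prints the usable URL on stdout;
# returns 1 and explains on stderr when the value must not be used.
check_instance_url() {
    ciu_url=$1
    case $ciu_url in
        https://*) ;;
        *) echo "rejected: must start with https://" >&2; return 1 ;;
    esac
    # Keep only the host: drop the scheme, then everything from the first "/".
    ciu_host=${ciu_url#https://}
    ciu_host=${ciu_host%%/*}
    ciu_host=$(printf '%s' "$ciu_host" | tr 'A-Z' 'a-z')
    # Anything outside hostname characters (":", "@", "?", spaces) is refused,
    # so "https://login.salesforce.com@other.host" never reaches the CLI.
    case $ciu_host in
        ""|*[!a-z0-9.-]*)
            echo "rejected: not a bare hostname: $ciu_host" >&2; return 1 ;;
    esac
    case $ciu_host in
        ?*.lightning.force.com)
            # Browser URL pasted: lightning.force.com -> my.salesforce.com
            ciu_host=${ciu_host%.lightning.force.com}.my.salesforce.com ;;
        ?*--?*.cs[0-9]*.my.salesforce.com)
            # Pre-Enhanced-Domains sandbox form, e.g. --dev.cs1 -> --dev.sandbox
            # (assumption: the old instance label starts with "cs" and a digit)
            ciu_host=${ciu_host%.my.salesforce.com}
            ciu_host=${ciu_host%.cs[0-9]*}.sandbox.my.salesforce.com ;;
    esac
    # Suffix match is anchored at the end of the host, so a look-alike such as
    # yourdomain.my.salesforce.com.example.invalid is rejected.
    case $ciu_host in
        login.salesforce.com|test.salesforce.com|?*.my.salesforce.com)
            printf 'https://%s\n' "$ciu_host" ;;
        *) echo "rejected: not a Salesforce login host: $ciu_host" >&2; return 1 ;;
    esac
}

# Usage before any "sf org login" call (SF_INSTANCE_URL is a hypothetical variable):
#   url=$(check_instance_url "$SF_INSTANCE_URL") || exit 1
#   sf org login web --instance-url "$url" --alias mySandbox
```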
3. The browser flow can't reach localhost
The web flow opens a browser, signs you in at Salesforce, and redirects to http://localhost:1717/.... If your laptop is locked down and can't bind that port, or you're running the CLI in a remote container, the flow hangs. Use the device flow instead:
sf org login device --instance-url https://login.salesforce.com
It prints a code; you visit a URL on any device, type the code, approve the connected app. No localhost binding required.
4. Connected App "API Enabled" is unchecked
The CLI uses a built-in connected app called "Salesforce CLI." If your admin disabled it (you'd see this in Setup → Apps → Connected Apps OAuth Usage), CLI auth fails. Either re-enable it, or use a custom connected app you control:
sf org login jwt \
--client-id YOUR_CONNECTED_APP_CONSUMER_KEY \
--jwt-key-file server.key \
--username integration@example.com \
--instance-url https://yourdomain.my.salesforce.com
JWT is the right choice for headless CI. Generate a key pair, upload the public cert to your Connected App's Digital Signatures, and your CI authenticates without ever touching a password.
When you need to start over
A bad cached auth state can be sticky. Nuke and retry:
sf org logout --target-org alias --no-prompt
sf org login web --instance-url URL --alias alias
Or remove the alias from ~/.sf directly if logout itself fails.
