How-to guide

Set up a key pair for JWT OAuth

Setting up a key pair for a Salesforce integration is a coordinated effort across the integration side and the Salesforce configuration. The steps below cover the standard JWT OAuth flow setup.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated May 19, 2026


  1. Generate the key pair

    On the integration side, generate an RSA 2048-bit (or stronger) key pair. OpenSSL command (it prompts for the certificate subject fields): openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out public.crt

  2. Secure the private key

    Store the private key in a secure vault on the integration side. Restrict file permissions, and rotate the wrapping passphrase if one is used.

  3. Create a Connected App

    Setup > App Manager > New Connected App. Enable OAuth, check Use Digital Signatures and upload the public certificate (public.crt). Configure the scopes the integration needs (api, refresh_token, etc.).

  4. Approve the Connected App

    Edit Policies > Permitted Users > Admin approved users are pre-authorized. Assign the profiles or permission sets that should be able to use this Connected App.

  5. Build the JWT in the integration

    Construct a JWT with iss (the Connected App consumer key), sub (the Salesforce username of the integration user), aud (the login URL) and exp (the expiration time). Sign it with the private key and submit it to the token endpoint.

  6. Verify the flow works

    Test the full flow end-to-end. Confirm that Salesforce returns an access token and that the integration can use it for subsequent API calls.

  7. Plan rotation cadence

    Set a calendar reminder for key pair rotation. Annual is common; align it with certificate expiration. Coordinate the rollover with the integration team to avoid downtime.
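Steps 5 and 6 in code: an added Go example (not code from Salesforce Dictionary or from Salesforce) that builds and RS256-signs the assertion, then checks it the way Salesforce does against the certificate uploaded in step 3. The consumer key, username and login URL are placeholders, and the key pair is generated in-process only for the demo; a real integration loads the private key from the vault of step 2.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)
var enc = base64.RawURLEncoding // JWT segments are base64url without padding

// buildJWT assembles and RS256-signs the assertion for the Salesforce JWT bearer flow:
// iss = Connected App consumer key, sub = Salesforce username, aud = login URL, exp = short expiry.
func buildJWT(key *rsa.PrivateKey, iss, sub, aud string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": iss, "sub": sub, "aud": aud, "exp": now.Add(3 * time.Minute).Unix(),
	})
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// verifyJWT mirrors the check Salesforce makes against the certificate uploaded to the Connected App:
// a token signed with a rotated private key fails here until the matching public key has been uploaded.
func verifyJWT(pub *rsa.PublicKey, token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT: expected 3 segments, got %d", len(parts))
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // demo only; a real integration loads it from the vault
	tok, _ := buildJWT(key, "CONSUMER_KEY_PLACEHOLDER", "integration.user@example.com", "https://login.salesforce.com", time.Now())
	fmt.Println("verifies under own public key:", verifyJWT(&key.PublicKey, tok) == nil)
}
```

The token is sent to the login URL's /services/oauth2/token endpoint as the assertion form parameter with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer; a 3-minute exp is used because Salesforce only accepts short-lived assertions.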

Key options

RSA 2048-bit

Standard key size. Sufficient for most enterprise use cases.

RSA 4096-bit

Stronger key. Slower but more resistant to future cryptanalysis.

ECDSA

Elliptic curve. Smaller key size for equivalent security.

Self-signed certificate

Acceptable for cooperating internal integrations. Public-facing scenarios need CA signing.

CA-signed certificate

Signed by a Certificate Authority. Standard for public-facing scenarios.

Gotchas
  • Private key leakage is catastrophic. Treat private key storage with the same rigor as production passwords: use vaults and restrict permissions.
  • Smaller key sizes (1024-bit RSA) and deprecated algorithms are rejected by modern security policies. Use 2048-bit RSA or stronger.
  • Rotation requires coordination across both sides. The new public certificate must be uploaded to the Connected App before the new private key is used for signing; otherwise signature verification fails.
  • Certificate expiration is the silent killer of integrations. The integration works until the day the certificate expires, so set up monitoring that alerts well before expiration.
  • Self-signed certificates do not provide third-party trust. They are acceptable for cooperating internal scenarios, not for public-facing ones.
