circle-info
Read on newly released AI assisted Insights
flxbl docsarrow-up-right
search
Learn CD Concepts using LabsslackGitHub

SFDX Auth URL

The SFDX Auth URL is the credential format that enables automated Salesforce authentication. Understanding how it works helps you configure orgs correctly and troubleshoot authentication issues.

hashtag
What is an SFDX Auth URL?

An SFDX Auth URL is a URL-formatted credential containing OAuth2 tokens that allow non-interactive authentication with Salesforce. It's the standard credential format used by Salesforce CLI and sfp for automation.

hashtag
URL Format

force://<clientId>:<clientSecret>:<refreshToken>@<instanceUrl>
Component
Description

force://

Protocol identifier

clientId

OAuth2 Connected App Client ID

clientSecret

OAuth2 Client Secret (often empty for CLI apps)

refreshToken

Long-lived token for obtaining access tokens

instanceUrl

Salesforce instance (e.g., login.salesforce.com)

hashtag
Example

force://PlatformCLI::[email protected]

  • clientId: PlatformCLI (Salesforce CLI's default Connected App)

  • clientSecret: Empty (not required)

  • refreshToken: 5Aep861_XXXXX.YYYYY

  • instanceUrl: login.salesforce.com

hashtag
How sfp-server Uses SFDX Auth URLs

sfp-server provides centralized, secure storage for SFDX Auth URLs. When you register orgs with the server, credentials are encrypted and stored in Supabase, then decrypted on-demand when needed.

hashtag
Credential Storage Architecture

hashtag
Database Schema

sfp-server stores credentials in the sfp_salesforce_auth table:

Column
Description

username

Salesforce username

instance_url

Salesforce instance URL

org_id

Salesforce Org ID

org_type

production, sandbox, or devhub

sfdx_auth_url_encrypted

Encrypted SFDX Auth URL

is_devhub

Whether org is a DevHub

is_default

Default org for its type

parent_production_username

Parent org (for JIT sandboxes)

is_jit_registration

Whether sandbox uses JIT auth

hashtag
Encryption

SFDX Auth URLs are encrypted using PGP symmetric encryption before storage:

The encryption key is configured during sfp-server setup and never leaves the server.

hashtag
Registering Orgs with sfp-server

hashtag
Production Orgs and DevHubs

Production orgs and DevHubs require an SFDX Auth URL during registration:

What happens during registration:

  1. CLI extracts the sfdxAuthUrl from local authentication

  2. Validates the connection by querying the org

  3. Sends to sfp-server which encrypts and stores it

hashtag
Sandboxes (Two Options)

hashtag
Option 1: Direct Registration (with SFDX Auth URL)

hashtag
Option 2: JIT Registration (recommended)

JIT (Just-In-Time) sandboxes don't store credentials - they generate them on-demand via the parent production org:

What's stored for JIT sandboxes:

When credentials are requested, sfp-server:

  1. Retrieves the parent production org's sfdxAuthUrl

  2. Calls Salesforce's sandbox auth API

  3. Returns fresh credentials for the sandbox

See JIT Sandbox Authentication for details.

hashtag
How Credentials are Returned

sfp-server always returns short-lived access tokens when you access environments. The full SFDX Auth URL (containing the refresh token) never leaves the server.

hashtag
Access Token Generation

When you request credentials:

  1. Server retrieves stored sfdxAuthUrl (encrypted)

  2. Uses refresh token to generate new access token

  3. Returns only the short-lived access token (~2 hours)

  4. Refresh token stays on the server

hashtag
Exception: Scratch Orgs and Pool-Fetched Sandboxes

For scratch orgs fetched from pools and certain sandbox pool scenarios, the full SFDX Auth URL is returned. This is necessary because:

  • Scratch org operations may require extended sessions

  • Pool-fetched environments need independent credential lifecycle

  • The orgs have limited lifespan anyway (scratch orgs expire)

These are the only scenarios where sfdxAuthUrl leaves the server.

hashtag
OAuth2 Behind the Scenes

hashtag
The OAuth2 Flow

When you run sf org login web:

  1. Authorization Request: CLI opens browser to Salesforce authorization endpoint

  2. User Consent: You log in and authorize the Connected App

  3. Authorization Code: Salesforce redirects back with temporary code

  4. Token Exchange: CLI exchanges code for tokens:

    • Access Token: Short-lived (~2 hours)

    • Refresh Token: Long-lived (until revoked)

  5. SFDX Auth URL Created: CLI packages tokens into the auth URL format

hashtag
Token Lifecycle

The refresh token is what makes automation possible. sfp and Salesforce CLI automatically use it to obtain new access tokens when needed.

hashtag
Troubleshooting

hashtag
"Invalid SFDX Auth URL"

  • Verify URL starts with force://

  • Check for undefined in the refresh token position

  • Ensure instance URL is valid

hashtag
"Refresh token expired"

  • Re-authenticate: sf org login web --alias myOrg

  • Check Connected App session policies

  • Re-register with sfp-server

hashtag
"Decryption failed" (sfp-server)

  • Encryption key mismatch between registration and retrieval

  • Re-register the org with current encryption key

hashtag
"Unable to generate JIT auth"

  • Verify parent production org is registered

  • Check sandbox exists and is active

  • Ensure user has access to the sandbox

hashtag
Related Topics

Last updated