
Token format change from UUID to JWT

Tobias Lohr edited this page May 4, 2023 · 7 revisions

UPDATE: May 3rd, 2023


What is this about?

In August 2022, Salesforce announced the upcoming deprecation of the UUID token format for access tokens obtained for API clients. The token format is a setting on the API client in Account Manager. The default value is already JWT, but many API clients still use UUID (mostly because UUID was the default value in the past and that setting was left untouched).

When to do the change?

Change an API client's token format from UUID to JWT as soon as possible, and by June 15, 2023 at the latest (see details about this timeline at https://help.salesforce.com/s/articleView?id=000394343&type=1).

Where to change the token format?

The token format can be changed in the API client configuration in Account Manager. Only a user who has the Account Administrator or API Administrator role and is assigned to the org in Account Manager has permission to manage and change API clients for the org.
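To confirm which format an API client actually issues after the change, you can inspect the shape of the access token it returns. The following is an added example, not part of the original page or of sfcc-ci; it assumes UUID-format tokens are RFC 4122-style strings, and the function names and sample tokens are constructed for illustration.

```javascript
// Added example: classify an access token as UUID or JWT by structure only.
// Assumption: UUID-format tokens look like RFC 4122 UUID strings.
// The JWT signature is NOT verified here, so never use this result for
// authorization decisions, and never log the token itself.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const B64URL_RE = /^[A-Za-z0-9_-]+$/;

// Decode one base64url segment into a JSON object, or return null.
function decodeSegment(seg) {
  if (!B64URL_RE.test(seg)) return null;
  try {
    const obj = JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
    return obj !== null && typeof obj === 'object' && !Array.isArray(obj) ? obj : null;
  } catch (e) {
    return null;
  }
}

// Returns { format: 'uuid' | 'jwt' | 'unknown', alg, expiresAt }.
function classifyToken(token) {
  const t = String(token || '').trim();
  if (UUID_RE.test(t)) return { format: 'uuid' };

  const parts = t.split('.');
  if (parts.length !== 3) return { format: 'unknown' };

  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  if (!header || !payload || typeof header.alg !== 'string') {
    return { format: 'unknown' };
  }
  // "exp" is the standard JWT expiry claim (seconds since the epoch).
  const expiresAt = typeof payload.exp === 'number'
    ? new Date(payload.exp * 1000).toISOString()
    : null;
  return { format: 'jwt', alg: header.alg, expiresAt };
}

// Constructed sample tokens (not real credentials).
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const SAMPLE_UUID = '3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b';
const SAMPLE_JWT = [
  b64({ alg: 'RS256', typ: 'JWT' }),
  b64({ sub: 'example-client-id', exp: 1700000000 }),
  'c2lnbmF0dXJl',
].join('.');

console.log(classifyToken(SAMPLE_UUID)); // client still configured for UUID
console.log(classifyToken(SAMPLE_JWT));  // client configured for JWT
```

A client that still returns a `uuid` result after the change was saved is worth rechecking in Account Manager before the deadline.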

Exception cases to keep in mind after the change to JWT

Authentication of an API client

You can change the token format to JWT today without any impact if you don't make Data API or WebDAV API calls to B2C Commerce instances, or if the token was obtained through the OAuth client_credentials grant only.

For the CLI tool, this means that if you authenticate using sfcc-ci client:auth <client-id> <client-secret>, or you don't use commands such as sfcc-ci code:deploy or sfcc-ci instance:upload, you can change the token format to JWT today without any impact.

Authentication of a user

When authenticating with user credentials interactively (or, more precisely, when using the OAuth grant types implicit, authorization_code or resource_owner_password_credentials), you can also switch the API client's token format from UUID to JWT today.

For the CLI tool, this means that if you authenticate using sfcc-ci auth:login <api-client> or sfcc-ci client:auth <client-id> <client-secret> <username> <user-password> and you use commands such as sfcc-ci code:deploy or sfcc-ci instance:upload, you have to keep the following exceptions in mind:

  1. The user who authenticates has to be a Business Manager Admin, and the BM_ADMIN role with the tenant (B2C Commerce instance) must be granted to the user.
  2. The tenant filter must not be "All Sandboxes" (<yourrealm>_sbx), as this filter type is currently not supported. If you work with On-Demand Sandboxes, you have to grant the concrete tenant filter of that sandbox to the user, e.g. <yourrealm>_001. This is a defect on the platform side that is already tracked and being worked on.
  3. You have to log in to Business Manager on that B2C Commerce instance once before you execute the commands. This will be optimized (so that you no longer have to log in beforehand), as it can severely hamper productivity when working with many sandboxes, e.g. when setting up multiple sandboxes to prepare and deploy code for a dev team.

What next?

See details about the timeline at https://help.salesforce.com/s/articleView?id=000394343&type=1

We will update this page once the exception cases above have been eliminated through platform changes.
