Salesforce Admin Guide - Configure JWT Bearer OAuth For OrderCentral Integrations

Updated
  • Updated on Dec 11, 2025
  • Published on Dec 10, 2025
  • 3 minute(s) read
Prev Next

This guide explains how a Salesforce administrator configures an External Client App to allow an external system to authenticate using OAuth 2.0 JWT Bearer Flow. This setup enables secure server-to-server access to the OrderCentral API, which runs natively on Salesforce.
The document also details which information must be shared with the external developer once configuration is complete.

Overview of the JWT Bearer Flow

The JWT Bearer Flow allows an external application to request an access token from Salesforce by presenting a digitally signed JWT. Salesforce validates the signature using an X.509 certificate. No user interaction is required, making this flow ideal for backend integrations.
High-level characteristics:

  • No redirect URL is used in this flow.
  • No refresh token is issued.
  • When the access token expires, the external system submits a new signed JWT.

Roles and Responsibilities

Salesforce Admin

  • Configure the External Client App in Salesforce.
  • Associate an X.509 certificate with the External Client App.
  • Approve which users or permission sets may use the app.
  • Provide required OAuth details to the external developer.

External Developer

  • Generate or securely manage the private key that signs JWTs.
  • Implement JWT creation and token retrieval logic.
  • Use the received access token to call the OrderCentral API.

Step 1 – Determine Who Generates the Certificate

The JWT Bearer flow uses an X.509 certificate and associated private key. There are two approaches:

Option A: Developer Generates the Keypair (Recommended)

  • The developer generates a private key and public certificate.
  • The developer sends only the certificate to the admin.
  • The private key remains solely in the developer’s secure environment.

Option B: Salesforce Generates the Certificate

  • Admin generates a certificate under Setup → Certificate and Key Management.
  • Admin must then securely share the private key with the developer.
    Recommendation: Choose Option A to avoid transferring private keys.

Step 2 – Upload the Certificate to Salesforce

If the developer provides the certificate:

  1. Go to Setup → Certificate and Key Management.
  2. Click Upload Certificate.
  3. Upload the .crt or .pem public certificate.
    If the admin generates the certificate in Salesforce:
  4. Click Create Self-Signed Certificate.
  5. Name and save it.
  6. Download the public certificate if needed.

Step 3 – Create the External Client App

  1. Navigate to Setup → External Client Apps.
  2. Click New External Client App.
  3. Enter the following:
    • Name: for example OrderCentral JWT Integration.
    • Description: optional but recommended.
  4. Under Authentication Method, select JWT Bearer.
  5. Upload the X.509 certificate created or provided in Step 2.
  6. Define which OAuth scopes this client may request, at minimum:
    • api
    • refresh_token offline_access (even though refresh tokens are not issued in the JWT flow)
  7. Save the External Client App.
    Once saved, the app will display:
  • Client ID
  • Applicable metadata and certificate information
    This Client ID is required by the developer.

Step 4 – Approve Users for the External Client App

The JWT flow requires that the impersonated user is explicitly approved.

  1. Open the newly created External Client App.
  2. Click Manage Access.
  3. Select either:
    • Specific Profiles, or
    • A Permission Set you assign to the integration user.
      Make sure the integration user has:
  • API access
  • Access to the OrderCentral-related Apex REST endpoints
  • Access to any required objects and fields

Step 5 – Provide the Correct OAuth Domain

Salesforce uses different authentication domains depending on the environment:

Production / Developer Edition

  • https://login.salesforce.com
  • Or your My Domain, for example https://mydomain.my.salesforce.com

Sandbox

  • https://test.salesforce.com
  • Or https://mydomain--sandbox.my.salesforce.com
    Choose the domain that matches the environment used by the OrderCentral instance.

Step 6 – Information to Provide to the Developer

Share the following items once the External Client App is configured:

  1. Client ID of the External Client App
  2. Salesforce OAuth Domain (login host)
  3. Salesforce Username the integration should impersonate
  4. List of enabled OAuth scopes
  5. (Optional) Public certificate if the developer needs it for verification
    Do not share the private key, unless the certificate was generated by Salesforce and you both have a secure key exchange process.

Summary

The Salesforce admin must:

  • Upload or create a certificate
  • Create an External Client App configured for JWT Bearer flow
  • Approve which users may authenticate
  • Share the Client ID, login domain and user details with the developer
    Once complete, the developer can implement JWT-based authentication as described in the separate Developer Guide.