How to authenticate SaleForce OAuth 2.0 JWT in PHP


My name is Ume, I'm in charge of development. In this article, I'll show you how to use the PHPOAuth 2.0 JWT authentication method for SaleForce (verified in SandBox environment)We are pleased to introduce the
Salesforce is the world's No. 1 sales support and CRM tool, with a wide range of features including customer management, deal management, prospect management, sales forecasting, reports and dashboards, etc. If you want to synchronize Salesforce information with your own system, what should you do?


Salesforce provides REST API and SOAP API for data exchange between servers, and this article explains how to use OAuth 2.0 JWT authentication to use those Web Service APIs.

Click here for table of contents

  • 1. create a private key and a self-signed digital certificate with OpenSSL
  • 2. create a Salesforce connection application
  • 3. create a JWT in PHP
  • 4. get an access token with PHP
  • 5. get information from SaleForce with PHP

 Create a private key and a self-signed digital certificate with OpenSSL

This certificate is for OAuth 2.0 authentication to verify that the JWT you passed to Salesforce is valid. Basically, you can use the Salesforce developer guideCreating a private key and a self-signed digital certificateYou can create it without any problem by referring to

Step 1: Generate a private key and save it in a file named server.key.

openssl genrsa -des3 -passout pass:any password -out server.pass.key 2048
openssl rsa -passin pass:any password -in server.pass.key -out server.key

Workflow 2. use the server.key file to generate a certificate signing request. save the certificate signing request in a file named server.csr.

openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [XX]:JP <- A two letter code indicating the country where the company is located. In the case of Japan, the value is JP.
State or Province Name (full name) []:Tokyo <- Prefecture
Locality Name (eg, city) [Default City]:Taito <- city, town or village
Organization Name (eg, company) [Default Company Ltd]:tatsuno joho system <- Company name (optional)
Organizational Unit Name (eg, section) []: <- Department name (optional)
Common Name (eg, your name or your server's hostname) [] <- Common name (optional)
Email Address [] <- Email address (optional)
A challenge password []: <- Not required
An optional company name []: <- Not required

Workflow 3. generate a self-signed digital certificate from the server.key and server.csr files. save the certificate in a file called server.crt.

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

Directly under the path where the command was executed, four files are generated as follows, but what you will need is "server.key" and "server.crt".


    The content of the primary key (for signing) "server.key" is like this.

    ... Abbr...
    -----END RSA PRIVATE KEY-----

    The content of the self-signed digital certificate (for verification) "server.crt" looks like this.

    ... Abbr...
    -----END CERTIFICATE-----

     Create a Salesforce Connection Application

    Step 1: After logging in to Salesforce, open the "Settings" screen from the menu in the upper right corner.


    Step 2: Open "Application Manager" from the menu on the left side of the configuration screen, and click "New Connected Application".


    Set up the connection application. (Don't forget to "Save" after completing the settings.

    • Connection application name (optional content)
    • API reference name (include a clear description)
    • Business partner manager Email
    • Enable OAuth settings (must be checked)
    • Callback URL (not used, but it's a required field, so enter something appropriate)
    • Use digital signature (must be checked)
    • Self-signed digital certificate ("server.crt" created in the first step should be chosen)
    • The selected OAuth range
      If you use "full access (full)", you cannot get the access talk.

      • Provides access to data via the web (web)
      • Data access and management (api)
      • Perform requests on behalf of the user at any time (refresh_token, offline_access)

    All other settings can be left as default.


    Click the "manage" button to open the administration screen. (For some reason, it is written in English here.


    Click the "Edit Policy" button to open the Edit Policy screen.


    Set the "OAuth Policy" as shown below. You can leave the other settings as default. Don't forget to click the "Save" button when you are done.

    Once the "OAuth Policy" is set to "Users approved by the administrator are pre-approved", the "Profile" can be set in the application management screen.


    Workflow 7. Assign a profile to the application by clicking the "Manage Profile" button in the "Profile" settings area of the application's administration screen.


    We want to retrieve and update data from Saleforce via REST API, so we assigned "System Admin" with full privileges here.

    If necessary, assign appropriate profiles.


    After saving your profile settings, you will be automatically returned to the application management screen where you can check the results of your settings.


     Creating a JWT with PHP

    The creation method published in the SaleForce developer's guide isthis way (direction close to the speaker or towards the speaker)is.

    I don`t know if the document is outdated or if it was a translation error, but there were a lot of mistakes and it was not helpful.

    The JWT (JSON Web Token) structure can be roughly divided into three parts, each separated by a ". separating them.

    • Header
    • Payload
    • Signature (Sinature)

    The entire JWT (JSON Web Token) string looks like this

    {header>} {Payload}. {signature}

    You can create an OAuth 2.0 JWT for SaleForce in PHP as follows

    Here I got stuck on the path of the file to pass to the openssl_pkey_get_private function.

    The file path must be written as "file://relative path or absolute path".

    function base64UrlEncode($data)
        return str_replace('=', '', strtr(base64_encode($data), '+/', '-_'));
    $header = base64UrlEncode(json_encode([.
        'alg' => 'RS256',
     * About aud.
     * Production:
     * Sandbox:
     * Scratch Organization:
    $payload = base64UrlEncode(json_encode([.
        //iss If you get it wrong, you'll get the error message 'The connection application does not exist.
        'iss' => 'The consumer key of the SaleForce connection application created in the previous step',
        'aud' => '',
        //sub If wrong, error message 'Invalid user' will be returned.
        'sub' => 'SaleForce user's login ID',
        //The expiry time here is quite random, if exp is wrong you'll get the error message 'Talk expired'.
        'exp' => time() + 3 * 60,
     * About signatures.
     * Use the "server.key" created in the previous step to write the JWT header and payload.
    $signature = null;
    $privateKey = openssl_pkey_get_private('file://server.key');
    openssl_sign($header . '.' . $payload, $signature, $privateKey, OPENSSL_ALGO_SHA256);
    $signature = base64UrlEncode($signature);
    $jwt = $header . '.' . $payload . '.' . $signature ;

     Obtaining an access token in PHP (using cUrl)

    You can access SaleForce side with PHP and issue an access talk as follows.

    $post = [
        'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
        'assertion' => $jwt, //the JWT string created in the previous step
     * About the API to get the access token.
     * Production:
     * Sandbox:
     * Scratch Organization:
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, '');
    curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 7);
    curl_setopt($ch, CURLOPT_TIMEOUT, 7);
    $response = curl_exec($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if($httpcode == 200) {
        $json = json_decode($response, true);
        if(isset($json['access_token'])) {
            $access_token = $json['access_token'];
            //do something.
    } else {

    As a result of the query, the following json data is returned.

        "access_token" => "***********************************",
        "scope" => "web id api",
        "instance_url" => "https://SaleForce環境名",
        "id" => "*****/*****",
        "token_type" => "Bearer"

     Get information from SaleForce with PHP

    One of the ways to query data published in the SaleForce developer's guide: theREST API/Query

    Data query method in PHP (using cUrl)

    $query = "SELECT field name FROM table name";
    $query = http_build_query(['q' => $query]);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Content-Type: application/json',
        'Authorization: Bearer ' . $access_token, //access token obtained in the previous step (string)
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'GET');
    curl_setopt($ch, CURLOPT_URL, 'https://SaleForce環境名' . $query);
    curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 7);
    curl_setopt($ch, CURLOPT_TIMEOUT, 7);
    //Contact us
    $response = curl_exec($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $json = json_decode($response, true);


    In this article, we have shown you the steps to get data from SaleForce.
    learningBOX can also be integrated with SaleForce, please try it.