Generating Salesforce JWT for Zoom IQ for Sales

Last Updated:

When integrating your Salesforce with Zoom to sync deal progress with Zoom IQ, you will be asked for the JWT from your Salesforce account.

This article contains:

Prerequisites for generating Salesforce JWT for Zoom IQ Sales

  • Assigned Zoom IQ add-on license

  • Salesforce account with admin access

How to create a private key and self-signed digital certificate

The following process produces two files:

  • server.key—The private key. You specify this file when you authorize an org with the auth:jwt:grant command.
  • server.crt—The digital certification. You upload this file when you create the connected app required by the JWT bearer flow.
    1. Open Command Prompt as administrator.
    2. Enter the following command to create a directory.
      mkdir /Users/jdoe/Documents/JWT
      

      Note: You can select where you wish to save the JWT directory.

    3. Enter the following command to access the created directory.

      cd /Users/jdoe/Documents/JWT
      
    4. Enter the following command to generate a private key.
      openssl genrsa -des3 -passout pass:SomePassword -out server.pass.key 2048
    5. Enter the following command to store the private key in a file called server.key.
      openssl rsa -passin pass:SomePassword -in server.pass.key -out server.key
    6. Enter the following command to generate a certificate signing request using the server.key file. Store the certificate signing request in a file called server.csr.
      openssl req -new -key server.key -out server.csr

      Enter information about your company when prompted or use a period to leave the field blank before hitting enter from your keyboard.

    7. Enter the following command to generate a self-signed digital certificate from the server.key and server.csr files. Store the certificate in a file called server.crt.

      openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
    8. Close the Command Prompt.

Note: You may also refer to Create a Private Key and Self-Signed Digital Certificate and Salesforce documentation regarding how to acquire the token.

The following process produces two files

  • server.key—The private key. You specify this file when you authorize an org with the auth:jwt:grant command.
  • server.crt—The digital certification. You upload this file when you create the connected app required by the JWT bearer flow.
    1. From your desktop, click Go, then Utilities, and then Terminal.
    2. Enter the following command to create a directory.
      mkdir /Users/jdoe/Documents/JWT

      Note: You can select where you wish to save the JWT directory.

    3. Enter the following command to access the created directory.

      >cd /Users/jdoe/Documents/JWT
    4. Enter the following command to generate a private key.
      >openssl genrsa -des3 -passout pass:SomePassword -out server.pass.key 2048
    5. Enter the following command to store the private key in a file called server.key.
      openssl rsa -passin pass:SomePassword -in server.pass.key -out server.key
    6. Enter the following command to generate a certificate signing request using the server.key file. Store the certificate signing request in a file called server.csr.
      openssl req -new -key server.key -out server.csr

      Enter information about your company when prompted or use a period to leave the field blank before hitting enter from your keyboard.

    7. Enter the following command to generate a self-signed digital certificate from the server.key and server.csr files. Store the certificate in a file called server.crt
      openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
    8. Close Terminal.

Note: You may also refer to Create a Private Key and Self-Signed Digital Certificate and Salesforce documentation regarding how to acquire the token.

How to generate the Salesforce JWT

Create a connected app in Salesforce

  1. Sign in to Salesforce as admin.
  2. Click on the  icon, then click Setup.
  3. In the navigation panel, click Apps, then App Manager.
  4. Click New Connected App.
  5. In the Basic Information section, enter your Connected App Name, API Name, and Contact Email.
  6. In the API (Enable OAuth Settings) section, select Enable OAuth Settings.
  7. In the Callback URL field, enter https://login.salesforce.com
  8. Select Use digital signatures then click Choose File.

  9. Open the JWT directory you have created then select server.crt.

  10. In the Selected OAuth Scopes, add the following:
    • Access unique user identifiers (openid)
    • Full access (full)
    • Manage user data via Web browsers (web)
    • Perform requests at any time (refresh_token, offline_access)

  11. Click Save.

  12. When a dialog box appears saying changes will take up to 10 minutes to take effect, click Continue.

Note: Once the page loads, you should see a Consumer Key. Click Copy and paste it on a notepad. This will be used when generating the JWT. In cases where the Consumer Key does not appear, click Manage Consumer Details. You will be asked to verify your identity through a verification code sent to your email before it displays your Consumer Key.

Edit the App Policy

  1. In the Salesforce admin account set up page navigation panel, click App then Connected Apps, and then Manage Connected Apps.
  2. Click Edit beside the app you created.
  3. In the OAuth Policies section, set Permitted Users to Admin approved users are pre-authorized.
    Click OK if a dialog box appears.
  4. Set IP Relaxation to Enforce IP restrictions, and Refresh Token Policy to Refresh token is valid until revoked.
  5. Click Save

Grant app access to system administrator

  1. In the Salesforce admin account set up page navigation panel, click Users then Profiles.
  2. From the list of Profiles, select System Administrator then click Edit.
  3. In the Connected App Access section, select the app name you have created then click Save.

Generate the JWT

  1. Open your browser then access  https://jwt.io/
  2. In the Algorithm drop-down, click RS256.
    This will reflect in the HEADER section (from "alg": "HS256", to "alg": "RS256",)
  3. In the PAYLOAD section, change the data:
          1. Sign in to Salesforce as admin.
          2. Click on the icon, then click Setup.
          3. In the navigation panel, click Apps, then App Manager
          4. Find the app you created, click the drop-down arrow then click View.
          5. In the API (Enable OAuth Settings) section, Copy the Consumer Key.
      • from "name": "John Doe", to "sub": "username",
        Note: username refers to the Salesforce admin account username.
      • from "admin": true, to "aud": "https://login.salesforce.com",

    Note: aud refers to the Callback URL. You can get the Callback URL when you:

        1. Sign in to Salesforce as admin.
        2. Click on the  icon, then click Setup.
        3. In the navigation panel, click Apps, then App Manager
        4. Find the app you created, click the drop-down arrow then click View.
        5. In the API (Enable OAuth Settings) section, you will find the Callback URL
      • from "iat": 1516239022 to "exp": 1698325095
        Note: 1698325095
         pertains to Thu Oct 26 2023 20:58:15 GMT+0800.
        You can set your own expiration date based on your corporate policies.

  4. In the VERIFY SIGNATURE section, clear both the Public Key field and the Private Key field.
  5. Open the JWT directory you have created when you complete How to create a private key and self-signed digital certificate.
  6. Select and right-click on server.key, then click Open with, and then select TextEdit (if you are on macOS) or Notepad (if you are on Windows).
  7. Copy all the text from the server.key file, then go back to https://jwt.io/ 
  8. In the VERIFY SIGNATURE section, paste it into the Private key field.
  9. Copy the entire text in the Encoded section.
    This is the jwt token that you need to use when integrating your Salesforce with Zoom IQ for Sales to sync deal progress.

(Optional) Validate the token

To validate the token, open a browser and enter
https://login.salesforce.com/services/oauth2/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=${your jwt token}

If your token is not valid, you will see a response that says <error>invalid_grant</error>.

Zoom Community

Join the 100K+ other members in the Zoom Community! Login with your Zoom account credentials and start collaborating.