Heroku AppLink: Now Using JWT-Based Authorization for Salesforce
- Last Updated: December 11, 2025
Modern Continuous Integration/Continuous Deployment (CI/CD) pipelines demand machine-to-machine authorization, but the traditional web-based flow requires manual steps and often relies on static credentials, a major security risk. Heroku AppLink now uses JWT authorization to solve both problems: it enables automated setup and eliminates long-lived secrets.
In today’s evolving threat landscape, security attacks increasingly exploit systems that rely on long-lived access tokens or static credentials. If these credentials are compromised—for instance, if they are stolen from a configuration file or environment variable—attackers can reuse them for persistent, unauthorized access to sensitive data and systems. This vulnerability creates a major security risk that has recently impacted third-party applications across the industry.
Heroku AppLink is designed to deliver a modern, robust security posture by directly tackling this vulnerability. With AppLink, you can secure your microservice integrations by moving away from storing and managing long-lived secrets. The architecture is simple and powerful: AppLink provides your microservice with tokens on demand. This significantly reduces the window of opportunity for an attacker, because there is effectively nothing for them to steal or replay to gain long-term access. By switching to dynamic, on-demand credentials, you ensure your Salesforce data is protected in a microservice environment.

The shift: Why CI/CD demands JWT-based authorization
Historically, setting up the required authorization—establishing a trusted identity for your Heroku code to interact with Salesforce—relied solely on a web-based OAuth flow. While secure, this method required manual steps and posed a significant challenge for modern, automated deployment pipelines.
To enable true machine-to-machine communication, we’ve extended AppLink with JWT authorization, eliminating the manual steps required by traditional OAuth flows. This expands on the security model already in place, providing a secure, managed boundary between Salesforce and Heroku. Responding directly to feedback from our valued customers and partners who increasingly sought to automate their CI/CD pipelines, we have significantly enhanced AppLink to simplify this critical setup.
What AppLink is, and how JWT authorization works
Heroku AppLink is a secure managed boundary and service that fundamentally simplifies how you connect your Heroku microservices with your Salesforce org. It is specifically designed to deliver more robust security by moving away from storing and managing long-lived secrets. The architecture provides your microservice with tokens on demand, reducing the window of opportunity for an attacker to steal credentials or execute a replay attack. For more examples, check out this article by Andy Fawcett, Heroku alumnus and veteran Salesforce MVP.
AppLink provides two distinct modes for secure authentication to accommodate various integration scenarios, from user-driven applications to automated background processes.
Web-based OAuth flow
This method is the standard for user-driven applications (like a Salesforce AppExchange app) where an end-user is present to log in and grant explicit, delegated access. While secure, this flow requires manual browser interaction and is not suitable for headless, automated deployment pipelines that require true machine-to-machine authentication.
JWT-based authorization (JSON web token)
This new option directly addresses the need for automation and is highly recommended for server-to-server communication where a seamless and secure integration is paramount. It allows you to integrate the AppLink authorization setup directly into your CI/CD pipeline. JWTs are self-contained, digitally signed tokens, which allow your Heroku app to securely assert its identity and permissions when interacting with Salesforce APIs without needing to transmit credentials repeatedly.
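The following example, added here and not code from Heroku or AppLink, shows what "self-contained, digitally signed token" means in practice: a short-lived assertion is built with the claim names a Salesforce JWT bearer assertion uses (iss for the connected-app consumer key, sub for the integration user, aud for the login host, exp for expiry), and a verifier then pins the algorithm, checks the signature in constant time, checks the audience, and rejects anything past its expiry. Salesforce signs these assertions with RS256 using a certificate's private key; this example uses HS256 so it runs on the Python standard library alone, which is an assumption for illustration, not AppLink's mechanism. The consumer key, user, and signing key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(issuer: str, subject: str, audience: str, key: bytes,
                    lifetime_seconds: int = 180, now: Optional[int] = None) -> str:
    """Build a short-lived, signed JWT assertion.

    Claim names mirror a Salesforce JWT bearer assertion (iss, sub, aud, exp).
    HS256 stands in for the RS256 Salesforce expects, purely so this runs
    on the standard library (an assumption for illustration).
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "exp": now + lifetime_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_assertion(token: str, key: bytes, expected_audience: str,
                     now: Optional[int] = None) -> dict:
    """Check algorithm, signature, audience and expiry; return claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, never the token's own header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    # The short exp is what bounds the replay window; reject anything past it.
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


# Constructed demo values: placeholder consumer key, user and key, not real credentials.
DEMO_KEY = b"constructed-demo-signing-key"
DEMO_ISSUER = "CONSUMER_KEY_PLACEHOLDER"
DEMO_SUBJECT = "integration.user@example.com"
DEMO_AUDIENCE = "https://login.salesforce.com"


def _tampered_subject(token: str, new_subject: str) -> str:
    """Rewrite the sub claim while keeping the old signature, to confirm the verifier catches it."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = new_subject
    new_claims = _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return f"{header_b64}.{new_claims}.{sig_b64}"


def demonstrate(issued_at: int = 1_700_000_000) -> dict:
    """Show a fresh assertion accepted, an expired one rejected, and a tampered one rejected."""
    token = build_assertion(DEMO_ISSUER, DEMO_SUBJECT, DEMO_AUDIENCE, DEMO_KEY, now=issued_at)
    outcomes = {"fresh": verify_assertion(token, DEMO_KEY, DEMO_AUDIENCE, now=issued_at)["sub"]}
    for name, candidate, when in (
        ("expired", token, issued_at + 180),
        ("tampered", _tampered_subject(token, "other.user@example.com"), issued_at),
    ):
        try:
            verify_assertion(candidate, DEMO_KEY, DEMO_AUDIENCE, now=when)
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = str(err)
    return outcomes


if __name__ == "__main__":
    print(demonstrate())
```

The verifier's order matters: algorithm and signature are checked before any claim is trusted, and the expiry check is what turns a stolen assertion into a short-lived problem rather than a persistent one. In a real AppLink deployment the assertion is exchanged for a Salesforce access token rather than verified locally; that exchange is not shown here.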
Headless invocation of Salesforce agent
A headless invocation of Salesforce Agent is an available option for scenarios where the Heroku application needs to perform actions on behalf of a user, or leverage the contextual capabilities of the Salesforce platform, without a traditional user-interface flow. This method enables the Heroku service to programmatically access and interact with Salesforce org functionality, such as Agentforce and pre-configured topics, thereby extending your Heroku application with Agentforce capabilities.
Secure microservices and CI/CD automation with AppLink
For developers and the IT leaders supporting them, the enhancement of AppLink with JWT authorization delivers two non-negotiable requirements for the connected enterprise.
- Consistent automation for Continuous Delivery: You can now eliminate manual steps and ensure a consistent, repeatable deployment process within your CI/CD pipeline.
- Defense against credential theft: By leveraging JWTs and on-demand tokens, your application gains a more secure mechanism for communication.
To get started with AppLink’s new JWT authorization features and learn how to implement them in your microservices, check out the AppLink Documentation and the JWT Authorization Setup Guide.