Session Revocation — Salesforce
Challenge ends Salesforce UI and API sessions by deleting AuthSession records for the target user. Authentication uses a JWT Bearer Connected App (no simple API key).
Prerequisites
- Salesforce admin access to create a Connected App
- An integration user with Manage Users permission
- RSA key pair (private key stays in Challenge; public certificate uploaded to Salesforce)
Connected App setup
- In Salesforce Setup, create a Connected App with OAuth enabled.
- Enable Use digital signatures and upload your public certificate.
- Enable OAuth scopes including Full access (`full`) or Access and manage your data (`api`).
- Pre-authorize the integration user for the Connected App (admin approved users).
- Note the Consumer Key (client ID).
Challenge configuration
Under Integrations → Session Revocation → Salesforce, provide:
| Field | Description |
|---|---|
| Login URL | https://login.salesforce.com (or https://test.salesforce.com for sandbox) |
| Consumer key | Connected App consumer key |
| Integration user username | Salesforce username used as JWT sub (must be pre-authorized) |
| JWT private key (PEM) | RSA private key matching the uploaded certificate |
| API version | Default v59.0 |
API calls Challenge makes
- Mint access token: `POST {login_url}/services/oauth2/token` (JWT bearer grant)
- Lookup: SOQL `SELECT Id FROM User WHERE Email = '...'`
- Query sessions: `SELECT Id FROM AuthSession WHERE UsersId = '...'`
- Revoke: `DELETE /services/data/{version}/sobjects/AuthSession/{sessionId}` for each session
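The sequence above, as an added illustration written for this page rather than Challenge's own code: it mints the RS256 JWT bearer assertion from the Connected App consumer key, the integration username and the login URL, builds the token request body, and builds the SOQL query URLs. The instance URL, version and addresses in the comments are assumed placeholders; the `SOQLQuote` helper is there because the email and user Id are interpolated into a WHERE clause and must be escaped.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"strings"
)

// Claims carried by the JWT bearer assertion for the Connected App.
type Claims struct {
	Iss string `json:"iss"` // Connected App consumer key
	Sub string `json:"sub"` // pre-authorized integration user (Salesforce username)
	Aud string `json:"aud"` // https://login.salesforce.com or https://test.salesforce.com
	Exp int64  `json:"exp"` // Unix expiry; keep it a few minutes out, Salesforce rejects stale assertions
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs the JWT (RS256) with the key whose certificate was uploaded to the app.
func BuildAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(c) // strings and an int64: cannot fail
	input := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// TokenForm is the body POSTed to {login_url}/services/oauth2/token.
func TokenForm(assertion string) url.Values {
	return url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}}
}
// SOQLQuote escapes a string literal so a crafted email or Id cannot change the WHERE clause.
func SOQLQuote(s string) string {
	return "'" + strings.NewReplacer(`\`, `\\`, `'`, `\'`).Replace(s) + "'"
}
// QueryURL is the REST query endpoint for one SOQL statement (User lookup, AuthSession listing).
func QueryURL(instance, version, soql string) string {
	return instance + "/services/data/" + version + "/query?q=" + url.QueryEscape(soql)
}
```

The access token returned by the token endpoint goes in an `Authorization: Bearer` header on the query calls and on the `DELETE .../sobjects/AuthSession/{sessionId}` call for each returned Id.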
Username format
Use the user’s Salesforce email address.
Troubleshooting
| Symptom | Check |
|---|---|
| Authentication failed | Consumer key, username, private key, certificate match, user pre-authorized |
| Zero sessions deleted | User may have no active sessions (still reported as success) |
| http_403 on AuthSession | Integration user lacks Manage Users permission |