Skip to content
Latchkey

Salesforce sf "This org appears to have a problem" (JWT) in CI

A headless JWT bearer flow (sf org login jwt) failed against the org. The CLI wraps the OAuth response, so the cause is almost always the JWT inputs: the private key does not match the connected app cert, the consumer key is wrong, or the running user is not pre-authorized.

What this error means

A login step using JWT fails with "This org appears to have a problem" or "JWT" in the error, and no org alias is written for later steps to use.

sf
ERROR running org:login:jwt:  This org appears to have a problem (Dependent class is invalid and needs recompilation).
JWTAuthError: We encountered a JSON web token error, which is likely not an issue with Salesforce CLI.

Common causes

The private key does not match the connected app certificate

The --jwt-key-file private key must pair with the X.509 certificate uploaded to the connected app's "Use digital signatures" setting. A regenerated or wrong key fails the signature check.

The user is not pre-authorized on the connected app

JWT requires the running user's profile or permission set to be on the connected app's OAuth policies (admin pre-approved), or the JWT grant is rejected.

How to fix it

Provide the matching key, consumer key, and username

  1. Store the server private key as a CI secret and write it to a file in the job.
  2. Pass the connected app consumer key as --client-id and the integration user as --username.
  3. Confirm the cert on the connected app was generated from the same key pair.
Terminal
echo "$SF_JWT_KEY" > server.key
sf org login jwt \
  --client-id "$SF_CONSUMER_KEY" \
  --jwt-key-file server.key \
  --username "$SF_USERNAME" \
  --instance-url https://login.salesforce.com \
  --alias ci-org

Pre-authorize the integration user

On the connected app, set OAuth policies to "Admin approved users are pre-authorized" and assign the integration user a permission set that grants the app, so the JWT grant is accepted.

How to prevent it

  • Keep the connected app certificate and the CI private key as one managed pair.
  • Use a dedicated integration user pre-authorized on the connected app.
  • Point --instance-url at login.salesforce.com for prod and test.salesforce.com for sandboxes.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →