Salesforce sf "This org appears to have a problem" (JWT) in CI
A headless JWT bearer flow (sf org login jwt) failed against the org. The CLI wraps the OAuth response, so the cause is almost always the JWT inputs: the private key does not match the connected app cert, the consumer key is wrong, or the running user is not pre-authorized.
What this error means
A login step using JWT fails with "This org appears to have a problem" or "JWT" in the error, and no org alias is written for later steps to use.
ERROR running org:login:jwt: This org appears to have a problem (Dependent class is invalid and needs recompilation).
JWTAuthError: We encountered a JSON web token error, which is likely not an issue with Salesforce CLI.Common causes
The private key does not match the connected app certificate
The --jwt-key-file private key must pair with the X.509 certificate uploaded to the connected app's "Use digital signatures" setting. A regenerated or wrong key fails the signature check.
The user is not pre-authorized on the connected app
JWT requires the running user's profile or permission set to be on the connected app's OAuth policies (admin pre-approved), or the JWT grant is rejected.
How to fix it
Provide the matching key, consumer key, and username
- Store the server private key as a CI secret and write it to a file in the job.
- Pass the connected app consumer key as
--client-idand the integration user as--username. - Confirm the cert on the connected app was generated from the same key pair.
echo "$SF_JWT_KEY" > server.key
sf org login jwt \
--client-id "$SF_CONSUMER_KEY" \
--jwt-key-file server.key \
--username "$SF_USERNAME" \
--instance-url https://login.salesforce.com \
--alias ci-orgPre-authorize the integration user
On the connected app, set OAuth policies to "Admin approved users are pre-authorized" and assign the integration user a permission set that grants the app, so the JWT grant is accepted.
How to prevent it
- Keep the connected app certificate and the CI private key as one managed pair.
- Use a dedicated integration user pre-authorized on the connected app.
- Point
--instance-urlat login.salesforce.com for prod and test.salesforce.com for sandboxes.