Generating Salesforce JWT for Zoom Revenue Accelerator

When integrating your Salesforce with Zoom to sync deal progress with Zoom Revenue Accelerator, you will be asked for the JWT from your Salesforce account. In generating the token, you must follow this guide in the order listed.

Requirements for generating Salesforce JWT for Zoom Revenue Accelerator

Pro, Business, Enterprise, or Zoom Phone standalone account
Licensed user with Zoom Revenue Accelerator license
Salesforce account with admin access

How to create a private key and self-signed digital certificate
How to generate the Salesforce JWT

How to create a private key and self-signed digital certificate

Select your platform to view the instructions on how to create a private key and a self-signed digital certificate. This is the first step in successfully generating a Salesforce JWT.

Windows

The following process produces two files:

server.key—The private key. You specify this file when you authorize an org with the auth:jwt:grant command.
server.crt—The digital certification. You upload this file when you create the connected app required by the JWT bearer flow.
1. Open Command Prompt as administrator.
2. Enter the following command to create a directory.
```
mkdir /Users/jdoe/Documents/JWT
```
  Note: You can select where you wish to save the JWT directory.
3. Enter the following command to access the created directory.
```
cd /Users/jdoe/Documents/JWT
```
4. Enter the following command to generate a private key.
```
openssl genrsa -des3 -passout pass:SomePassword -out server.pass.key 2048
```
5. Enter the following command to store the private key in a file called server.key.
```
openssl rsa -passin pass:SomePassword -in server.pass.key -out server.key
```
6. Enter the following command to generate a certificate signing request using the server.key file. Store the certificate signing request in a file called server.csr.
```
openssl req -new -key server.key -out server.csr
```
  Enter information about your company when prompted or use a period to leave the field blank before hitting enter from your keyboard.
7. Enter the following command to generate a self-signed digital certificate from the server.key and server.csr files. Store the certificate in a file called server.crt.
```
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
```
8. Close the Command Prompt.

Note: You may also refer to Create a Private Key and Self-Signed Digital Certificate and Salesforce documentation regarding how to acquire the token.

macOS

The following process produces two files

server.key—The private key. You specify this file when you authorize an org with the auth:jwt:grant command.
server.crt—The digital certification. You upload this file when you create the connected app required by the JWT bearer flow.
1. From your desktop, click Go, then Utilities, and then Terminal.
2. Enter the following command to create a directory.
```
mkdir /Users/jdoe/Documents/JWT
```
  Note: You can select where you wish to save the JWT directory.
3. Enter the following command to access the created directory.
```
>cd /Users/jdoe/Documents/JWT
```
4. Enter the following command to generate a private key.
```
>openssl genrsa -des3 -passout pass:SomePassword -out server.pass.key 2048
```
5. Enter the following command to store the private key in a file called server.key.
```
openssl rsa -passin pass:SomePassword -in server.pass.key -out server.key
```
6. Enter the following command to generate a certificate signing request using the server.key file. Store the certificate signing request in a file called server.csr.
```
openssl req -new -key server.key -out server.csr
```
  Enter information about your company when prompted or use a period to leave the field blank before hitting enter from your keyboard.
7. Enter the following command to generate a self-signed digital certificate from the server.key and server.csr files. Store the certificate in a file called server.crt
```
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
```
8. Close Terminal.

Note: You may also refer to Create a Private Key and Self-Signed Digital Certificate and Salesforce documentation regarding how to acquire the token.

How to generate the Salesforce JWT

After creating a private key and a self-signed digital certificate, follow these steps in the order listed.

Create a connected app in Salesforce

Sign in to Salesforce as admin.
Click the gear icon , then click Setup.
In the navigation menu, click Apps, then App Manager.
Click New Connected App.
In the Basic Information section, enter your Connected App Name, API Name, and Contact Email.
In the API (Enable OAuth Settings) section, select Enable OAuth Settings.
In the Callback URL field, enter https://login.salesforce.com
Select Use digital signatures then click Choose File.
Open the JWT directory you have created then select server.crt.
In the Selected OAuth Scopes, add the following:
- Access unique user identifiers (openid)
- Full access (full)
- Manage user data via Web browsers (web)
- Perform requests at any time (refresh_token, offline_access)
Click Save.
When a dialog box appears saying changes will take up to 10 minutes to take effect, click Continue.

Note: Once the page loads, you should see a Consumer Key. Click Copy and paste it on a notepad. This will be used when generating the JWT. In cases where the Consumer Key does not appear, click Manage Consumer Details. You will be asked to verify your identity through a verification code sent to your email before it displays your Consumer Key.

Edit the App Policy

In the Salesforce admin account Setup page navigation menu, click App then Connected Apps, and then Manage Connected Apps.
Click Edit beside the app you created.
In the OAuth Policies section, set Permitted Users to Admin approved users are pre-authorized.
If a confirmation window appears, click OK.
Set IP Relaxation to Enforce IP restrictions, and Refresh Token Policy to Refresh token is valid until revoked.
Click Save.

Grant app access to system administrator

In the Salesforce admin account set up page navigation panel, click Users then Profiles.
From the list of Profiles, select System Administrator then click Edit.
In the Connected App Access section, select the app name you have created then click Save.

Generate the JWT

Open your browser then access https://jwt.io/
In the Algorithm drop-down, click RS256.
This will be reflected in the HEADER section (from "alg": "HS256", to "alg": "RS256",)
In the PAYLOAD section, change the data:
- from "sub": "1234567890", to "iss": "<input consumerKey>",
  Note: You must complete creating a connected app in Salesforce to have a Consumer Key. You can get the Consumer Key when you:
  1. Sign in to Salesforce as admin.
  2. Click the gear icon , then click Setup.
  3. In the navigation menu, click Apps, then App Manager.
  4. Find the app you created, click the dropdown arrow, and then click View.
  5. In the API (Enable OAuth Settings) section, copy the Consumer Key.
- from "name": "John Doe", to "sub": "username",
  Note: username refers to the Salesforce admin account username.
- from "admin": true, to "aud": "https://login.salesforce.com",
  Note: aud refers to the Callback URL. You can get the Callback URL when you:
  1. Sign in to Salesforce as admin.
  2. Click the gear icon , then click Setup.
  3. In the navigation menu, click Apps, then App Manager.
  4. Find the app you created, click the dropdown arrow, and then click View.
  5. In the API (Enable OAuth Settings) section, copy the Consumer Key.
- from "iat": 1516239022 to "exp": 1698325095
  Note: 1698325095 pertains to Thu Oct 26 2023 20:58:15 GMT+0800. You can set your own expiration date based on your corporate policies.
In the VERIFY SIGNATURE section, clear both the Public Key field and the Private Key field.
Open the JWT directory you have created when you complete creating a private key and self-signed digital certificate.
Select and right-click on server.key, then click Open with, and then select TextEdit (if you are on macOS) or Notepad (if you are on Windows).
Copy all the text from the server.key file, then go back to https://jwt.io/
In the VERIFY SIGNATURE section, paste it into the Private key field.
Copy the entire text in the Encoded section.
This is the jwt token that you need to use when integrating your Salesforce with Zoom Revenue Accelerator to sync deal progress.

(Optional) Validate the token

To validate the token, open a browser and enter
https://login.salesforce.com/services/oauth2/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=${your jwt token}

If your token is not valid, you will see a response that says <error>invalid_grant</error>.

If the user setting up the Revenue Accelerator/Salesforce integration does not have OpenSSL installed on their machine, they need to install OpenSSL and set the PATH variables if they are on a Windows machine.