Salesforce Data Cloud authentication (OAuth Access Token + DC JWT).
This crate implements the token flow for connecting to the Salesforce Data Cloud Hyper query engine:
- Obtain an OAuth Access Token from Salesforce
- Exchange it for a DC JWT (Data Cloud JSON Web Token)
- Send the DC JWT as the `Authorization` header with every gRPC call
§Authentication Modes
Three modes are supported for Step 1 (obtaining an OAuth Access Token):
- `Password`: Username + password + client secret (OAuth password grant)
- `PrivateKey`: JWT Bearer Token Flow using RSA private key (recommended for server-to-server; no OAuth Refresh Token involved)
- `RefreshToken`: Uses a long-lived OAuth Refresh Token + client secret
§Token Caching
Both the OAuth Access Token and the DC JWT are cached independently. The OAuth Access Token is only refreshed when genuinely expired, to avoid unnecessary OAuth Refresh Token rotation that would invalidate tokens held by other connections. The DC JWT is refreshed proactively based on both its expiry time and its age (maxAge check).
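The refresh policy described above can be modelled as a pure decision function. This is an added sketch, not the crate's implementation: the type names, the 60-second expiry margin and the 15-minute max age are assumptions chosen for illustration.

```rust
use std::time::Duration;

/// Lifetime of one cached token, in seconds on a shared monotonic clock.
#[derive(Clone, Copy)]
struct Cached { issued_at: u64, expires_at: u64 }

/// Assumed tuning knobs for the DC JWT; the crate's real values are not shown on this page.
struct Policy { expiry_margin: Duration, max_age: Duration }

#[derive(Debug, PartialEq)]
enum Action {
    ReuseDcJwt,   // no network call at all
    ExchangeOnly, // OAuth token still valid: only mint a new DC JWT
    FullReauth,   // OAuth token expired: authenticate again, then exchange
}

/// The OAuth Access Token is replaced only once it has actually expired.
fn oauth_expired(t: &Cached, now: u64) -> bool {
    now >= t.expires_at
}

/// The DC JWT is replaced early: close to expiry OR older than max_age.
fn dc_jwt_stale(t: &Cached, now: u64, p: &Policy) -> bool {
    let near_expiry = now.saturating_add(p.expiry_margin.as_secs()) >= t.expires_at;
    let too_old = now.saturating_sub(t.issued_at) >= p.max_age.as_secs();
    near_expiry || too_old
}

fn plan(oauth: Option<&Cached>, dc: Option<&Cached>, now: u64, p: &Policy) -> Action {
    let dc_fresh = dc.map_or(false, |t| !dc_jwt_stale(t, now, p));
    let oauth_valid = oauth.map_or(false, |t| !oauth_expired(t, now));
    match (dc_fresh, oauth_valid) {
        (true, _) => Action::ReuseDcJwt,
        (false, true) => Action::ExchangeOnly,
        (false, false) => Action::FullReauth,
    }
}

fn main() {
    // Constructed sample values: 2 h OAuth token, 1 h DC JWT issued at t=1000.
    let p = Policy { expiry_margin: Duration::from_secs(60), max_age: Duration::from_secs(900) };
    let oauth = Cached { issued_at: 0, expires_at: 7200 };
    let dc = Cached { issued_at: 1000, expires_at: 4600 };
    for now in [1500, 1900, 7300] {
        println!("t={now}: {:?}", plan(Some(&oauth), Some(&dc), now, &p));
    }
}
```

Only the `FullReauth` branch touches the OAuth credential, which is what keeps a Refresh Token from being rotated while other connections still hold tokens derived from it.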
§Example: JWT Bearer Token Flow
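```rust
use hyperdb_api_salesforce::{SalesforceAuthConfig, AuthMode, DataCloudTokenProvider};

// Wrapper so that `?` and `.await` compile; call it from your async runtime.
async fn example() -> Result<(), Box<dyn std::error::Error>> {
    // Load the RSA private key registered with the connected app.
    let private_key_pem = std::fs::read_to_string("server.key")?;

    let config = SalesforceAuthConfig::new(
        "https://login.salesforce.com",
        "your-connected-app-client-id",
    )?
    .auth_mode(AuthMode::private_key("user@example.com", &private_key_pem)?);

    let mut provider = DataCloudTokenProvider::new(config)?;

    // Get a valid DC JWT (automatically handles OAuth Access Token + exchange)
    let dc_jwt = provider.get_token().await?;

    // Printed for demonstration only: the bearer token is a credential and should not reach logs.
    println!("Authorization: {}", dc_jwt.bearer_token());
    println!("Tenant URL: {}", dc_jwt.tenant_url_str());
    Ok(())
}
```

§Two-Stage Token Flow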
- OAuth Access Token: Authenticate with Salesforce
  - Endpoint: `{login_url}/services/oauth2/token`
  - Returns: `access_token`, `instance_url`
- DC JWT: Exchange OAuth Access Token for a Data Cloud JWT
  - Endpoint: `{instance_url}/services/a360/token`
  - Grant type: `urn:salesforce:grant-type:external:cdp`
  - Returns: `access_token` (the DC JWT), `instance_url`, `expires_in`
§Security
- Private keys are stored using `zeroize` for secure memory handling
- Tokens are cached and automatically refreshed before expiration
- All HTTP communication uses TLS
Structs§
- `DataCloudToken`: Data Cloud JWT (DC JWT) for Hyper gRPC authentication.
- `DataCloudTokenProvider`: DC JWT provider.
- `OAuthToken`: Parsed OAuth Access Token with Salesforce instance URL.
- `SalesforceAuthConfig`: Configuration for the Salesforce Data Cloud token flow.
- `SharedTokenProvider`: Thread-safe wrapper around `DataCloudTokenProvider`.
Enums§
- `AuthMode`: Authentication mode for obtaining an OAuth Access Token from Salesforce.
- `SalesforceAuthError`: Errors that can occur during the Salesforce Data Cloud token flow (OAuth Access Token acquisition and DC JWT exchange).
Type Aliases§
- `SalesforceAuthResult`: Result type for Salesforce authentication operations.