What is Salesforce Security Token and How Do I Find It?

By on Sep 21, 2016

Your Salesforce security token is a case-sensitive alphanumeric key that is used in combination with a password to access Salesforce via API. The purpose of the token is to improve the security between Salesforce users and Salesforce.com in the case of a compromised account. It ensures, among other things, that if a user’s account credentials are compromised, a third party wouldn’t be able to access Salesforce via API or from an untrusted network.

A user’s security token is related to their password and used together to access Salesforce. There are two ways the security token may be entered, depending on the application:

  1. The token is appended to the end of your password without any spaces
  2. The token is entered in a separate field from the password

In the first case, when accessing Salesforce via API, you append the token to the end of your password. See below, but keep in mind the brackets would not be entered:

[password][security token]

For example, if your password was “football” and your security token was “FidneS38Dn” then you would enter “footballFidneS38Dn” (again, without the quotation marks).

In the second case, you would simply enter your security token into a separate field. See below for an example:

sfdc security token settings blog image

17-Point Salesforce Security Configuration Checklist

Get an overview of Salesforce’s security capabilities that provide the highest level of protection for sensitive data, along with a 17-point checklist to make the most of Salesforce’s robust built-in security.

Download Now

There are a few things about how Salesforce uses security tokens that can trip up Salesforce users and administrators.

Resetting your Salesforce user password

When a user resets their password, their security token resets as well. If that user’s security token was used to integrate third-party applications with Salesforce, that integration will break as well. Each time you reset an account password used to connect other applications to Salesforce, you will need to re-enter your new security token into that application.

Losing the security token

If you can’t remember you security token and have deleted the email containing the token, the only way to retrieve it is by resetting the token. Salesforce does not provide an option to view your token within the web application; the only option available is to reset it. Again, if the existing token is used for any API integrations, you will need to update your integrations.

Security tokens of deactivated users

If a user has been deactivated in Salesforce, they no longer have a valid Salesforce user account and so their security token is invalidated as well. This too would cause API integrations using the deactivated user’s security token to break. However, if the user has been reactivated, their original security token will continue to work until a password reset or token reset has been requested.

Where can I find or view my Salesforce security token?

As mentioned above, Salesforce doesn’t actually let a user view their security token within the application. To gain access to your security token, go to “Setup” (appears in the top right corner, under your name).

sfdc security token image 2.1

In the left side menu column (under Personal Setup), open the drop down item “My Personal Information.” The option to reset your security token will appear right under password reset option.

sfdc security token image 3.1

Salesforce will send you an email containing your new security token. It’s recommended that you save this email in a secure location so that you don’t have to reset your security token every time you need it.

How can I keep my token secure

It’s important to note that since a hacker can reset a user’s token if they access Salesforce from a desktop browser, if that hacker also had access to the email address that the user used in Salesforce, then they could also gain access to the security token. This is because whenever a security token resets, the new token is emailed to the user. Given that most people have the habit of reusing passwords across different services, it’s highly recommended that Salesforce administrators turn on two-factor authentication for their Salesforce environment.

Why is my “Reset Security Token” option missing?

If a user’s profile is configured such that there is a restriction on the IP ranges that can access Salesforce, then that user will not have the ability to access/reset their security token. In order to give access to security token, either remove the user from the profile that contains the IP range restriction, or update the user’s profile by removing the IP range restriction.

In rare cases where the user’s profile doesn’t contain IP range restriction and they still can’t access the security token reset option, edit the user’s profile and save (without making any actual changes to the profile).

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs