AQUILA - Salesforce Integration via JWT Authentication

Overview

With the OAuth 2.0 JWT bearer token flow, the client posts a JWT to the Salesforce OAuth token endpoint. Salesforce processes the JWT, which includes a digital signature, and issues an access token based on prior approval of the app.

Check "View Event Log Files" Permission

1. Check Your Org's Event Monitoring License: Go to Setup > Quick Find > Installed Packages or Company Information (under Quick Find > Company Settings). Look for Event Log File Browser or Event Monitoring and enable it if it shows an option to do so.
2. Enable Event Monitoring Features: Setup > Quick Find > Event Monitoring Settings (or search "Event Log File Browser"). If the page loads: Check Enable Event Log File Browser > Save.

Clone and Modify the Profile

1. Log in to Salesforce Setup: Go to Setup (gear icon > Setup) as an admin.
2. Clone the Standard User Profile:
   - Navigate to Setup > Quick Find > Profiles.
   - Find Standard User > Click Clone next to it.
   - Profile Information:
     - Profile Name: e.g., "Standard User - Log Integration".
     - Description: "Cloned for Elastic log integration with API and ELF access."
     - User License: Salesforce Integration
   - Save. This creates a new custom profile based on Standard User.
3. Edit System Permissions in the Cloned Profile: In Profiles, find your new cloned profile > Click Edit > Go to the System Permissions section (or use Quick Find for "System Permissions"). Enable the following checkboxes (these are the key changes from Standard User, which starts with them disabled for security):

   | Permission | Change from Standard User | Why Enable It? | How to Enable |
   |---|---|---|---|
   | API Enabled | Disabled → Enabled | Allows REST/SOAP API calls for fetching logs (e.g., EventLogFile queries). Essential for Elastic integration. | Check the box under System Permissions. |
   | View Event Log Files | Disabled → Enabled | Grants read access to historical Event Log Files (ELF) like logins and Apex events. Core for log ingestion. | Check the box under System Permissions. |
   | View All Data | Disabled → Enabled | Provides broader object read access if ELF queries fail due to restrictions. | Check the box under System Permissions. |

   Do NOT enable unrelated permissions like "Modify All Data" or "Delete All Data" to maintain least-privilege. Save the profile.
4. Assign the Cloned Profile to Your Integration User: Setup > Quick Find > Users > Select your integration user > Edit. Profile: Select "Standard User - Log Integration". Save.
5. Handle Event Monitoring Permissions (Not in Profile; Use Permission Set): The "View Real-Time Event Monitoring Data" isn't a direct profile permission; it's tied to Event Manager.
   - Create a Permission Set: Go to Setup > Quick Find > Permission Sets > New.
     - Label/Name: e.g., "Event Monitoring Access".
     - License: "Salesforce Integration" (matches Standard User).
     - Save > System Permissions tab > Enable View All Data, API Enabled and View Event Log Files.
     - Event Log File Browser tab: Enable access to specific events.
   - Assign the Permission Set: Permission Set Assignments > New > Select your integration user > Assign.
   - Enable Events in Event Manager: Setup > Quick Find > Event Manager. For desired events (e.g., Login Event), click dropdown > Enable Storage. This requires the Event Log File Browser add-on license. This starts log retention (up to 1 year for ELF; real-time requires add-on license).

Client Key and Certification Signature Configuration

To use this integration, you need to create a new Salesforce Application using OAuth. Follow these steps to create a connected application in Salesforce:

1. Log in to Salesforce with the user credentials you want to collect data with.
2. Click Setup in the top right menu bar.
3. In the Quick Find textbox, search for App Manager or you can scroll down to PLATFORM TOOLS and select App Manager.
4. In the upper right corner, choose the New External Client App.
5. Provide a name for the connected application. This name will be displayed in the App Manager and on its App Launcher tile.
6. Enter the API name. The default is a version of the name without spaces. Only letters, numbers, and underscores are allowed. If the original app name contains any other characters, edit the default name.
7. Enter the email address of the new account you created earlier.
8. Under the API (Enable OAuth Settings) section, check the box for Enable OAuth Settings.
9. In the Callback URL field, enter the instance URL as specified in Salesforce instance URL. Example URL: https://na9.salesforce.com
10. Select the following OAuth scopes to apply to the connected app:
    - Manage user data via APIs (api)
    - Perform requests at any time (refresh_token, offline_access)
    - (Optional) If you encounter any permission issues during data collection, add the Full access (full) scope.
11. Select Require Secret for the Web Server Flow to require the app's client secret in exchange for an access token.
12. Select Require Secret for Refresh Token Flow to require the app's client secret in the authorization request of a refresh token and hybrid refresh token flow.
13. Scroll up above the Callback URL in the App Settings, where you will see the Consumer Key and Secret button, and click it.
14. It will open another tab. Verify the user account by entering the Verification Code.
15. Copy the Consumer Key and Consumer Secret from the Consumer Details section. These values should be used as the Client ID and Client Secret, respectively, in the integration.
16. Close that tab and go back to the External Client App Manager.
17. Click Save.

Required fields for JWT Authentication Integration:

- JWT Authentication Audience URL
- JWT Authentication Client Key Path
- Username
- Client ID
- Instance URL
- Token URL

Provide these required fields to CyTech Support.
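
Added example, not part of the original guide or of CyTech's integration code: a pre-flight check of the JWT assertion built from the required fields above, using the claim mapping of Salesforce's JWT bearer flow (iss = Client ID, sub = Username, aud = Audience URL, exp within 3 minutes, RS256). The `cfg` key names and sample values are assumptions, and the RS256 signature itself is not produced or verified here.

```python
import base64, json
from urllib.parse import urlencode

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
MAX_LIFETIME = 180  # seconds; Salesforce documents exp as within 3 minutes

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_json(segment: str):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def signing_input(cfg: dict, now: int) -> str:
    """header.claims string that the key at the Client Key Path must sign (RS256)."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": cfg["client_id"], "sub": cfg["username"],
              "aud": cfg["audience_url"], "exp": now + MAX_LIFETIME}
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))

def check_assertion(jwt: str, cfg: dict, now: int) -> list:
    """List reasons the token endpoint would reject this JWT (signature not verified)."""
    parts = jwt.split(".")
    if len(parts) != 3 or not parts[2]:
        return ["expected header.claims.signature with a non-empty signature"]
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
        alg, exp = header.get("alg"), claims.get("exp")
    except (ValueError, AttributeError):
        return ["header or claims is not a base64url-encoded JSON object"]
    problems = [] if alg == "RS256" else ["alg must be RS256"]
    for claim, field in (("iss", "client_id"), ("sub", "username"), ("aud", "audience_url")):
        if claims.get(claim) != cfg[field]:
            problems.append(f"{claim} does not match configured {field}")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or already expired")
    elif exp - now > MAX_LIFETIME:
        problems.append("exp is more than 3 minutes ahead")
    return problems

def token_request_body(jwt: str) -> str:
    return urlencode({"grant_type": GRANT_TYPE, "assertion": jwt})  # posted to the Token URL

if __name__ == "__main__":
    # Constructed sample values; the signature is a placeholder, not a real RS256 signature.
    cfg = {"client_id": "EXAMPLE_CONSUMER_KEY", "username": "integration.user@example.com", "audience_url": "https://login.salesforce.com"}
    now = 1_700_000_000
    jwt = signing_input(cfg, now) + "." + b64url(b"placeholder-signature")
    print(check_assertion(jwt, cfg, now), token_request_body(jwt), sep="\n")
```

An empty list means the header and claims agree with the configured fields; a mismatch in `aud` or an expired `exp` is reported before the request ever reaches the token endpoint.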

Reference Link: OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration in Salesforce

If you need further assistance, kindly contact our support at support@cytechint.com for prompt assistance and guidance.