PR #29016: fix(Salesforce Node): Allow overriding JWT audience with My Domain URL

• Repository: n8n-io/n8n
• Author: jeanibarz
• State: open | merged: False
• Link: https://github.com/n8n-io/n8n/pull/29016

Description (problem / solution / changelog)

Summary

Salesforce's Spring '26 release ended redirection for legacy hostnames. External Client Apps on affected orgs reject test.salesforce.com and login.salesforce.com as the JWT audience with app_not_found, and the JWT credential had no way to override them.

This PR adds an optional My Domain URL field to the Salesforce JWT credential. When set, it is used as:

• the aud claim of the signed JWT,
• the token endpoint (/services/oauth2/token), and
• the baseURL of the credential's Test request (/services/oauth2/userinfo).

Leaving the field blank keeps the existing environment-based defaults (test.salesforce.com / login.salesforce.com), so no migration is needed for orgs that still accept them.

Both code paths are covered:

• The credential's own authenticate() (used for credential tests and generic-request pipelines), via an exported resolveAuthUrl helper in SalesforceJwtApi.credentials.ts.
• The Salesforce node's getAccessToken in nodes/Salesforce/GenericFunctions.ts (the real workflow-execution path), via the same shared helper. Without this second change, the Test button would succeed but live workflows on Spring '26 orgs would still fail.

How to test

1. In a Salesforce sandbox on Spring '26 or later, enable External Client Apps, create a Connected App configured for JWT Bearer, and add the issuer to the org.
2. In n8n, create a Salesforce JWT API credential with the Connected App's Client ID, the username, and the private key.
3. Paste the org's My Domain URL (e.g. https://mycompany--uat.sandbox.my.salesforce.com) into the new My Domain URL field.
4. Click Test — the credential should authenticate. Then run any Salesforce node workflow (e.g. fetch a Lead) — it should succeed.
5. As a regression check, clear the My Domain URL field and verify that an older sandbox/production org still authenticates against the default URLs.

Verification

Unit tests cover both paths and include an explicit reproducer for issue #28990:

• packages/nodes-base/credentials/test/SalesforceJwtApi.credentials.test.ts — 13 tests. The test named signs the JWT with the Spring '26 sandbox My Domain URL as audience (issue #28990) asserts the exact aud: https://acme--sandbox.sandbox.my.salesforce.com shape from the reporter's direct-call matrix.
• packages/nodes-base/nodes/Salesforce/__test__/GenericFunctions.test.ts — adds a test that getAccessToken uses the My Domain URL for both the JWT audience and the token endpoint, proving runtime workflows (not just the Test button) are fixed.
• Full Salesforce suite: 199/199 tests green locally.

Scope

JWT credential only. SalesforceOAuth2Api has the same hardcoded pattern and may need the same treatment depending on how Spring '26 treats OAuth2 authorization flows — left out of this PR as a separate scope decision so this fix can land quickly for JWT users.

Related Linear tickets, Github issues, and Community forum posts

fixes #28990

Review / Merge checklist

• I have seen this code, I have run this code, and I take responsibility for this code.
• PR title and summary are descriptive.
• Docs updated or follow-up ticket created.
• Tests included.
• PR Labeled with `Backport to Beta`, `Backport to Stable`, or `Backport to v1` (if urgent).

Changed files

• packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts (modified, +22/-5)
• packages/nodes-base/credentials/test/SalesforceJwtApi.credentials.test.ts (added, +211/-0)
• packages/nodes-base/nodes/Salesforce/GenericFunctions.ts (modified, +3/-4)
• packages/nodes-base/nodes/Salesforce/__test__/GenericFunctions.test.ts (modified, +36/-0)