Understanding How the Coveo for Salesforce Free Edition Uses the JWT Flow

Free edition only - Deprecated

The Coveo for Salesforce Free edition uses the JWT flow in Salesforce to secure content and ensure that users can only see results to which they normally have access.

By default, when installing the Coveo for Salesforce Free edition for the first time, the JWT flow isn’t properly configured. To configure it, see Allowing User Impersonation.

Understanding the JWT Flow With Logged Users

When a user performs a query, it’s routed through the Coveo infrastructure to enhance it with ranking values and added features (see Understanding the Coveo for Salesforce Free Edition Architecture).

At this point, Coveo needs to call Salesforce back to execute one or several search requests through API calls. To ensure that the user is returned only items to which they have access, Coveo needs to impersonate the user.

The JWT flow is used to ensure that the request sent to the Salesforce index uses the current user identity.
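To show how a JWT assertion carries the identity being impersonated, the following added example (not Coveo's or Salesforce's code) signs and verifies an RS256 assertion in the style of the OAuth 2.0 JWT bearer grant (RFC 7523), assuming that is the flow referred to here. The consumer key, username, audience URL and 3-minute lifetime are constructed sample values.

```javascript
// Added example: not Coveo's or Salesforce's code; all names and values are constructed.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
// Node's 'base64' decoder also accepts the URL-safe alphabet.
const decode = (part) => JSON.parse(Buffer.from(part, 'base64').toString('utf8'));

// Caller side: sign an assertion whose `sub` names the user the query runs as.
function buildAssertion({ consumerKey, username, audience, privateKey, now = Date.now() }) {
  const claims = { iss: consumerKey, sub: username, aud: audience,
                   exp: Math.floor(now / 1000) + 180 }; // short lifetime (assumed 3 minutes)
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const input = `${header}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), privateKey);
  return `${input}.${b64url(sig)}`;
}

// Receiving side: check algorithm, signature, issuer, audience and expiry before trusting `sub`.
function verifyAssertion(jwt, { publicKey, consumerKey, audience, now = Date.now() }) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, c, s] = parts;
  let header, claims;
  try { header = decode(h); claims = decode(c); } catch { header = null; }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  if (header.alg !== 'RS256') return { ok: false, reason: 'unexpected alg' };
  const valid = crypto.verify('sha256', Buffer.from(`${h}.${c}`), publicKey, Buffer.from(s, 'base64'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (claims.iss !== consumerKey || claims.aud !== audience) {
    return { ok: false, reason: 'wrong issuer or audience' };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now / 1000) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, user: claims.sub }; // the identity the search request will use
}

// Constructed sample run with a throwaway key pair.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const cfg = { consumerKey: 'EXAMPLE_CONSUMER_KEY', audience: 'https://login.example.invalid' };
const token = buildAssertion({ ...cfg, username: 'jane@example.invalid', privateKey });
console.log(verifyAssertion(token, { ...cfg, publicKey }));
```

Because the signature covers the claims, changing `sub` after signing invalidates the assertion; the identity used for the query is only as trustworthy as the private key that signs it.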

When the package is first installed and the JWT flow isn’t configured, queries fall back to the identity of the user who linked the Coveo package to your Coveo organization. This fallback ensures that queries can be quickly returned and that the package can be tested beforehand. While it's active, every query runs with that user's identity rather than the current user's, so the identity fallback should be disabled as soon as the JWT flow is configured, before the Coveo for Salesforce Free edition is publicly released in your community.

Understanding the JWT Flow With Anonymous Users

Oftentimes, you’ll want anonymous users to be able to access your community. By default, Salesforce provides a guest user, which is used as the identity for your anonymous users.

However, this identity doesn’t have API access, so it’s unable to perform API calls to the Salesforce index. When Coveo impersonates the guest user, the API call that it sends to the Salesforce index fails and returns zero results, so your anonymous users won’t receive results in your community.

To address this, you need to create a custom Guest User that’s able to perform API calls, and set this user as the default anonymous user of your Coveo component (see Creating a Guest User Profile for Your Community).
