function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
Lajos Kelemen from TampereLajos Kelemen from Tampere 

GENERATE A JWT TOKEN for Salesforce Einstein Predictive Vision Service


I am at the step Create a custom classifier/Set up authorization/Generate a JWT token.
When I run the script I get a response:
             Your access token response:
              {"message":"Invalid JWT token"}

I am on win10 64bit but don't have the anniversary update so I don't have bash coming with win10.
I have bash came with git.
As I don't have a valid JWT token I can not continue to "Step 1: Create the Dataset".

Please help.

Here is a more detailed output and my changes to the script:

Script output (with my password changed)


$ ./ ./00D0Y0000008amn.jks 3600
Enter destination keystore password:  my_pass
Enter source keystore password:  my_pass
Existing entry alias lkelemen_sf_devcert exists, overwrite? [no]:  yes
Entry for alias lkelemen_sf_devcert successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing privateKey.p12]
MAC verified OK

Generated Assertion:


Your access token response:

{"message":"Invalid JWT token"}


my script changes:

openssl pkcs12 -in privateKey.p12 -nocerts -nodes -out private_key
changed to (added -passin pass at the end)

openssl pkcs12 -in privateKey.p12 -nocerts -nodes -out private_key -passin pass:my_pass

curl -H "Content-type: application/x-www-form-urlencoded" -X POST "$4/v1/oauth2/token" -d \
"grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=$jwt3.$jwt5" ; echo

changed to (added -k parameter to accept self signed certs?)

curl -k -H "Content-type: application/x-www-form-urlencoded" -X POST "$4/v1/oauth2/token" -d \
"grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=$jwt3.$jwt5" ; echo

Have you tried the apex quick start at ? Does that work for you ?
Lajos Kelemen from TampereLajos Kelemen from Tampere
Yes I went through successfully all the steps before the "Generate a JWT token".
Lajos Kelemen from TampereLajos Kelemen from Tampere
Yes I went through successfully all the steps before the "Generate a JWT token" i.e. I got the frog picture.
Ok. Have you tried generating a token or verifying your token at ? To generate a token, you'll need your privateKey.p12 file.
To validate your token, you'll need you public key from your certificate.
Lajos Kelemen from TampereLajos Kelemen from Tampere
I didn't try The script supposed to create the JWT and it doesn't work for me. 
We'll investigate why the script isnt working on win10.
In the meanwhile, JWT tokens can be generated with a private key in many different ways. Here is an example of how to generate it in Java. Also, is a convenient way to generate a token for testing. The script is just one example of how to generate a access token.
Hope this helps.
Lajos Kelemen from TampereLajos Kelemen from Tampere

I wentto but it is not clear to me how to generate a JWT there.

The other method using java seems to be even more difficult. I am not interested in generating JWT. I am interested in using the predictive vision service

I've updated the visualforce example on The visualforce page now generates an access token for you.
Lajos Kelemen from TampereLajos Kelemen from Tampere
I replaced the code with the new one in the visualforce page and in the apex class but I don't get any access token. Where should I see it?
Lajos Kelemen from TampereLajos Kelemen from Tampere
I executed the getAccessToken() in an anonymus window and it returns null.
public class VisionController {

    public String getAccessToken() {
        JWT jwt = new JWT('RS256');
        jwt.cert = 'lkelemen_SF_devcert';
        jwt.iss = '';
        jwt.sub = '';
        jwt.aud = '';
        jwt.exp = '3600';
        String access_token = JWTBearerFlow.getAccessToken('', jwt);
        System.debug('access token='+access_token);
        return access_token; 

the log shows
15:11:51:365 USER_DEBUG [11]|DEBUG|access token=null
We're debugging this. We should have an update soon. Really appreciate your patience.
Lajos Kelemen from TampereLajos Kelemen from Tampere

Is there any progress/solution?
Arpit BajpaiArpit Bajpai

Stuck in the same problem,
Is there any progress or help link to Develop things on Salesforce Einstein, or prediction services?
ashwin kumar 2ashwin kumar 2


I'm facing similar issue in generating token. I'm using The error is 'Public Key not found'


shalmali@shalmali-VirtualBox:~/api-utils$ ./ /home/shalmali/Downloads/00D61000000KDSk.jks "" 10800
Enter destination keystore password:  
Enter source keystore password:  
Existing entry alias certforeinstein exists, overwrite? [no]:  yes
Entry for alias certforeinstein successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing privateKey.p12]
Enter Import Password:
MAC verified OK
Error outputting keys and certificates
3074291388:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
3074291388:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
3074291388:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:

private key:



unable to load key file
3073681084:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY

Generated Assertion:


Your access token response:

{"message":"Public key not found"}

Michael Machado 22Michael Machado 22
Are you running on Win10 too?
Michael Machado 22Michael Machado 22
@ashwin Also, it looks like you are getting a slightly different error... please let me know if you are using the password you created when you downloaded your certificate from
Mao ElvisMao Elvis
Stuck in the same problem.
I get an error message like below when generated an OAuth token with cURL.
"Invalid JWT assertion"
any progress?
Michael Machado 22Michael Machado 22
Hi Mao- Happy to help. Did you set your account recently? We have updated our JWT generation process and it should have been enabled for windows users now.  
Alexandre Lachmann 21Alexandre Lachmann 21
I have same issue "Invalid JWT assertion" related to Quick Start: Predictive Vision Service badge
What is the solution ?
Alexandre Lachmann 21Alexandre Lachmann 21
16:39:22.0 (207556185)|CALLOUT_REQUEST|[13]|System.HttpRequest[Endpoint=, Method=POST] 16:39:22.0 (656150643)|HEAP_ALLOCATE|[EXTERNAL]|Bytes:214 16:39:22.0 (656236046)|CALLOUT_RESPONSE|[13]|System.HttpResponse[Status=Forbidden, StatusCode=403]
Alex EdelsteinAlex Edelstein
Also on Win10, also stuck here.

I'd like to add that the current demo at starts out very clear but gets very confusing when you start talking about jwt.sub in step 12 of "Create the Apex Classes". 

You instruct me to "update jwt.sub", but don't tell me what to do with jwt.sub after that. Should it also be saved as a discrete APEX class? If you click preview at the point you suggest, you get the frog but not the text under the frog, which I suspect is because I haven't updated my jwt.sub and haven't generated a token. There's no error message to indicate that anything is wrong...

Alex EdelsteinAlex Edelstein
Ok, I got it to work. I suggest you add this phrase to the beginning of step 12: "Inside the VisionController, ". I also suggest you rephrase "Use your email address that’s contained in the Salesforce org " to "Use your email address (NOT your user id) that’s contained in the Salesforce org " because the email addresses in userID are much more commonly used.
Muzammil BajariaMuzammil Bajaria 
I am referring to this link and using curl. When I paste the command in cmd to create datasets, getting error as "Invalid Access Token". Please help.
@jeronimoburgers ☁@jeronimoburgers ☁
Thanks @Alex for the terrific answer. How simple it is to overlook -- even though Trailhead seems perfectly clear, it's too easy to overlook.  Use your email address that’s contained in the Salesforce org you logged in to when you created an account... Your addition is valuable. 
Rohit RadhakrishnanRohit Radhakrishnan
Incase this is not yet resolved. Please have a look at this blog on authenticating using JWT.