At SharinPix, we work with what people can see: images, annotations, field photos, visual proof, and business context inside Salesforce.
But behind every visible feature, there are things users do not see: access tokens, passwords, SFDX Auth URLs, CI/CD scripts, logs, and automation. These hidden parts matter too.
Salesforce is updating the Salesforce CLI to better protect sensitive information. Starting on May 27, 2026, sensitive values such as access tokens, passwords, and SFDX Auth URLs will be removed from normal Salesforce CLI outputs, including --json outputs. Developers will need to use dedicated commands when they really need to retrieve these values.
Why Developers Should Care
Some scripts or CI/CD pipelines may currently read secrets from commands like:
sf org display --json
or:
sf org list auth --json
After the update, these values will no longer be returned. So, a script that works today may fail later.
The reason for the change is simple: secrets should not be printed by accident. A token can easily end up in a build log, ticket, screenshot, chat message, or AI assistant history. Salesforce also mentions that this change is linked to reducing credential exposure in automated and AI-assisted development environments.
Who Should Check This?
This is mainly important for:
- Salesforce developers
- DevOps engineers
- Release managers
- Teams using CI/CD
- Anyone using Salesforce CLI in scripts or automation
Even if the application code does not change, deployment scripts may be affected.
What May Be Affected?
Developers should review scripts using commands such as:
- sf org display --json
- sf org list --json
- sf org create scratch --json
- sf org resume scratch --json
- sf org display user --json
- sf org list users --json
- sf org login jwt --json
- sf org login web --json
- sf org login sfdx-url --json
- sf org login access-token --json
- sf org list auth --json
Salesforce lists these commands as impacted by the removal of sensitive values from standard outputs.
What Should Developers Do?
Developers should search their scripts and pipelines for values like:
- accessToken
- sfdxAuthUrl
- password
If a script depends on these values from normal CLI output, it should be updated.
Instead of getting an access token from:
sf org display --json
use the new explicit command:
sf org auth show-access-token --target-org <ORG_ALIAS_OR_USERNAME> --json
For CI/CD or non-interactive usage, use:
sf org auth show-access-token --target-org <ORG_ALIAS_OR_USERNAME> --json --no-prompt
Example:
sf org auth show-access-token --target-org my-sandbox --json --no-prompt
Salesforce says the new credential commands are interactive by default, and that --json or --no-prompt should be used for non-interactive environments such as CI/CD.
How to Test Now
Developers can already test the new behaviour using Salesforce CLI version 2.136.8 or later, or by installing the latest release candidate.
Install the latest release candidate:
npm install -g @salesforce/cli@latest-rc
Salesforce documents latest-rc as the npm tag for the Salesforce CLI release candidate.
Then check the installed CLI version:
sf --version
You should be on @salesforce/cli@2.136.8 or later. Salesforce CLI releases show version 2.136.8 and later versions already available for testing.
Now test a command where secrets may be hidden:
sf org display --target-org <ORG_ALIAS_OR_USERNAME> --json
Then test the new explicit command:
sf org auth show-access-token --target-org <ORG_ALIAS_OR_USERNAME> --json --no-prompt
Example:
sf org auth show-access-token --target-org my-sandbox --json --no-prompt
This helps developers know early if their scripts need to be updated.
Temporary Workaround
Salesforce provides a temporary workaround:
SF_TEMP_SHOW_SECRETS=true
This can help if a pipeline breaks urgently.
However, this should only be treated as a short-term fix. Salesforce says this workaround will be removed in Summer 2026, so teams should update their scripts to use the new explicit commands instead.
Simple Checklist for Developers
Before this impacts delivery, developers should:
- Search scripts and pipelines for sf org display --json
- Search for accessToken, sfdxAuthUrl, and password
- Replace old secret extraction with the new explicit commands
- Test with @salesforce/cli@2.136.8 or later
- Avoid printing secrets in logs
- Mask sensitive variables in CI/CD tools
- Avoid sharing raw CLI outputs in tickets, chats, or screenshots
- Review what commands AI coding assistants are allowed to run
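The first two checklist items, plus a check for the temporary workaround, can be automated. The script below is an added example, not code from Salesforce or SharinPix: it flags files that call an impacted command with --json and also reference a secret field. The command and field names come from this article; the sample repository and its file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Salesforce or SharinPix code): audit a repo for scripts
# that will break when secrets leave standard Salesforce CLI output.
# Command and field names come from the article; paths are constructed.

# Impacted commands from the list above, as an extended regex.
SF_CMD='sf[[:space:]]+org[[:space:]]+(display([[:space:]]+user)?|list([[:space:]]+(auth|users))?|(create|resume)[[:space:]]+scratch|login[[:space:]]+(jwt|web|sfdx-url|access-token))'
# Same command, followed only by flags, one of which is --json.
SF_JSON="${SF_CMD}[[:space:]]+(-[^|;&]*[[:space:]])?--json"
SF_FIELDS='accessToken|sfdxAuthUrl|password'

# List files that call an impacted command with --json AND reference a
# secret field anywhere in the file (the jq filter may be on another line).
files_reading_secrets() {
  grep -rlE -- "$SF_JSON" "$1" 2>/dev/null | while IFS= read -r f; do
    if grep -qE -- "$SF_FIELDS" "$f"; then printf '%s\n' "$f"; fi
  done
}

# List files that still rely on the temporary workaround variable.
files_using_workaround() {
  grep -rlF -- 'SF_TEMP_SHOW_SECRETS' "$1" 2>/dev/null
}

# Build a constructed sample repo so the audit can be run offline.
make_sample_repo() {
  d=$(mktemp -d) || return 1
  cat > "$d/deploy.sh" <<'EOF'
TOKEN=$(sf org display --target-org ci --json | jq -r '.result.accessToken')
EOF
  cat > "$d/list.sh" <<'EOF'
sf org list --json > orgs.json
EOF
  cat > "$d/fixed.sh" <<'EOF'
sf org auth show-access-token --target-org ci --json --no-prompt > /dev/null
EOF
  cat > "$d/pipeline.yml" <<'EOF'
env:
  SF_TEMP_SHOW_SECRETS: "true"
EOF
  printf '%s\n' "$d"
}

repo=$(make_sample_repo)
echo "Scripts to migrate:";   files_reading_secrets "$repo"
echo "Workaround still set:"; files_using_workaround "$repo"
rm -rf "$repo"
```

Matching is line-based and the word password is common, so treat the output as a review list rather than a definitive verdict.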
Why the CLI Update Matters to SharinPix
At SharinPix, we care about the visible experience customers use every day: images, annotations, visual proof, and Salesforce context.
But we also care about the hidden technical foundation that keeps this experience safe.
This Salesforce CLI update is a good reminder that security is not only about application code. It is also about scripts, logs, tools, automation, and developer habits.
The SharinPix Message to Developers
Developers should test early and update their scripts before the change causes issues.
This is not only about avoiding broken pipelines. It is also about avoiding accidental exposure of sensitive information.
Because protecting what users do not see is also part of protecting their trust.
References
Official Salesforce CLI Release Notes: Salesforce CLI Release Notes – GitHub
