If you parse sf org display or any --json login output inside your pipelines, this week’s Salesforce CLI release (2.136.8, May 27) is the one you actually need to read.
Salesforce has stopped printing sensitive credentials — access tokens, SFDX Auth URLs, user passwords — in the standard output of a list of commands you’ve probably been scraping for years. Among them: org display, org list --json, org create scratch --json, org resume scratch --json, org display user, org list users --json, org list auth --json, and every org login variant (jwt, web, sfdx-url, access-token) when run with --json.
It’s a good change. Tokens flying through CI logs have caused real incidents, and anyone with read access to your build output was effectively holding a key to your org. But a lot of us wired this stuff in years ago and stopped thinking about it, so the cost is that we now have to go find every place that quietly depends on the old output.
A few things worth knowing.
There’s a temporary escape hatch: set SF_TEMP_SHOW_SECRETS=true and the old behaviour comes back. Salesforce has already said it’s going away “in the near future,” so don’t lean on it.
If you genuinely need the credential, there are three new commands to ask for it explicitly:
sf org auth show-access-tokensf org auth show-sfdx-auth-urlsf org auth show-user-password
Switch your pipelines to call those instead of grepping output. While you’re in there, it’s worth asking why you needed the raw token in the first place. Often the honest answer is “we don’t, we’ve just always done it that way.”
If you’re on Agentforce DX, the same release also adds a live search filter for agent traces inside the VS Code extension, and a History tab so you can pick up a past preview conversation where you left off. Small wins, but they actually save time once you start using them.
My advice: don’t wait for prod to break. Grep your pipelines this week, see what calls org display or a JSON login, and migrate now while the env-var fallback still works.
Full release notes: https://github.com/forcedotcom/cli/blob/main/releasenotes/README.md