Summary
sf org create scratch fails with RemoteOrgSignupFailed (error C-1016) when the Dev Hub is authenticated using an External Client App via sf org login jwt. The same command succeeds when authenticated via sf org login web (PlatformCLI).
Since Spring '26, Salesforce disabled creation of traditional Connected Apps by default — only External Client Apps can be created via the UI. This means the documented CI/CD path (sf org login jwt with an External Client App → sf org create scratch) is broken for any org that doesn't have the legacy Connected App org perm enabled by Support.
Steps To Reproduce
- Use any SFDX project (e.g., fork dreamhouse-lwc) with a minimal scratch org definition:
    {
      "orgName": "Test Scratch Org",
      "edition": "developer",
      "features": ["EnableSetPasswordInApi"],
      "settings": {
        "lightningExperienceSettings": {
          "enableS1DesktopEnabled": true
        }
      }
    }
- In your Dev Hub org, create an External Client App following the official docs (Create an External Client App in Your Org):
  - Enable OAuth (scopes: api, web, refresh_token/offline_access)
  - Enable JWT Bearer Flow
  - Upload a self-signed certificate (RSA 2048-bit)
  - Callback URL: http://localhost:1717/OauthRedirect
  - Permitted Users: "Admin approved users are pre-authorized"
  - Assign System Administrator profile
- Authenticate to the Dev Hub (succeeds):
    sf org login jwt \
      --client-id <CONSUMER_KEY> \
      --jwt-key-file server.key \
      --username <USERNAME> \
      --instance-url https://<MYDOMAIN>.my.salesforce.com \
      --alias DevHub --set-default-dev-hub
- Create a scratch org (fails):
    sf org create scratch \
      --definition-file config/project-scratch-def.json \
      --duration-days 1 --target-dev-hub DevHub
Expected result
Scratch org is created successfully, as it does when the same Dev Hub is authenticated via sf org login web (PlatformCLI).
Actual result
{
  "name": "RemoteOrgSignupFailed",
  "message": "We encountered a problem while attempting to configure and approve the Connected App for your org. Verify the Connected App configuration with your Salesforce admin.",
  "actions": [
    "See https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_scratch_orgs_error_codes.htm for information on error code C-1016."
  ],
  "data": {
    "username": "demian@orangedcx.com",
    "orgId": "00Dal00001NnHKbEAN",
    "scratchOrgInfoId": "2SRVz0000005UjqOAE"
  },
  "code": "RemoteOrgSignupFailed"
}
Additional information
- The JWT authentication step itself succeeds — only scratch org creation fails
- The same Dev Hub + same scratch org definition works perfectly when authenticated via sf org login web (PlatformCLI)
- Tested on both macOS (local) and Ubuntu (GitHub Actions) — same error on both
- The scratch org signup process internally tries to replicate/authorize the Connected App into the new scratch org, and this step fails when the auth was done via an External Client App
- Since Spring '26, the Salesforce docs state: "Creating connected apps is now disabled by default, because connected apps are being deprecated." (ref). This means the only documented CI/CD auth path for new orgs (External Client App + JWT) doesn't work with scratch org creation
- Our workaround is using sf org login sfdx-url with a stored auth URL from sf org login web, but this has refresh token durability concerns and is not the documented CI approach
- Salesforce Support Case also open for this org
Shell: zsh (macOS Terminal)
System Information
{
  "architecture": "darwin-arm64",
  "cliVersion": "@salesforce/cli/2.125.2",
  "nodeVersion": "node-v22.22.0",
  "osVersion": "Darwin 25.3.0",
  "rootPath": "/opt/homebrew/Cellar/sf/2.125.2/libexec/lib/node_modules/@salesforce/cli",
  "shell": "zsh",
  "pluginVersions": [
    "@oclif/plugin-autocomplete 3.2.40 (core)",
    "@oclif/plugin-commands 4.1.40 (core)",
    "@oclif/plugin-help 6.2.37 (core)",
    "@oclif/plugin-not-found 3.2.74 (core)",
    "@oclif/plugin-plugins 5.4.56 (core)",
    "@oclif/plugin-search 1.2.38 (core)",
    "@oclif/plugin-update 4.7.19 (core)",
    "@oclif/plugin-version 2.2.36 (core)",
    "@oclif/plugin-warn-if-update-available 3.1.55 (core)",
    "@oclif/plugin-which 3.2.43 (core)",
    "@salesforce/cli 2.125.2 (core)",
    "agent 1.30.6 (core)",
    "apex 3.9.10 (core)",
    "api 1.3.10 (core)",
    "auth 4.1.6 (core)",
    "data 4.0.73 (core)",
    "deploy-retrieve 3.24.11 (core)",
    "info 3.4.105 (core)",
    "limits 3.3.78 (core)",
    "marketplace 1.3.10 (core)",
    "org 5.9.69 (core)",
    "packaging 2.25.5 (core)",
    "schema 3.3.94 (core)",
    "settings 2.4.57 (core)",
    "sobject 1.4.84 (core)",
    "telemetry 3.8.0 (core)",
    "templates 56.9.3 (core)",
    "trust 3.7.114 (core)",
    "user 3.6.52 (core)"
  ]
}
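A CI-side triage of the error object shown under "Actual result", as an added example that is not part of the original report or of the Salesforce CLI. The function names, the returned fields and the sample identifiers are assumptions made for illustration, and it handles only the error shape shown on this page.

```javascript
// Added example: triage for a failed `sf org create scratch` run in CI.
// Input is the error object shape from "Actual result"; function names and
// returned fields are hypothetical, not part of the Salesforce CLI.

// Constructed sample: same fields as the report, identifiers are placeholders.
const SAMPLE_ERROR = JSON.stringify({
  name: 'RemoteOrgSignupFailed',
  message: 'We encountered a problem while attempting to configure and approve the Connected App for your org. Verify the Connected App configuration with your Salesforce admin.',
  actions: ['See https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_scratch_orgs_error_codes.htm for information on error code C-1016.'],
  data: { username: 'ci-user@example.invalid', orgId: '00D000000000000AAA', scratchOrgInfoId: '2SR000000000000AAA' },
  code: 'RemoteOrgSignupFailed',
});

// Pull a signup error code such as "C-1016" out of the actions or the message.
function extractSignupCode(err) {
  const actions = Array.isArray(err.actions) ? err.actions : [];
  const text = [...actions, err.message || ''].join(' ');
  const m = text.match(/\b[A-Z]-\d{4}\b/);
  return m ? m[0] : null;
}

// Classify the failure so the pipeline stops with a precise reason instead of
// retrying or silently switching to a different login method.
function triageScratchFailure(rawJson) {
  let err;
  try { err = JSON.parse(rawJson); } catch { return { kind: 'unparseable' }; }
  if (err === null || typeof err !== 'object') return { kind: 'unparseable' };
  const code = extractSignupCode(err);
  const data = err.data || {};
  // Keep the record id needed for a support case; keep the username out of logs.
  const logSafe = {
    name: err.name,
    code,
    scratchOrgInfoId: data.scratchOrgInfoId,
    username: data.username ? '<redacted>' : undefined,
  };
  if (err.name === 'RemoteOrgSignupFailed' && code === 'C-1016') {
    // Assumption: treated as non-retryable, since the report saw the same
    // error on both macOS and GitHub Actions.
    return { kind: 'connected-app-approval', retryable: false, logSafe,
      hint: 'Dev Hub login succeeded but app approval in the new org failed; check how the Dev Hub was authenticated.' };
  }
  return { kind: 'other', logSafe };
}
```
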