Securely migrate your CLI-authenticated Salesforce orgs without re-authenticating every sandbox, DevHub, and production environment.
This article has been refreshed with the latest Salesforce CLI information. Note: The legacy sfdx commands are now deprecated; use sf commands instead. Originally published September 2024.
sfdxAuthUrl from each org using sf org display --verbose, transfer the files securely, then import using sf org login sfdx-url.
When setting up a new machine, one of the most common pain points for Salesforce developers and architects is migrating authenticated orgs. You don't want to re-authenticate every org manually—especially if you have dozens of sandboxes, DevHubs, and production environments already linked in your CLI.
Salesforce CLI stores authenticated org credentials locally. When you switch machines, these don't automatically carry over.
The challenge is:
The solution is to export authentication URLs from the old laptop and then import them into the new one. Salesforce CLI provides an sfdxAuthUrl string that encodes your login session. By storing these in local files, you can move them safely to your new machine.
sfdx commands are deprecated. This guide uses the current sf CLI commands, which are the officially supported version. The old sfdx commands still work but should be migrated to sf equivalents.
On your old laptop, run this script to extract all non-scratch orgs and save their sfdxAuthUrl values into individual files:
#!/bin/bash
# Create export directory
EXPORT_DIR=~/sfdx_auth_export
mkdir -p "$EXPORT_DIR"
# First, generate the org list
sf org list --json > ~/org_list.json
# Extract aliases from the JSON (non-scratch orgs)
aliases=$(jq -r '.result.nonScratchOrgs[].alias // empty' ~/org_list.json)
for alias in $aliases; do
if [ -n "$alias" ]; then
# Get the SFDX Auth URL
auth_url=$(sf org display --target-org "$alias" --verbose --json | jq -r '.result.sfdxAuthUrl // empty')
if [ -n "$auth_url" ]; then
# Save to file named after the alias
echo "$auth_url" > "$EXPORT_DIR/${alias}.sfdxurl"
echo "Exported $alias"
else
echo "Failed to export $alias (no auth URL - may be JWT authenticated)"
fi
fi
done
echo "Export complete. Files are in $EXPORT_DIR"sfdxAuthUrl is only available for orgs authenticated with the web server flow (browser login). Orgs authenticated with JWT bearer flow will not have an auth URL in the output.
Transfer the folder ~/sfdx_auth_export to your new MacBook using one of these secure methods:
Direct transfer between Macs - fast and secure
Physical transfer - no network exposure
Create a password-protected zip for any transfer method
On your new machine, run the following script to import each .sfdxurl file back into Salesforce CLI:
#!/bin/bash
EXPORT_DIR=~/sfdx_auth_export
for file in "$EXPORT_DIR"/*.sfdxurl; do
if [ -f "$file" ]; then
alias=$(basename "$file" .sfdxurl)
# Import the URL with alias
sf org login sfdx-url --sfdx-url-file "$file" --alias "$alias"
echo "Imported $alias"
fi
done
echo "Import complete. Run 'sf org list' to verify."After running the script, verify your orgs are available:
# List all authenticated orgs
sf org list
# Test connection to a specific org
sf org display --target-org your-aliassf (current CLI) and legacy sfdx commands.For teams, this approach also prevents risky practices like checking authentication files into version control.
.sfdxurl files from both machines. You can always re-export them if needed.
sf org display --target-org <alias> --verbose --json to get the sfdxAuthUrl, then save it to a file. This URL contains encrypted credentials that can be imported on another machine using sf org login sfdx-url.sf CLI commands. The commands in this guide use the current sf syntax.~/.sf (new CLI) or ~/.sfdx (legacy) directories.force://<clientId>:<clientSecret>:<refreshToken>@<instanceUrl>. It contains all the data needed to re-establish an authenticated session.Continue your Salesforce CLI and DevOps learning journey with these related guides:
Reference guide for technical terms and abbreviations used in this article.
