When setting up a new machine, one of the most common pain points for Salesforce developers and architects is migrating authenticated orgs. You don’t want to re-authenticate every org manually—especially if you have dozens of sandboxes, DevHubs, and production environments already linked in your CLI.
In this post, I’ll show you a secure and reliable way to move authenticated orgs from one MacBook to another using Salesforce CLI, without relying on third-party apps or random GitHub repositories. This approach keeps your org credentials in your control, avoids unnecessary exposure, and works seamlessly with the latest CLI (sf) or the legacy sfdx command.
Problem
Salesforce CLI stores authenticated org credentials locally. When you switch machines, these don’t automatically carry over.
The challenge is:
- You want to migrate all orgs (aliases, DevHubs, sandboxes, production, etc.) to your new laptop.
- You need a repeatable, secure method that avoids copy-pasting secrets into GitHub or relying on scripts from unverified sources.
Solution
The solution is to export authentication URLs from the old laptop and then import them into the new one. Salesforce CLI provides an sfdxAuthUrl string that encodes your login session. By storing these in local files, you can move them safely to your new machine.
Step 1: Export Authenticated Orgs from Old MacBook
On your old laptop, run this script to extract all non-scratch orgs and save their sfdxAuthUrl values into individual files:
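#!/bin/bash
# Auth URLs are credentials: create files readable only by the current user
umask 077
# Path to the org list JSON
ORG_LIST=~/org_list.json
EXPORT_DIR=~/sfdx_auth_export
mkdir -p "$EXPORT_DIR"
# Write the list of authenticated orgs to the JSON file
sf org list --json > "$ORG_LIST"
# Extract aliases from the JSON (assumes non-scratch orgs); orgs without an alias are skipped
aliases=$(jq -r '.result.nonScratchOrgs[].alias // empty' "$ORG_LIST")
for alias in $aliases; do
    if [ -n "$alias" ]; then
        # Get the SFDX Auth URL ("// empty" yields an empty string instead of "null" on failure)
        auth_url=$(sf org display --target-org "$alias" --verbose --json | jq -r '.result.sfdxAuthUrl // empty')
        if [ -n "$auth_url" ]; then
            # Save to file named after the alias
            echo "$auth_url" > "$EXPORT_DIR/${alias}.sfdxurl"
            echo "Exported $alias"
        else
            echo "Failed to export $alias"
        fi
    fi
done
echo "Export complete. Files are in $EXPORT_DIR"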
Step 2: Copy Exported Files to New MacBook
Transfer the folder ~/sfdx_auth_export to your new MacBook using AirDrop, USB drive, or a secure file transfer method.
Important: Do not upload these files to GitHub, cloud drives, or email. Treat them like passwords.
Step 3: Import Orgs into New MacBook
On your new machine, run the following script to import each .sfdxurl file back into Salesforce CLI.
#!/bin/bash
EXPORT_DIR=~/sfdx_auth_export
for file in "$EXPORT_DIR"/*.sfdxurl; do
    if [ -f "$file" ]; then
        alias=$(basename "$file" .sfdxurl)
        # Import the URL with alias; report success only if the login succeeded
        if sf org login sfdx-url --sfdx-url-file "$file" --alias "$alias"; then
            echo "Imported $alias"
        else
            echo "Failed to import $alias"
        fi
    fi
done
echo "Import complete. Run 'sf org list' to verify."
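Before the export folder leaves the old machine in Step 2, it helps to confirm that every .sfdxurl file is readable by its owner only and really contains an auth URL rather than an empty or "null" result from a failed export. The script below is an added example, not part of the original post; the function names are this example's own, and the shape check assumes the documented auth URL forms force://<token>@<host> and force://<id>:<secret>:<token>@<host>.

```shell
#!/bin/bash
# Added example: audit a folder of .sfdxurl files before it leaves the machine.
# Reports file names only; the auth URLs themselves are never printed.

# True if the path grants no permissions to group or other.
is_private() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# True if the file is exactly one line shaped like an auth URL:
# force://<token>@<host> or force://<id>:<secret>:<token>@<host>
is_auth_url_file() {
    [ "$(grep -c '' "$1")" -eq 1 ] &&
        grep -Eq '^force://([^:@[:space:]]+:[^:@[:space:]]*:)?[^:@[:space:]]+@[^@[:space:]]+$' "$1"
}

# Prints one WARN line per problem; returns non-zero if any were found.
audit_export_dir() {
    local dir="$1" problems=0 f
    if ! is_private "$dir"; then
        echo "WARN $dir: folder open to group/other (fix: chmod 700)"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*.sfdxurl; do
        [ -f "$f" ] || continue
        if ! is_private "$f"; then
            echo "WARN ${f##*/}: readable beyond owner (fix: chmod 600)"
            problems=$((problems + 1))
        fi
        if ! is_auth_url_file "$f"; then
            echo "WARN ${f##*/}: not a single force://...@host line (failed export?)"
            problems=$((problems + 1))
        fi
    done
    echo "$problems problem(s) found in $dir"
    [ "$problems" -eq 0 ]
}

# Usage: ./audit_export.sh ~/sfdx_auth_export
if [ $# -gt 0 ]; then
    audit_export_dir "$1"
fi
```

Once `sf org list` on the new machine shows the imported orgs, delete the export folder from both machines and from whatever medium carried it.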
Why This Method Is Secure
- Local Only: Everything stays on your machine. No credentials are pushed to third-party repos or cloud storage.
- No Hardcoding: Auth URLs are pulled directly from the CLI instead of being manually copied or typed.
- Repeatable: Works across machines, across orgs, and for both sf (new CLI) and sfdx (legacy CLI).
For teams, this approach also prevents risky practices like checking authentication files into version control.
Have you tried this method in your environment? Do you use sf CLI or still on sfdx? Share your experience in the comments below. And if you found this helpful, subscribe to my blog for more hands-on Salesforce CLI and architecture tips.