Salesforce is blocking my cypress automation

[pratheshvasan]

It is sometime asking for MFA or shows blank page after clicking login or says we cant send you a verification code

[pratheshvasan]

This is my config code
import { defineConfig } from "cypress";

export default defineConfig({
e2e: {
baseUrl: "applicationurl",
defaultCommandTimeout: 30000,
pageLoadTimeout: 120000,
specPattern: "cypress/e2e/**/*.cy.ts",
supportFile: "cypress/support/e2e.ts",
experimentalModifyObstructiveThirdPartyCode: true,
injectDocumentDomain: true,
},
});

[pratheshvasan]

Is it possible to bypass MFA ?

[MikeMcC399]

If you don't receive any feedback here, you may be able to connect to testers using Salesforce if you go to the Cypress technical community on Discord.

[qa-ashutosh]

Hi @pratheshvasan

This is a very common pain point with Salesforce automation. The root cause is that Salesforce's bot detection treats Cypress's headless browser as a suspicious login attempt, which triggers MFA, verification codes, or a blank page. You can't reliably "handle" this through the UI, the right solution is to bypass the login UI entirely.

The proper approach for Salesforce + Cypress automation is to use the SOAP API to get a session ID, then log in through frontdoor.jsp instead of the login form. This skips MFA completely because you're not going through the interactive login flow.

Step 1 — Create a custom login command in cypress/support/commands.ts:

Cypress.Commands.add('salesforceLogin', () => {
  const username = Cypress.env('SF_USERNAME')
  const password = Cypress.env('SF_PASSWORD')
  const loginUrl = Cypress.env('SF_LOGIN_URL') // e.g. https://test.salesforce.com

  const soapBody = `<?xml version="1.0" encoding="utf-8" ?>
    <env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Body>
        <n1:login xmlns:n1="urn:partner.soap.sforce.com">
          <n1:username>${username}</n1:username>
          <n1:password>${password}</n1:password>
        </n1:login>
      </env:Body>
    </env:Envelope>`

  cy.request({
    method: 'POST',
    url: `${loginUrl}/services/Soap/u/57.0`,
    headers: {
      SOAPAction: 'login',
      'Content-Type': 'text/xml',
    },
    body: soapBody,
  }).then((response) => {
    const sessionId = Cypress.$(response.body).find('sessionId').text()
    const instanceUrl = Cypress.$(response.body).find('serverUrl').text().split('/services')[0]
    cy.visit(`${instanceUrl}/secur/frontdoor.jsp?sid=${sessionId}`)
  })
})

Step 2 — Add your credentials to cypress.env.json:

{
  "SF_USERNAME": "your-test-user@example.com",
  "SF_PASSWORD": "yourpassword",
  "SF_LOGIN_URL": "https://test.salesforce.com"
}

Step 3 — Use it in your tests:

beforeEach(() => {
  cy.salesforceLogin()
})

One important thing — make sure your test user has the "Waive Multi-Factor Authentication for Exempt Users" permission set assigned in Salesforce Setup. Without this, even the SOAP login can get blocked. You do this via Setup → Permission Sets → New → System Permissions → enable "Waive MFA for Exempt Users" → assign to your test user.

Also add this to your cypress.config.ts if you haven't already — it helps with Salesforce's Lightning iframe behaviour:

experimentalModifyObstructiveThirdPartyCode: true,

You already have that in your config which is good. The blank page issue you're seeing is usually caused by the login session not being fully established before Cypress navigates — the frontdoor.jsp approach fixes that too since the session is already active when the page loads.