The Code and Credentials Flow is the foundation of headless login, registration,
passwordless login, and guest user identity. Before setting up these features, enable the Code and
Credentials Flow at an org-wide level and configure these required settings and access policies
for your external client app.
Required Editions
Available in: Lightning Experience
Available in: Professional, Performance, Unlimited, and Developer Editions

User Permissions Needed
To configure an External Client App for OAuth 2.0 Code and Credentials Flows: Create, edit, and delete External Client Apps
1. To access the Code and Credentials Flow settings, allow external client apps to access the flow.
   Note: By default, the Code and Credentials Flow is blocked for all external client apps.
   a. From Setup, in the Quick Find box, enter OAuth, and then select OAuth and OpenID Connect Settings.
   b. Turn on Allow Authorization Code and Credentials Flows.
2. Set up the basic OAuth settings for the app, including these settings.
   - Enable OAuth.
   - Enter a callback URL.
   - Assign scopes to the app.
3. Configure these specific settings for the Authorization Code and Credentials Flow.
   a. (Optional) To require the Proof Key for Code Exchange (PKCE) extension for your flow, select Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows.
      With this setting selected, you must implement PKCE when you build your flow. We strongly recommend PKCE for public clients, because these apps can’t use the consumer secret to protect the code exchange. We also recommend it for private clients, but it’s less critical.
   b. Select Enable Authorization Code and Credentials Flow.
   c. (Optional) To require your third-party client app to send the user’s credentials in the body of HTTP POST requests to the authorization endpoint, select Require user credentials in the POST body for Authorization Code and Credentials Flow.
      With this setting enabled, you can’t use the GET method for the authorization request, and you can’t include user credentials in a Basic authorization header.
   d. If you’re using a client backend to implement this flow for a private client, select Require Secret For Web Server Flow and Require Secret for Refresh Token Flow. Ensure that your client back end can keep the consumer secret secure.
   e. If you’re using this flow for a public client, deselect Require Secret For Web Server Flow and Require Secret for Refresh Token Flow to avoid exposing the consumer secret to the browser.
4. Save your settings.
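The following Python sketch is an added example, not code from this article or from Salesforce, showing the client-side requests that the settings above govern: a PKCE verifier/challenge pair (RFC 7636, S256), the server-side check that makes PKCE protect the code exchange, the POST to the authorization endpoint with the user's credentials either in the POST body (what the "Require user credentials in the POST body" setting mandates) or in a Basic header, and the token request with or without the consumer secret (the "Require Secret" settings). It builds requests offline and sends nothing. The endpoint paths `/services/oauth2/authorize` and `/services/oauth2/token`, the `response_type=code_credentials` value and the `username`/`password` field names are assumptions drawn from Salesforce's public OAuth documentation rather than from this article; the domain, consumer key, secret and user credentials are placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

# Assumed endpoint paths (from Salesforce's public OAuth docs, not this article).
AUTHORIZE_PATH = "/services/oauth2/authorize"
TOKEN_PATH = "/services/oauth2/token"


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method.

    A fresh verifier is 32 random bytes -> 43 URL-safe characters, inside the
    43..128 length range RFC 7636 allows. The challenge is sent with the
    authorization request; the verifier is kept on the client until token time.
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """The check an authorization server performs at the token endpoint.

    Whoever presents the authorization code must also present the verifier
    that hashes to the challenge bound to that code, so a stolen code alone
    cannot be redeemed. This is why PKCE matters most for public clients,
    which have no consumer secret to protect the exchange.
    """
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorize_request(base_url: str, client_id: str, redirect_uri: str,
                            username: str, password: str, code_challenge: str,
                            credentials_in_body: bool = True) -> dict:
    """Build the POST to the authorization endpoint for the Code and Credentials Flow.

    With 'Require user credentials in the POST body' enabled on the app, only the
    credentials_in_body=True shape is accepted; GET requests and a Basic header are rejected.
    """
    body = {
        "response_type": "code_credentials",  # assumed value, see lead-in
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,     # S256 hash of the verifier
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if credentials_in_body:
        body["username"] = username           # assumed field names, see lead-in
        body["password"] = password
    else:
        basic = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {basic}"
    return {"method": "POST", "url": base_url + AUTHORIZE_PATH,
            "headers": headers, "body": urlencode(body)}


def build_token_request(base_url: str, client_id: str, code: str, redirect_uri: str,
                        code_verifier: str, client_secret: Optional[str] = None) -> dict:
    """Exchange the code for tokens.

    A private client running on a back end passes the consumer secret (the
    'Require Secret' settings are on). A public client in a browser must not hold
    the secret at all, so it relies on the PKCE verifier alone.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return {"method": "POST", "url": base_url + TOKEN_PATH,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}


if __name__ == "__main__":
    # Placeholder values; nothing is sent over the network.
    base = "https://example.my.site.com"
    verifier, challenge = make_pkce_pair()
    auth = build_authorize_request(base, "CONSUMER_KEY", "https://app.example/cb",
                                   "user@example.com", "PLACEHOLDER_PW", challenge)
    print(auth["method"], auth["url"])
    print(auth["body"])
    token = build_token_request(base, "CONSUMER_KEY", "CODE_FROM_REDIRECT",
                                "https://app.example/cb", verifier)  # public client: no secret
    print(token["body"])
```

For a public (browser) client, call `build_token_request` without `client_secret` and deselect both "Require Secret" settings; for a confidential back end, keep them selected and pass the secret only from server-side code.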