          Configure a Connected App for the OAuth 2.0 Client Credentials Flow

          With the OAuth 2.0 client credentials flow, your client app exchanges its client credentials defined in the connected app—its consumer key and consumer secret—for an access token. Before you implement the client credentials flow, configure these settings and access policies for your connected app.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Connected Apps can be created in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions

          Connected Apps can be installed in: All editions

          User Permissions Needed
          To read, create, update, or delete connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
          To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND either Modify All Data OR Manage Connected Apps
          To update Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND Modify All Data AND Manage Profiles and Permission Sets
          To rotate the consumer key and consumer secret: Allow consumer key and secret rotation
          To install and uninstall connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
          To install and uninstall packaged connected apps: Download AppExchange Packages AND Customize Application AND either Modify All Data OR Manage Connected Apps

          Note: Creation of connected apps is restricted as of Spring ’26. You can continue to use existing connected apps during and after Spring ’26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

          See New connected apps can no longer be created in Spring ’26 for more details.

          Warning: Before you set up the client credentials flow, it’s important to understand its security risks. With this flow enabled, any person or app that has access to your connected app’s consumer key and consumer secret can get an access token. Maintain security by periodically changing your consumer secret, and change it immediately if it becomes compromised. See Rotate the Consumer Key and Consumer Secret of a Connected App.

          For connected apps installed as part of a managed package, keep these considerations in mind.

          • The developer that set up the connected app in the publishing org can get an access token for subscriber orgs.
          • When the client credentials flow is enabled on a connected app in the publishing org, it isn’t automatically enabled in the subscriber org. Subscribers must explicitly opt in to use the flow.
          • When the client credentials flow isn’t enabled in the publishing org, subscribers can’t enable it for their installed app.
          1. Create your connected app, and complete its basic information.
          2. Configure the necessary OAuth settings for the connected app.
          3. Enable the client credentials flow for your connected app.
            1. From Setup, in the Quick Find box, enter Apps, and then select App Manager.
            2. Find your connected app, click the Action dropdown, and then select Edit.
            3. Under API (Enable OAuth Settings), select Enable Client Credentials Flow.
            4. When you understand the security risks, accept the warning.
            5. Save your changes.
          4. Select an execution user for the flow.
            Although there’s no user interaction in the client credentials flow, Salesforce still requires you to specify an execution user. By selecting an execution user, you allow Salesforce to return access tokens on behalf of this user.
            Note: Permitted Users policies, such as All users may self-authorize and Admin approved users are pre-authorized, don’t apply to the execution user.
            1. From the connected app detail page, click Manage.
            2. Click Edit Policies.
            3. Under Client Credentials Flow, for Run As, click the magnifying glass icon, and find the user that you want to assign to the client credentials flow.
              For Enterprise Edition orgs, we recommend that you select an execution user who has the API Only User permission.
            4. Save your changes.

          To disable the client credentials flow on a connected app, deselect Enable Client Credentials Flow. Deselecting this setting prevents the client app from getting new access tokens, but it doesn’t revoke existing ones. To revoke access tokens, see Manage Current OAuth Connected App Sessions.
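
          With the connected app configured as above, the client side of the exchange can be sketched as follows. This is an added example, not Salesforce's code: it posts the consumer key and consumer secret to the standard `/services/oauth2/token` endpoint on the org's My Domain URL, refuses non-HTTPS endpoints, and masks the secret before anything is logged. The environment variable names and helper names are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_PATH = "/services/oauth2/token"  # Salesforce OAuth 2.0 token endpoint


def build_token_request(my_domain_url, consumer_key, consumer_secret):
    """Build the client credentials token request without sending it."""
    parts = urllib.parse.urlsplit(my_domain_url)
    # The consumer secret travels in the request body, so require HTTPS.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("token endpoint must be an https:// My Domain URL")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": consumer_key,         # consumer key of the connected app
        "client_secret": consumer_secret,  # consumer secret of the connected app
    }).encode("ascii")
    return urllib.request.Request(
        f"https://{parts.netloc}{TOKEN_PATH}",
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def redact(request):
    """Return a log-safe view of the request with the secret masked."""
    fields = urllib.parse.parse_qs(request.data.decode("ascii"))
    fields["client_secret"] = ["***"]
    return {"url": request.full_url,
            "fields": {name: values[0] for name, values in fields.items()}}


def fetch_token(request, timeout=10):
    """Send the request and return the parsed JSON token response."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    env = os.environ  # assumed variable names, not defined by Salesforce
    req = build_token_request(env["SF_MY_DOMAIN_URL"], env["SF_CONSUMER_KEY"],
                              env["SF_CONSUMER_SECRET"])
    print(redact(req))  # safe to log: the secret value is masked
    token = fetch_token(req)
    print("token issued for instance:", token.get("instance_url"))
```

          The returned access token acts on behalf of the execution user selected under Run As, so that user's permissions bound what a leaked consumer secret can reach.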

           