          Enable OAuth Settings for API Integration
          You can use a connected app to request access to Salesforce data on behalf of an external application. For a connected app to request access, it must be integrated with the Salesforce API using the OAuth 2.0 protocol. OAuth 2.0 is an open protocol that authorizes secure data sharing between applications through the exchange of tokens. When developers or independent software vendors (ISVs) want to integrate their app with Salesforce, they use OAuth APIs. These OAuth APIs enable a user to work in one app but see the data from another.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Connected Apps can be created in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions

          Connected Apps can be installed in: All editions

          User Permissions Needed
          To read, create, update, or delete connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
          To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND either Modify All Data OR Manage Connected Apps
          To update Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND Modify All Data AND Manage Profiles and Permission Sets
          To rotate the consumer key and consumer secret: Allow consumer key and secret rotation
          To install and uninstall connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
          To install and uninstall packaged connected apps: Download AppExchange Packages AND Customize Application AND either Modify All Data OR Manage Connected Apps

          Note: Connected apps creation is restricted as of Spring ’26. You can continue to use existing connected apps during and after Spring ’26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

          See New connected apps can no longer be created in Spring ’26 for more details.

          1. Create your connected app, and complete its basic information.
          2. In the API (Enable OAuth Settings) area of the page, select Enable OAuth Settings.
          3. If you’re setting up a connected app for an external application on a device with limited input or display capabilities, such as TVs, appliances, or command-line applications, select Enable for Device Flow.
            A callback URL isn’t used in the device flow. However, when this flow is enabled, the value for the callback URL defaults to a placeholder. You can specify a callback URL if needed, such as when this same client is being used for a different flow.
          4. Enter the callback URL (endpoint) that Salesforce calls back to your application during OAuth. It’s the same as the OAuth redirect URI.
            Depending on which OAuth flow you use, the URL is typically the one that a user’s browser is redirected to after successful authorization.
            Because this URL is used for some OAuth flows to pass an access token, the URL must use secure HTTPS or a custom URI scheme.
            If you enter multiple callback URLs, at run time Salesforce matches the callback URL value specified by the app with one of the values in Callback URL. It must match one of the values to pass validation. Separate multiple callback URLs with line breaks. The callback URL field has a limit of 2000 characters, cumulatively. If you enter several URLs and they exceed this limit, create another connected app to manage more callback URLs.
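The rules in step 4 (HTTPS or a custom scheme, one URL per line, an exact match at run time, a 2000-character cumulative limit) are easy to get subtly wrong when you script connected-app configuration. The following is an added example, not Salesforce's own validation code: a small model that checks a proposed Callback URL field before you paste it in, and shows the run-time matching behaviour the page describes. It assumes (this is not stated on the page) that matching is an exact string comparison after trimming whitespace and that any scheme other than plain http counts as a custom scheme.

```python
"""Model of the Callback URL rules described in step 4 (added example,
not Salesforce code).

Assumptions, labelled because the page does not spell them out:
  * the configured value is the raw text of the Callback URL field, one URL
    per line, and the 2000-character limit is counted over the whole field;
  * run-time matching is an exact string comparison (no prefix/wildcard);
  * any scheme other than plain http is treated as a custom URI scheme.
"""
from urllib.parse import urlsplit

CALLBACK_FIELD_LIMIT = 2000  # cumulative limit stated on the page


def parse_callback_field(field_text: str) -> list[str]:
    """Split the field into individual URLs, one per line, dropping blank lines."""
    return [line.strip() for line in field_text.splitlines() if line.strip()]


def callback_url_problems(field_text: str) -> list[str]:
    """Return the reasons the field would be rejected; an empty list means OK."""
    problems = []
    if len(field_text) > CALLBACK_FIELD_LIMIT:
        problems.append(
            f"field is {len(field_text)} chars; limit is {CALLBACK_FIELD_LIMIT}"
        )
    for url in parse_callback_field(field_text):
        scheme = urlsplit(url).scheme.lower()
        if not scheme:
            problems.append(f"{url!r}: no URI scheme")
        elif scheme == "http":
            problems.append(
                f"{url!r}: plain http is not allowed; use https or a custom scheme"
            )
    return problems


def redirect_uri_allowed(requested: str, field_text: str) -> bool:
    """Run-time check: the redirect_uri sent by the app must equal one of the
    configured callback URLs exactly (assumed behaviour; no partial matching)."""
    return requested.strip() in parse_callback_field(field_text)


# Constructed sample field contents (not real endpoints).
SAMPLE_FIELD = """https://app.example.com/oauth/callback
myapp://oauth/callback
http://localhost:8080/callback
"""

if __name__ == "__main__":
    for problem in callback_url_problems(SAMPLE_FIELD):
        print("problem:", problem)
    print(redirect_uri_allowed("https://app.example.com/oauth/callback", SAMPLE_FIELD))
    print(redirect_uri_allowed("https://app.example.com/oauth/callback/../x", SAMPLE_FIELD))
```

The exact-match behaviour is the important part for defenders: a redirect URI that differs only by path or query from a registered value is rejected, so keep the configured list tight rather than registering broad entries.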
          5. If you’re using the JWT OAuth flow, select Use Digital Signatures. If the app uses a certificate, click Choose File, and select the certificate on your system to upload for the JWT OAuth flow.
            Important: The certificate is limited to 4,000 characters, and the file must be smaller than 4 KB.
          6. Select the OAuth scopes to apply to the connected app. OAuth scopes define permissions for the connected app, which are granted as tokens after the app is authorized. The OAuth token name is in parentheses. For a list of scopes and their descriptions, see OAuth Tokens and Scopes.
          7. To require the OAuth 2.0 Proof Key for Code Exchange (PKCE) extension for all supported versions of the OAuth 2.0 authorization code flow, select Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows.
            This setting requires PKCE for the web server flow, the hybrid web server flow, the Authorization Code and Credentials Flow, and all variations of the Authorization Code and Credentials Flow including headless registration, headless passwordless login, and headless identity for guest users. With this setting enabled, any of these flows that don’t implement PKCE are blocked for this connected app. For more information on using PKCE to secure your apps, see Proof Key for Code Exchange (PKCE) Extension.
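To make concrete what the PKCE requirement enforces, here is an added example (not Salesforce's implementation, and the class and method names are the author's own) of the RFC 7636 S256 exchange: the client derives a code_challenge from a random code_verifier, the authorization server binds that challenge to the authorization code, and the token request is only honoured when the presented verifier hashes back to the stored challenge. With the setting above enabled, an authorization request that omits the challenge is refused, which is the case the model raises on.

```python
"""PKCE (RFC 7636, S256) modelled end to end, as an added illustration of
what "Require Proof Key for Code Exchange" enforces. Not Salesforce code;
AuthorizationServer and its methods are hypothetical names for the model.
"""
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy random verifier (43 chars for 32 bytes)."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge sent with the authorization request."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Server side: bind the challenge to the code, verify on token exchange."""

    def __init__(self, require_pkce: bool = True):
        self.require_pkce = require_pkce
        self._pending = {}  # authorization code -> challenge (None if no PKCE)

    def authorize(self, code_challenge=None, code_challenge_method="S256") -> str:
        """Issue an authorization code; refuse when PKCE is required but absent."""
        if self.require_pkce and not code_challenge:
            raise PermissionError("code_challenge required: PKCE is enforced")
        if code_challenge and code_challenge_method != "S256":
            raise PermissionError("only the S256 challenge method is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier=None) -> bool:
        """Token request: succeed only if the code is fresh and the verifier matches."""
        if code not in self._pending:
            return False  # unknown, expired, or already used code
        challenge = self._pending.pop(code)  # authorization codes are single-use
        if challenge is None:
            return True  # this authorization was made without PKCE
        if not code_verifier:
            return False  # PKCE was started but the verifier is missing
        expected = make_code_challenge(code_verifier)
        return hmac.compare_digest(expected, challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    server = AuthorizationServer(require_pkce=True)
    code = server.authorize(make_code_challenge(verifier))
    print("correct verifier accepted:", server.token(code, verifier))
    print("replayed code rejected:", server.token(code, verifier))
```

The verifier never leaves the client until the token request, so an intercepted authorization code is useless on its own; the constant-time comparison and single-use code are the two server-side details worth copying.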
          8. To require the app’s client secret in exchange for an access token, select Require Secret for the Web Server Flow.
            Important: If the client app can’t keep the client secret confidential and it must use the web server flow, deselect Require Secret for Web Server Flow. We still generate a client secret for your app, but this setting instructs the web server flow not to require the client_secret parameter in the access token request. We recommend user agent as a more secure option than web server flow without the secret.
          9. To require the client secret in the authorization request of a refresh token and hybrid refresh token flow, select Require Secret for Refresh Token Flow. If you don’t select this option and an app sends the client secret in the authorization request, Salesforce still validates it.
            You can select this option for web-server based apps that can protect client secrets. But for apps that can’t protect client secrets, such as mobile apps or apps installed on a user’s computer, we recommend against selecting this option.
            Note: For new connected apps, this selection is automatically enabled. For connected apps created before the Spring ’21 release, this selection isn’t automatically enabled.
          10. To configure settings for the client credentials flow, see Configure a Connected App for the OAuth 2.0 Client Credentials Flow.
          11. To configure settings for the Authorization Code and Credentials Flow, see Configure a Connected App for the Authorization Code and Credentials Flow.
          12. To configure settings for the token exchange flow, see Integrate an App for the Token Exchange Flow.
          13. To get a new refresh token each time the refresh token flow is invoked, select Enable Refresh Token Rotation.
            Enabling this setting is a security best practice. With this setting enabled, the old refresh token is automatically invalidated after it’s used, so that each token is used only one time. If someone tries to use a refresh token that’s been rotated out, Salesforce invalidates the current refresh token and any associated access tokens.
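The behaviour described for refresh token rotation is worth seeing as code, because the reuse-detection part is what makes it a security control. The following is an added model, not Salesforce's implementation (the TokenStore class and its methods are hypothetical names): every refresh token is single-use and belongs to a family; a normal refresh rotates to a new token; presenting a token that has already been rotated out revokes the family's current refresh token and, as an assumption about "any associated access tokens", every access token issued within that family.

```python
"""Refresh token rotation with reuse detection, modelled after step 13
(added example, not Salesforce code; TokenStore is a hypothetical name).

Assumption: "associated access tokens" means every access token issued from
the same refresh-token family, so a detected reuse revokes all of them.
"""
import hmac
import secrets


class TokenStore:
    def __init__(self):
        self.families = {}           # family id -> current refresh token, None once revoked
        self.refresh_to_family = {}  # every refresh token ever issued -> family id
        self.access_tokens = {}      # live access token -> family id

    def _mint(self, family: str):
        """Issue a fresh refresh/access pair for the family and record them."""
        refresh = secrets.token_urlsafe(24)
        access = secrets.token_urlsafe(24)
        self.families[family] = refresh
        self.refresh_to_family[refresh] = family
        self.access_tokens[access] = family
        return refresh, access

    def issue_initial(self):
        """First grant after user authorization: start a new token family."""
        return self._mint(secrets.token_hex(8))

    def refresh(self, presented: str):
        """Refresh token flow. Returns (new_refresh, new_access) or None."""
        family = self.refresh_to_family.get(presented)
        if family is None:
            return None  # never issued by this store
        current = self.families.get(family)
        if current is None:
            return None  # family already revoked
        if not hmac.compare_digest(presented, current):
            # The token was valid once but has been rotated out. Treat this as
            # theft or replay: invalidate the current refresh token and every
            # access token in the family, so neither party can continue.
            self.families[family] = None
            for access in [a for a, f in self.access_tokens.items() if f == family]:
                del self.access_tokens[access]
            return None
        # Normal rotation: the presented token is now spent; issue a new pair.
        return self._mint(family)

    def access_token_valid(self, access: str) -> bool:
        return access in self.access_tokens


if __name__ == "__main__":
    store = TokenStore()
    rt1, at1 = store.issue_initial()
    rt2, at2 = store.refresh(rt1)          # legitimate rotation
    print("reuse of rt1 returns:", store.refresh(rt1))   # None, family revoked
    print("at2 still valid:", store.access_token_valid(at2))  # False
```

Operationally, the point for an integration team is that a client which stores the old refresh token after a rotation (a race between two workers, a restored backup) will trigger this revocation and force a fresh authorization; treat such events as a signal to investigate rather than as noise.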
          14. To configure JSON Web Token (JWT)-based access tokens, see Enable JSON Web Token (JWT)-Based Access Tokens.
          15. To authorize a single connected app to introspect all access and refresh tokens within the entire org, select Introspect all tokens.
            By default, all connected apps can introspect their own tokens. In addition, an OAuth client that directly registers OAuth 2.0 connected apps through the dynamic client registration endpoint can check the tokens for itself and its registered apps. See OpenID Connect Token Introspection.
          16. To control how the OAuth request handles the ID token, select Configure ID token.

            If the OAuth request includes the Allow access to your unique identifier (openid) scope, the returned token can include the ID token.

            The ID token is always included in access token responses.

            With the primary ID token setting enabled, configure the secondary settings that control the ID token contents in both access and refresh token responses. Specify these settings.

            Token Valid for: The length of time that the ID token is valid for after it’s issued. The period can be from 1 to 720 minutes. The default is 2 minutes.
            ID Token Audiences: The intended consumers of the ID token. For example, the target service where you use the ID token, such as https://your_service.com.
            Include Standard Claims: Include the standard claims that contain information about the user, such as the user’s name, profile, phone number, and address. The OpenID Connect specifications define a set of standard claims to be returned in the ID token.
            Include Custom Attributes: If your app has specified custom attributes, include them in the ID token.
            Include Custom Permissions: If your app has specified custom permissions, include them in the ID token.
          17. If you’re setting up the app to issue asset tokens for connected devices, select Enable Asset Tokens, and specify these settings.
            Token Valid for: The length of time that the asset token is valid after it’s issued.
            Asset Signing Certificate: The self-signed certificate that you created for signing asset tokens. The certificate size is limited to 4 KB.
            Asset Audiences: The intended consumers of the asset token. For example, the back-end service for your connected device, such as https://your_device_backend.com.
            Include Custom Attributes: If your app has specified custom attributes, include them in the asset token.
            Include Custom Permissions: If your app has specified custom permissions, include them in the asset token.

            Make sure to specify the callback URL (endpoint). For example, https://your_device_backend.com/callback.

            Select the Access and manage your data (api) and Allow access to your unique identifier (openid) OAuth scopes, which are required for asset tokens.

          18. To use single logout for use cases where Salesforce is an OpenID Connect provider, select Enable Single Logout, and then enter a single logout URL to determine where Salesforce sends logout requests. The single logout URL must be an absolute URL starting with https://.
            These settings are just one part of a single logout configuration. To finish setting up single logout, set the URL where users are redirected after they log out and share information with your OpenID Connect provider. See Configure OpenID Connect Single Logout with Salesforce as the OpenID Connect Provider.
          19. After you configure all settings for your connected app, save your changes.

          For help with configuring OAuth flows, see OAuth Authorization Flows in Salesforce Help.

          Important: When developing OAuth integrations, always pass sensitive information in the body of a POST request or in a request header. Don't use GET parameters in the URL query string to pass sensitive information. Sensitive information includes but isn't limited to usernames, passwords, OAuth tokens, client secrets, and any personally identifiable information. For more information on security best practices, see Storing Sensitive Data in the Secure Coding Guide.
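Query-string leakage of the kind warned about above is easy to detect after the fact, because URLs (unlike request bodies and headers) end up in web server logs, proxies, and browser history. As an added example (not from Salesforce; the log lines, paths and parameter list are constructed by the author), this scanner reads access-log lines in the common combined format and reports any request whose URL query carries a sensitive parameter name, regardless of method.

```python
"""Detect sensitive OAuth material passed in URL query strings, by scanning
access-log lines (added example; sample log lines and endpoint paths are
constructed, and SENSITIVE_PARAMS is the author's list, not Salesforce's).
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that should only ever travel in a POST body or a header.
SENSITIVE_PARAMS = {
    "username", "password", "access_token", "refresh_token",
    "client_secret", "assertion",
}

# The quoted request line of a combined-format log entry: METHOD target HTTP/x.y
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_params_in_target(target: str) -> list[str]:
    """Return the sensitive parameter names present in the target's query string."""
    query = urlsplit(target).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def scan_log(lines) -> list[tuple]:
    """Return (line_no, method, path, leaked_params) for each offending line."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        leaked = sensitive_params_in_target(match.group("target"))
        if leaked:
            path = urlsplit(match.group("target")).path
            findings.append((line_no, match.group("method"), path, leaked))
    return findings


# Constructed sample log (addresses from the documentation range 203.0.113.0/24).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "POST /oauth2/token HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /oauth2/token?grant_type=password&username=alice&password=REDACTED HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /api/records?access_token=REDACTED&q=foo HTTP/1.1" 200 88',
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /api/records?q=foo HTTP/1.1" 200 88',
    '203.0.113.9 - - [01/Jan/2025:10:00:04 +0000] "POST /oauth2/token?client_secret=REDACTED HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, method, path, leaked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} exposes {', '.join(leaked)}")
```

Note that the last sample line is a POST and is still flagged: the guidance is about where the value travels, not the HTTP method, and a query string on a POST is logged just the same.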
          Salesforce Help | Article