Manage Current OAuth Connected App Sessions
The Connected Apps OAuth Usage page displays current OAuth app connections. For apps that aren't installed, it also displays usage attempts that Salesforce automatically denied due to security restrictions. From this page, you can install or uninstall third-party connected apps, revoke an app’s active sessions, and block or unblock org-wide access to the app.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
Connected Apps can be created in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions Connected Apps can be installed in: All editions |
| User Permissions Needed | |
|---|---|
| To view the OAuth Connected Apps Usage page: | View Setup and Configuration AND Manage Users |
| To read, create, update, or delete connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND Modify All Data |
| To install and uninstall connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To install and uninstall packaged connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps AND Download AppExchange Packages |
See New connected apps can no longer be created in Spring ‘26 for more details.
For security, we recommend that you block all connected apps from using the username-password flow. Use the OAuth 2.0 web server flow with Proof Key for Code Exchange (PKCE) as a more secure alternative. For steps to block the username-password flow, see Block OAuth 2.0 Flows to Improve Security. For steps to use the web server flow, see OAuth 2.0 Web Server Flow for Web App Integration.
-
From Setup, in the Quick Find box, enter OAuth, and then select
Connected Apps OAuth Usage.
The resulting list of apps can be long because it contains all Salesforce and custom OAuth apps available to your users, not just the ones installed in your org. For example, it lists third-party apps from AppExchange and Salesforce partners.
For apps that aren't installed, you can review the number of usage attempts that Salesforce automatically denied. For these apps, Salesforce denies usage if a user doesn't have the "Approve Uninstalled Connected Apps" user permission. Denied attempts can sometimes indicate that a user is trying to use an app with a legitimate use case. If you trust the app, allow usage by clicking Install. Denied attempts can also indicate that someone tried to connect a suspicious app. To tighten security, end all sessions and prevent new sessions by clicking Block.
Note Connected app sessions can expire when a new Salesforce major release takes effect. To avoid disruptions, start a new session after a major release. To see major release dates for your instance, go to Trust Status, search for your instance, and click the maintenance tab. - To open the detail page for the connected app, click Manage App Policies. From the detail page, you can click Edit Policies to manage the app’s access policies. See Manage Access to a Connected App.
-
To open the Connected Apps User’s Usage page to see information about users, click a user
count number. User information includes:
- When they first used the app
- Most recent time they used the app
- Total number of times they used the app
From this page, you can end a user’s access to the current session by clicking Revoke. At the top of the page, click Revoke All to end all current sessions for the app. - To install a third-party app, click Install. With the app installed, you can manage its access policies. See Install a Connected App.
- To remove your local copy of an installed connected app, click Uninstall. Before uninstalling a connected app, see Uninstall a Third-Party Connected App recommendations and considerations.
- To make the OAuth connected app inaccessible to your users, click Block. Blocking an app ends all current user sessions and prevents future sessions until you click Unblock.
-
To give users access to the connected app, click Unblock. By
unblocking the app, users can log in and run the app.
If Unblock is disabled, the app is blocked org-wide because it’s not on the allowlist. To allowlist the app, click Install, then click Edit Policies. Under the app’s OAuth settings, set Permitted Users to Admin approved users are pre-authorized. You can allowlist apps only if you asked Salesforce Customer Support to enable the API client allowlisting feature.
If the number of connected apps gets too large, it can cause timeout errors in the OAuth
Usage page. This timeout error blocks new connected apps from being installed. To install a new
connected app when the OAuth Usage page is experiencing timeout errors, manually create the app
approval URL with the app ID and the org ID:
/identity/app/AppInstallApprovalPage.apexp?app_id=App ID&app_org_id=Org
ID
For individual users, connected apps can be installed on the user’s OAuth usage detail page.
