Manage OAuth Access Policies for a Connected App
Configure OAuth access policies for OAuth-enabled connected apps. These policies include defining which users can access a connected app, what IP restrictions apply to the connected app, and how long a refresh token is valid for.
| Required Editions | |
|---|---|
| Available in: | both Salesforce Classic and Lightning Experience |
| Connected Apps can be created in: | Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions |
| Connected Apps can be installed in: | All editions |

| User Permissions Needed | |
|---|---|
| To read, create, update, or delete connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND Modify All Data AND Manage Profiles and Permission Sets |
| To rotate the consumer key and consumer secret: | Allow consumer key and secret rotation |
| To install and uninstall connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To install and uninstall packaged connected apps: | Download AppExchange Packages AND Customize Application AND either Modify All Data OR Manage Connected Apps |
See New connected apps can no longer be created in Spring ‘26 for more details.
- From Setup, enter Connected Apps in the Quick Find box, then select Manage Connected Apps.
- Click Edit next to the connected app that you are configuring access for.
- Under OAuth Policies, click the Permitted Users dropdown menu and select one of the following options.
  - All users may self-authorize—Default. Allows all users in the org to authorize the app after successfully signing in. Users must approve the app the first time they access it.
  - Admin-approved users are pre-authorized—Allows only users with the associated profile or permission set to access the app without first authorizing it. After selecting this option, manage profiles for the app by editing each profile’s Connected App Access list. Or manage permission sets for the app by editing each permission set’s Assigned Connected App list.
In a Group Edition org, you can’t manage individual user access with profiles. However, you can manage all users’ access when you edit a connected app’s OAuth settings.
Warning: If you switch from All users may self-authorize to Admin-approved users are pre-authorized, anyone using the app loses access, unless a user’s permission authorizes the connected app specifically. Connected apps that are part of a managed package use the default permission. In addition, if users have the Use Any API Client permission, they can access any connected app—even if its Permitted Users setting is set to Admin-approved users are pre-authorized. Be careful when using the Use Any API Client permission. As the name implies, you’re giving up your control over authorization.
- Click the IP Relaxation dropdown menu, and select one of the following options to determine whether a user’s access to the app is restricted by IP ranges.
  - Enforce IP restrictions—Default. Enforces the IP restrictions configured for the org, such as the IP ranges assigned to a user profile.
  - Enforce IP restrictions, but relax for refresh tokens—Enforces the IP restrictions configured for the org, such as the IP ranges assigned to a user profile. However, this option bypasses these restrictions when the connected app uses refresh tokens to get access tokens.
  - Relax IP restrictions for activated devices—Allows a user running the app to bypass the org’s IP restrictions when either of these conditions is true.
    - The app has a list of allowed IP ranges and is using the web server authentication flow. Only requests coming from these IPs are allowed.
    - The app doesn’t have a list of allowed IP ranges, but it uses the web server authentication flow, and the user successfully completes identity verification if accessing Salesforce from a new browser or device.
  - Relax IP restrictions—Allows a user to run this app without org IP restrictions.
Note: If you relax IP restrictions for your connected app and your org has Enforce login IP ranges on every request enabled, the access to your connected app can change. See Connected App IP Relaxation and Continuous IP Enforcement. Also, IP restrictions are enforced only if they are configured on a user’s profile. The SAML bearer assertion and JWT bearer token flows always enforce IP restrictions regardless of the connected app policy. Connected apps that are part of a managed package use the default IP relaxation setting.
- Select Enable Single Logout to automatically log users out of the connected app service provider when they log out of Salesforce.
- If you selected Enable Single Logout, enter a single logout URL. Salesforce sends logout requests to this URL when users log out of Salesforce. The single logout URL must be an absolute URL starting with https://.
- Select a Refresh Token Policy to determine how long a refresh token is valid for.
If refresh tokens are provided, users can continue to access the OAuth-enabled connected app without having to reauthorize when the access token expires (defined by the session timeout value). The connected app exchanges the refresh token for an access token to start a new session. The Refresh Token policy is evaluated only when the issued refresh token is used and doesn’t affect a user’s current session. Refresh tokens are required only when a user’s session has expired or isn’t available.
For example, you set a refresh token policy to expire the token after 1 hour. If a user uses the app for 2 hours, the user isn’t forced to reauthenticate after 1 hour. However, the user is required to authenticate again when the session expires and the client attempts to exchange its refresh token for a new session.
  - Refresh token is valid until revoked—Default. The refresh token is used indefinitely, unless revoked by the user or Salesforce admin. Revoke tokens on a user’s detail page under OAuth Connected Apps or on the OAuth Connected Apps Usage Setup page.
  - Immediately expire refresh token—The refresh token is invalid immediately. The user can use the current session (access token) already issued, but can’t obtain a new session when the access token expires.
  - Expire refresh token if not used for n—The refresh token is valid as long as it’s been used within the specified amount of time. For example, if set to seven days, and the refresh token isn’t exchanged for a new session within seven days, the next attempt to use the token fails. The expired token can’t generate new sessions. If the refresh token is exchanged within seven days, the token is valid for another seven days. The monitoring period of inactivity also resets.
  - Expire refresh token after n—The refresh token is valid for a fixed amount of time. For example, if the policy states one day, the user can obtain new sessions only for 24 hours.
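The four refresh token policies differ in which clock they use (none, issuance time, or last use) and share one property the text stresses: they are checked only when the client exchanges a refresh token, never against a live session. The Python model below is an added illustration, not Salesforce code or anything from this page; the session timeout, timestamps and policy names are constructed for the walkthrough, and it replays the doc’s one-hour example and the seven-day inactivity example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
T0 = datetime(2024, 1, 1, 9, 0)  # constructed clock origin for the walkthrough
HOUR, DAY = timedelta(hours=1), timedelta(days=1)
SESSION_TIMEOUT = 2 * HOUR  # assumed org session timeout (the real value is a Setup setting)

@dataclass
class RefreshToken:
    issued: datetime       # when Salesforce issued the refresh token
    last_used: datetime    # last successful exchange for a new session
    revoked: bool = False  # revoked by the user or an admin

def refresh_allowed(token, policy, now, n=None):
    """Evaluate the Refresh Token Policy at the moment of an exchange. `policy` names one of
    the four options on the OAuth Policies page; `n` is the duration for the time-based ones."""
    if token.revoked:
        return False
    if policy == "valid_until_revoked":
        return True
    if policy == "immediately_expire":
        return False
    if policy == "expire_if_not_used_for":   # sliding window of inactivity
        return now - token.last_used <= n
    if policy == "expire_after":             # fixed lifetime from issuance
        return now - token.issued <= n
    raise ValueError(f"unknown policy {policy!r}")

def handle_request(session_expires, token, policy, now, n=None):
    """Model one client request. The policy is consulted only when the current session
    is gone and the client falls back to its refresh token."""
    if now < session_expires:
        return "session"          # access token still valid; policy not evaluated
    if refresh_allowed(token, policy, now, n):
        token.last_used = now     # a successful exchange restarts the inactivity window
        return "refreshed"
    return "reauth_required"      # user must log in and authorize the app again

def one_hour_policy_walkthrough():
    """The doc's example: 'Expire refresh token after 1 hour', user active for 2 hours."""
    token = RefreshToken(issued=T0, last_used=T0)
    expires = T0 + SESSION_TIMEOUT
    at_90_min = handle_request(expires, token, "expire_after", T0 + 1.5 * HOUR, HOUR)
    at_2_hours = handle_request(expires, token, "expire_after", T0 + 2 * HOUR, HOUR)
    return at_90_min, at_2_hours  # ('session', 'reauth_required')

def seven_day_inactivity_walkthrough():
    """'Expire refresh token if not used for 7 days': each exchange restarts the window."""
    token = RefreshToken(issued=T0, last_used=T0)
    return tuple(handle_request(T0 + SESSION_TIMEOUT, token, "expire_if_not_used_for", T0 + d * DAY, 7 * DAY)
                 for d in (5, 11, 20))  # ('refreshed', 'refreshed', 'reauth_required')
```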
If your connected app is a canvas app that uses signed request authentication:
- Set Permitted Users to Admin-approved users are pre-authorized.
- Set Expire Refresh Tokens to Immediately expire refresh token.
- Give users access via profiles and permission sets.

