          Stage, Rotate, and Delete OAuth Credentials for an External Client App

          Use the OAuth Staged Credentials Connect REST API endpoint to manage the OAuth key and secret for an external client app. The API can be used to stage, view, rotate, or delete OAuth credentials.

          Required Editions

          Available in: Lightning Experience.
          Available in: Professional, Performance, Unlimited, and Developer Editions
          User Permissions Needed
          To stage, rotate, and delete OAuth credentials: External Client App Developer and View Client Secret

          Before you begin, make sure these prerequisites are met.

          • You must have a valid access token.
          • Allow access to External Client App consumer secrets via REST API must be turned on in External Client App Settings.

          This procedure uses cURL examples, but you can use other tools. To familiarize yourself with cURL, see Using cURL in the REST API Developer Guide. The cURL examples use placeholder text for access_token, external_client_app_identifier, consumer_id, and staged_credential_id. Replace these terms with the relevant values for your external client app credentials.

          1. To retrieve the external client app's ID, submit a call to the OAuth Usage endpoint.
            curl --silent 'https://MyDomainName.my.salesforce.com/services/data/v65.0/apps/oauth/usage' \
              -H 'Authorization: Bearer access_token' \
              -H 'Accept: application/json' \
              -H 'Content-Type: application/json' | jq .

            The output of this request includes an identifier, which is used in the next call.

            "identifier": "external_client_app_identifier"
          2. To retrieve the staged resource ID, configure the cURL and submit a call to the OAuth Credentials by App ID endpoint.
            curl --silent 'https://MyDomainName.my.salesforce.com/services/data/v65.0/apps/oauth/credentials/external_client_app_identifier' \
              -H 'Authorization: Bearer access_token' \
              -H 'Accept: application/json' | jq .

            The output of this request includes a staged credentials URL, which is used in the next call. It includes the identifier from the first response and a consumer ID, followed by /staged.

            "stagedCredentialsURL": "services/data/v65.0/apps/oauth/credentials/external_client_app_identifier/consumer_id/staged"
          3. To retrieve the current staged credentials, configure the cURL and submit a call to the OAuth Staged Credentials endpoint.
            curl --silent 'https://MyDomainName.my.salesforce.com/services/data/v65.0/apps/oauth/credentials/external_client_app_identifier/consumer_id/staged' \
              -H 'Authorization: Bearer access_token' \
              -H 'Accept: application/json' \
              -H 'Content-Type: application/json' | jq .
            Note: The output of this request includes the credential state. The options are Active, Rotated, or Expired. If there is a staged credential, the credentials must be rotated or deleted before new credentials can be staged. Staged credentials expire after 30 days unless they are deleted first.
          4. To stage credentials, submit a POST call to the OAuth Staged Credentials endpoint.
            curl --silent -X POST 'https://MyDomainName.my.salesforce.com/services/data/v65.0/apps/oauth/credentials/external_client_app_identifier/consumer_id/staged' \
              -H 'Authorization: Bearer access_token' \
              -H 'Accept: application/json' \
              -H 'Content-Type: application/json' | jq .

            The output of the OAuth Credentials call includes a URL which is used in the call to rotate or delete staged credentials. The URL includes the external client app identifier and the consumer ID followed by /staged and finally the staged credentials resource ID.

            "id": "staged_credential_id"
          5. To rotate the staged credentials, configure the cURL and submit a PATCH call to the OAuth Credentials endpoint.
            curl --silent -X PATCH 'https://MyDomainName.my.salesforce.com/services/data/v65.0/apps/oauth/credentials/external_client_app_identifier/consumer_id/staged/staged_credential_id' \
              -H 'Authorization: Bearer access_token' \
              -H 'Content-Type: application/json' \
              -d '{ "command": "rotate" }' | jq .
          6. To delete the staged credentials, configure the cURL and submit a DELETE call to the OAuth Staged Credentials ID endpoint.
            curl --silent -X DELETE 'https://MyDomainName.my.salesforce.com/services/data/v65.0/apps/oauth/credentials/external_client_app_identifier/consumer_id/staged/staged_credential_id' \
              -H 'Authorization: Bearer access_token' \
              -H 'Accept: application/json' \
              -H 'Content-Type: application/json'
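
          The steps above put the access token on the curl command line, where it is visible in shell history and process listings. The following added example (not Salesforce code) builds the staged-credential URLs from validated identifiers and hands the token to curl through a config read from stdin. SF_ACCESS_TOKEN, the function names, and the allowed ID character set are assumptions.

```shell
#!/bin/sh
# Added example, not Salesforce code. SF_ACCESS_TOKEN and all function names
# are hypothetical; the endpoint path is the one used in the steps above.
API_PATH='services/data/v65.0/apps/oauth/credentials'

# Accept only plain IDs so a pasted value cannot add path segments or a query.
# The allowed character set is an assumption; adjust it to the IDs your org returns.
valid_id() {
  case "$1" in
    ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# staged_url DOMAIN APP_ID CONSUMER_ID [STAGED_ID]: print the endpoint URL.
staged_url() {
  valid_id "$1" && valid_id "$2" && valid_id "$3" || return 1
  url="https://$1/$API_PATH/$2/$3/staged"
  if [ -n "${4:-}" ]; then
    valid_id "$4" || return 1
    url="$url/$4"
  fi
  printf '%s\n' "$url"
}

# curl_config METHOD URL [JSON_BODY]: emit a curl config carrying the bearer
# token, so the token never appears in the process argument list.
curl_config() {
  [ -n "${SF_ACCESS_TOKEN:-}" ] || { echo 'SF_ACCESS_TOKEN is not set' >&2; return 1; }
  printf 'request = "%s"\nurl = "%s"\n' "$1" "$2"
  printf 'header = "Authorization: Bearer %s"\n' "$SF_ACCESS_TOKEN"
  printf 'header = "Accept: application/json"\n'
  if [ -n "${3:-}" ]; then
    printf 'header = "Content-Type: application/json"\n'
    printf 'data = "%s"\n' "$(printf '%s' "$3" | sed 's/\\/\\\\/g; s/"/\\"/g')"
  fi
}

# sf_call METHOD URL [JSON_BODY]: run the request with the config on stdin.
sf_call() {
  cfg=$(curl_config "$@") || return 1
  printf '%s\n' "$cfg" | curl --silent --fail --config -
}

# rotate_staged DOMAIN APP_ID CONSUMER_ID STAGED_ID: step 5 of the procedure.
rotate_staged() {
  u=$(staged_url "$@") || { echo 'invalid identifier' >&2; return 1; }
  sf_call PATCH "$u" '{ "command": "rotate" }'
}
```

          Because printf is a shell builtin, the token is written to curl's stdin instead of being passed as an argument to a new process. Staging (step 4) and deleting (step 6) use the same sf_call with POST and DELETE.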
           