          Block Authorization Flows to Improve Security
          The OAuth 2.0 user-agent and username-password flows are considered insecure and aren’t recommended. For better security, we strongly recommend that you block these flows in Salesforce to prevent developers from using them to build new integrations. If your org was created in Summer ’23 or later, the username-password flow is blocked by default; you can enable it if needed. If you have existing integrations that use the user-agent or username-password flow, update them to a more secure OAuth 2.0 flow. You can also block the Authorization Code and Credentials Flow, which is used to securely configure a headless login process, and you can block every variation of the authorization code flow that doesn’t use the PKCE extension.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: All Editions
          Note: Connected apps creation is restricted as of Spring ’26. You can continue to use existing connected apps during and after Spring ’26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

          See “New connected apps can no longer be created in Spring ’26” for more details.

          Blocking a flow can break managed packages, mobile apps, and other integrations that use it. Blocking the user-agent flow also blocks the hybrid app token flow. Before implementing your changes in production, test them thoroughly in a sandbox. In place of the user-agent flow for external web apps, we recommend using the OAuth 2.0 web server flow with Proof Key for Code Exchange (PKCE). In place of the username-password flow, we recommend using OpenID Connect dynamic client registration or the OAuth 2.0 client credentials flow. For a list of alternative OAuth flows and their use cases, see OAuth Authorization Flows.

          1. From Setup, in the Quick Find box, enter OAuth, and then select OAuth and OpenID Connect Settings.
          2. To block a flow, turn off its associated setting. To enable a blocked flow, turn on its associated setting. Here’s a list of the settings.
            • Allow OAuth User-Agent Flows—We recommend updating your integrations and blocking this flow.
            • Allow OAuth Username-Password Flows—We recommend updating your integrations and blocking this flow too.
            • Allow Authorization Code and Credentials Flows—Block this flow only if you aren’t using it.
            • Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows—This setting doesn’t explicitly block or enable a specific flow. Instead, when enabled, it blocks all variations of the OAuth 2.0 authorization code flow that don’t implement the PKCE extension. These variations include the web server flow, the hybrid web server flow, and the Authorization Code and Credentials Flow together with all of its variations. This setting is a prerequisite for requiring the PKCE extension for a connected app and for using PKCE for an authentication provider.
          3. At the prompt from your browser, click OK to confirm that you’re ready to implement this change.
            Note: After a flow is blocked, you can’t use it to build new integrations. Existing integrations that use the blocked flow no longer work.

          You can allow these flows at any time, but we don’t recommend ever allowing the user-agent or username-password flows. To use the Authorization Code and Credentials Flow, you must explicitly allow it.
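          The following is an added example, not code from Salesforce Help or from any Salesforce SDK. It shows what the recommended replacement looks like in practice: the OAuth 2.0 web server flow with the PKCE extension (RFC 7636, S256 method), which is the variation that survives the “Require Proof Key for Code Exchange (PKCE) Extension” setting, beside the username-password flow (grant_type=password) that this page recommends blocking. The authorize and token endpoints are Salesforce’s standard login.salesforce.com endpoints; the consumer key, callback URL and authorization code are constructed placeholders. The script builds and checks the requests offline and sends nothing.

```python
# Added example (not Salesforce's own code): the OAuth 2.0 web server flow with
# PKCE (RFC 7636, S256) that this page recommends in place of the user-agent
# and username-password flows. Requests are built offline; nothing is sent.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Standard Salesforce OAuth endpoints; substitute your My Domain login URL for the host.
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Random code_verifier; 32 bytes encode to 43 characters, the RFC minimum length."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, verifier: str,
                        state: str, scope: str = "api refresh_token") -> str:
    """Step 1: the browser redirect. Only the challenge leaves the client here."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str,
                        verifier: str) -> dict:
    """Step 2: POST body for TOKEN_URL. The verifier is sent only here, server to server."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def server_checks_pkce(authorize_url: str, token_request: dict) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare it with the one recorded
    when the code was issued. A code stolen from the redirect, without the
    verifier, fails this check."""
    stored = parse_qs(urlparse(authorize_url).query)
    if stored.get("code_challenge_method") != ["S256"]:
        return False
    expected = stored["code_challenge"][0]
    return secrets.compare_digest(make_challenge(token_request["code_verifier"]), expected)


def username_password_request(client_id: str, client_secret: str, username: str,
                              password: str, security_token: str) -> dict:
    """The flow this page recommends blocking (grant_type=password): the
    integration must store the user's password and security token, and nothing
    ties the token exchange to the client that began the login."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password + security_token,
    }


if __name__ == "__main__":
    # Constructed placeholders; a real consumer key comes from the app definition.
    client_id = "3MVG9_EXAMPLE_CONSUMER_KEY"
    redirect_uri = "https://app.example.com/oauth/callback"
    verifier = make_verifier()
    state = b64url(secrets.token_bytes(16))
    url = build_authorize_url(client_id, redirect_uri, verifier, state)
    # The code would arrive on redirect_uri; this value is a constructed stand-in.
    req = build_token_request(client_id, redirect_uri, "aPrxCONSTRUCTED_CODE", verifier)
    print("authorize:", url)
    print("PKCE check with the right verifier:", server_checks_pkce(url, req))
    print("PKCE check with a wrong verifier:",
          server_checks_pkce(url, {**req, "code_verifier": make_verifier()}))
```

The verifier never appears in the browser redirect, so an attacker who captures the authorization code from the redirect_uri cannot redeem it; that is the property the PKCE setting enforces across every authorization-code variation. By contrast, username_password_request shows why the password grant is unrecoverable by configuration: the integration itself has to hold the user’s password and security token.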
