OAuth 1.0.A Flow
If your org uses the OAuth 1.0.A protocol, use this authorization flow to integrate a client—via a connected app—with the Salesforce API.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: All Editions |
| User Permissions Needed | |
|---|---|
| To manage, create, edit, and delete OAuth apps: | Manage Connected Apps |
Here are the major authorization steps.
- The connected app requests a request token. Salesforce verifies the request and returns a request token.
- The user logs in and authorizes the connected app to access data.
- The connected app requests an access token.
- After Salesforce verifies the request and grants the token, the connected app accesses the data.
For the list of possible error codes returned by Salesforce, see OAuth 1.0.A Error Codes.
Request a Request Token
To initiate the OAuth 1.0.A flow, the connected app sends a request to the Salesforce OAuth request token handler endpoint (https://login.salesforce.com/_nc_external/system/security/oauth/RequestTokenHandler).
Include the following OAuth parameters in the request.
After Salesforce receives the request, it does the following:
- Validates the request with its own copy of the consumer secret.
- Generates a response containing a request token and request token secret in the HTTP body as name and value pairs.
- Sends the response back to the consumer.
A request token is valid for 15 minutes, plus 3 minutes to allow for differences between machine clocks.
User Authorizes Access
After the connected app makes its initial request for the request token, the user is prompted to authorize access.
- The connected app redirects the user to https://login.salesforce.com/setup/secur/RemoteAccessAuthorizationPage.apexp. The appropriate GET query parameters are appended to this URL.
  - oauth_token (the request token)
  - oauth_consumer_key

  Note If an oauth_callback parameter is included, it's ignored.
- The user is prompted to authorize access for the connected app on the Remote Access Authorization page.
- After the user authorizes access, Salesforce generates the access token and access token secret.

  Note A user can grant a limited number of concurrent access tokens to an app. The default is five per app per user. If this authorization exceeds the org’s limit, the user is notified and the last used tokens are revoked.
- Salesforce verifies the callback URL and redirects the user as follows.
  - If the oauth_callback defined in the request token is oob and the connected app’s callback URL is valid, the user is redirected to that URL.
  - If the oauth_callback defined in the request token is a valid URL, the user is redirected to that URL.
  - If the
Request the Access Token
After the user authorizes access for the connected app, the connected app can exchange a request token for an access token. It makes an HTTPS GET or POST request to https://login.salesforce.com/_nc_external/system/security/oauth/AccessTokenHandler. Include these parameters in the query or post data.
| Parameter | Description |
|---|---|
| oauth_consumer_key | The consumer key of the connected app. To access the consumer key, from the App Manager, find the connected app and select View from the dropdown. Then click Manage Consumer Details and verify your identity. |
| oauth_signature_method | The OAuth signature method must be HMAC-SHA1 for this flow. |
| oauth_signature | The OAuth signature used for login, which you generate according to the OAuth specification for HMAC-SHA1. See oauth_signature. |
| oauth_timestamp | Time stamp of when the signature was created. |
| oauth_token | The request token that the connected app received in its initial request. |
| oauth_nonce | Optional. Allows the service provider to verify that a request hasn’t been made before, and helps prevent replay attacks. Because the timestamp check accepts requests for up to 18 minutes, a signed request sent without a nonce can be replayed for that whole window, so always include one. |
| oauth_verifier | The request token secret that the connected app received in its initial request. |
| oauth_version | Optional. If included, the OAuth version must be 1.0 for this flow. |
Salesforce validates these elements in the request:
- Consumer secret (Salesforce checks the signature against its own copy; the secret itself is never sent)
- Consumer key
- Signature
- Whether the request token has been used before
- Timestamp (must be within 15 minutes, plus 3 minutes to allow for differences between machine clocks)
- Whether the nonce has been used before (only possible if the client sent one)
Upon validation, Salesforce returns the access token and access token secret in the HTTP response body as name and value pairs.
Access Data
After the connected app possesses a valid access token, it can access Salesforce data by posting a request to https://login.salesforce.com. The following parameters are included in the HTTP POST authorization header.
| Parameter | Description |
|---|---|
| oauth_consumer_key | The connected app’s consumer key. To access the consumer key, from the App Manager, find the connected app and select View from the dropdown. Then click Manage Consumer Details. You're sometimes prompted to verify your identity. |
| oauth_token | The access token that the connected app received from Salesforce. |
| oauth_signature_method | The OAuth signature method must be HMAC-SHA1 for this flow. |
| oauth_signature | The OAuth signature used for login, which you generate according to the OAuth specification for HMAC-SHA1. See oauth_signature. |
| oauth_timestamp | Time stamp of when the signature was created. |
| oauth_nonce | Optional. Allows the service provider to verify that a request hasn’t been made before, and helps prevent replay attacks. |
| oauth_version | Optional. If included, the OAuth version must be 1.0 for this flow. |
Salesforce validates the request and sends a valid session ID to the connected app. The session ID is short-lived and valid only for frontdoor.jsp. To obtain a session ID that can be used directly, use the API access token exchange.
When the connected app possesses a valid access token, it can request to access Salesforce data using the Lightning Platform API. The connected app can post a request to https://login.salesforce.com/services/OAuth/type/api-version.
Replace the URL variables with the following:
- type must have one of the following values.
  - u: Partner WSDL
  - c: Enterprise WSDL
- api-version must be a valid API version.
Include the following parameters in the HTTPS POST authorization header.
| Parameter | Description |
|---|---|
| oauth_consumer_key | The consumer key of the connected app. To access the consumer key, from the App Manager, find the connected app and select View from the dropdown. Then click Manage Consumer Details. You're sometimes prompted to verify your identity. |
| oauth_token | The access token that the connected app received from Salesforce. |
| oauth_signature_method | The OAuth signature method must be HMAC-SHA1 for this flow. |
| oauth_signature | The OAuth signature used for login, which you generate according to the OAuth specification for HMAC-SHA1. See oauth_signature. |
| oauth_timestamp | Time stamp of when the signature was created. |
| oauth_nonce | Optional. Allows the service provider to verify that a request hasn’t been made before, and helps prevent replay attacks. |
| oauth_version | Optional. If included, the OAuth version must be 1.0 for this flow. |
Salesforce validates the request and sends a valid session ID to the consumer. The response includes the following content (the instance host, org ID and session ID shown are placeholders).

```xml
<response>
  <metadataServerUrl>https://yourInstance.salesforce.com/services/Soap/m/17.0/00D300000006qjK</metadataServerUrl>
  <sandbox>false</sandbox>
  <serverUrl>https://yourInstance.salesforce.com/services/Soap/u/17.0/00D300000006qjK</serverUrl>
  <sessionId>00D300000006qrN!AQoAQJTMzwTa67tGgQck1ng_xgMSuWVBpFwZ1xUq2kLjMYg6ZqGTS8Ezu_C3w0pdT1DMyHiJgB6fbhhEPxKjGqlYnlROIUs1</sessionId>
</response>
```
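The three signed calls above (request token, access token, data access) all use the same HMAC-SHA1 signing rule from the OAuth 1.0a specification, and the provider-side checks listed under Request the Access Token are the same on every call. The following is an added example, not Salesforce code or any Salesforce library: it builds the signature base string, signs it with `encoded(consumer_secret)&encoded(token_secret)`, renders the Authorization header, and then plays the provider's role with the signature, timestamp-window and nonce checks, showing a replay, a tampered request and a stale request being rejected. It uses only the Python standard library and works against a frozen clock. Every key, secret, token and nonce value is a constructed placeholder; the 18-minute window is the 15 plus 3 minutes stated on this page.

```python
"""HMAC-SHA1 signing and provider-side verification for the OAuth 1.0a calls described above.
Added example, not Salesforce code. All keys, secrets, tokens and nonces are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

ACCESS_TOKEN_URL = "https://login.salesforce.com/_nc_external/system/security/oauth/AccessTokenHandler"
TIMESTAMP_WINDOW_SECONDS = (15 + 3) * 60   # 15 minutes plus 3 minutes of clock skew, as stated on the page


def pct(value) -> str:
    """RFC 5849 percent-encoding: only unreserved characters (A-Z a-z 0-9 - . _ ~) pass through."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&encoded(url)&encoded(sorted, normalized params); oauth_signature itself is excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is encoded(consumer_secret)&encoded(token_secret); token secret is empty for the request-token call."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    return base64.b64encode(hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()).decode("ascii")


def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 extra=None, nonce=None, timestamp=None) -> dict:
    """Client side: assemble the oauth_* parameters for one call and sign them."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),   # always sent, even though the page lists it as optional
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token   # request token, or the access token when accessing data
    params.update(extra or {})          # e.g. oauth_verifier for the access-token call
    params["oauth_signature"] = hmac_sha1_signature(signature_base_string(method, url, params),
                                                    consumer_secret, token_secret)
    return params


def authorization_header(params: dict) -> str:
    """Render signed parameters as the Authorization header used when accessing data."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


class ProviderVerifier:
    """Provider side: the checks listed under 'Request the Access Token', in a testable form."""

    def __init__(self, consumer_secrets: dict, token_secrets: dict, now=time.time):
        self.consumer_secrets = consumer_secrets   # consumer key -> provider's own copy of the consumer secret
        self.token_secrets = token_secrets         # token -> token secret
        self.now = now
        self.seen_nonces = set()                   # (consumer key, nonce) pairs already accepted

    def verify(self, method: str, url: str, params: dict) -> str:
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return "unsupported signature method"
        consumer_secret = self.consumer_secrets.get(params.get("oauth_consumer_key"))
        if consumer_secret is None:
            return "unknown consumer key"
        try:
            sent_at = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return "missing timestamp"
        if abs(int(self.now()) - sent_at) > TIMESTAMP_WINDOW_SECONDS:
            return "stale timestamp"
        token = params.get("oauth_token", "")
        if token and token not in self.token_secrets:
            return "unknown token"
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       consumer_secret, self.token_secrets.get(token, ""))
        # Constant-time compare, done before the nonce is spent so a forged request cannot burn a nonce.
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return "bad signature"
        nonce_key = (params["oauth_consumer_key"], params.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:
            return "nonce reused"
        self.seen_nonces.add(nonce_key)
        return "ok"


def demo() -> list:
    """Access-token exchange, then a replay, a tampered copy and a stale request; returns each verdict."""
    fixed_now = 1_700_000_000   # frozen clock so the run is deterministic
    consumer_key, consumer_secret = "consumer_key_example", "consumer_secret_example"
    request_token, request_secret = "request_token_example", "request_token_secret_example"
    provider = ProviderVerifier({consumer_key: consumer_secret}, {request_token: request_secret},
                                now=lambda: fixed_now)
    common = dict(token=request_token, token_secret=request_secret,
                  extra={"oauth_verifier": request_secret})   # oauth_verifier as the table above specifies
    signed = sign_request("POST", ACCESS_TOKEN_URL, consumer_key, consumer_secret,
                          nonce="nonce-0001", timestamp=fixed_now, **common)
    verdicts = [provider.verify("POST", ACCESS_TOKEN_URL, signed)]        # ok
    verdicts.append(provider.verify("POST", ACCESS_TOKEN_URL, signed))    # same request again: nonce reused
    verdicts.append(provider.verify("POST", ACCESS_TOKEN_URL, dict(signed, oauth_verifier="guess")))  # bad signature
    stale = sign_request("POST", ACCESS_TOKEN_URL, consumer_key, consumer_secret,
                         nonce="nonce-0002", timestamp=fixed_now - 19 * 60, **common)
    verdicts.append(provider.verify("POST", ACCESS_TOKEN_URL, stale))     # 19 minutes old: stale timestamp
    return verdicts
```

Running `demo()` returns `['ok', 'nonce reused', 'bad signature', 'stale timestamp']`. The same `sign_request` call with `token=""` produces the request-token request, and with the access token and its secret produces the data-access request, whose parameters `authorization_header` renders for the HTTP POST Authorization header. Note that the nonce check only helps when the client sends one; a request without `oauth_nonce` that is captured on the wire is accepted again until its timestamp leaves the 18-minute window.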
