          OAuth 2.0 Username-Password Flow for Special Scenarios

          You can use the username-password flow to authorize a client via a connected app that already has the user’s credentials. However, we recommend avoiding this flow because it passes credentials back and forth. Use it only if there’s a high degree of trust between the resource owner and the client, the client is a first-party app, Salesforce is hosting the data, and other grant types aren’t available. In these cases, set user permissions to minimize access and protect stored credentials from unauthorized access.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: All Editions
          Note: Connected apps creation is restricted as of Spring ’26. You can continue to use existing connected apps during and after Spring ’26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

          See New connected apps can no longer be created in Spring ’26 for more details.

          Important: For increased security, we recommend using the OAuth 2.0 web server flow with Proof Key for Code Exchange (PKCE) or the OAuth 2.0 client credentials flow instead of the username-password flow. We also recommend that you block all connected apps from using the username-password flow.

          The username-password flow generates access tokens as Salesforce Session IDs that can’t be introspected. Because the access tokens are temporary, connected apps that are using this flow aren’t displayed on the Connected Apps OAuth Usage page, even if they have an active session. This flow doesn’t support scopes or refresh tokens. Experience Cloud sites don’t support the OAuth 2.0 username-password flow.

          Here are the major steps involved in the username-password flow.

          • The connected app requests an access token by sending the user’s login credentials to the Salesforce token endpoint.
          • After verifying the request, Salesforce grants an access token to the connected app.
          • The connected app can use the access token to access the protected data on the user’s behalf.

          Request an Access Token

          To request an access token, the connected app sends the user’s username and password as an out-of-band POST to the Salesforce token endpoint. Here’s an example POST body.

          grant_type=password&
          client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&
          client_secret=1955279925675241571&
          username=testuser@salesforce.com&
          password=mypassword

          Include these parameters in the POST.

          Important: When developing OAuth integrations, always pass sensitive information in the body of a POST request or in a request header. Don’t use GET parameters in the URL query string to pass sensitive information. Sensitive information includes but isn’t limited to usernames, passwords, OAuth tokens, client secrets, and any personally identifiable information. For more information on security best practices, see Storing Sensitive Data in the Secure Coding Guide.

          grant_type: The OAuth 2.0 grant type that the connected app requests. The value must be password for this flow.

          client_id: The consumer key of the connected app. To access the consumer key, from the App Manager, find the connected app and select View from the dropdown. Then click Manage Consumer Details. You’re sometimes prompted to verify your identity before you can view the consumer key.

          client_secret: The consumer secret of the connected app. To access the consumer secret, from the App Manager, find the connected app and select View from the dropdown. Then click Manage Consumer Details. You’re sometimes prompted to verify your identity before you can view the consumer secret.

          username: The username of the user on whose behalf the connected app acts.

          password: The password of the user on whose behalf the connected app acts. When using the username-password flow with an API, create a field in the username and password login screen where users can enter their security token. The security token is an automatically generated key that must be appended to the password to log in to Salesforce from an untrusted network. Concatenate the password and the security token (password first, then token) when sending the request for authentication.

          format: Optional. If the expected return format isn’t set in the request’s header, you can specify it with this parameter. The format parameter takes precedence over the request’s header. These formats are supported.

          • urlencoded
          • json (default)
          • xml
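The request described above, assembled in code as an added example (not Salesforce’s own code): it builds the form-encoded POST body with the password and security token concatenated, keeps every secret out of the URL query string as the Important note requires, and includes a small check that flags a URL carrying sensitive parameters. The token endpoint URL, the example.com username and the placeholder consumer key and secret are assumptions for illustration; the send helper is included but not invoked because it needs network access.

```python
"""Build (and optionally send) a Salesforce username-password token request.

Added example, not Salesforce's own code. Credentials below are placeholders.
"""
import urllib.parse
import urllib.request

# Assumed token endpoint for a production login; sandboxes use a different host.
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

SENSITIVE_PARAMS = {"password", "client_secret", "username", "access_token"}


def build_token_request(client_id, client_secret, username, password,
                        security_token="", fmt="json"):
    """Return (url, headers, body_bytes) for the username-password grant.

    The security token is appended to the password, as the flow requires
    when logging in from an untrusted network; an empty token leaves the
    password unchanged. All parameters go in the POST body, never the URL.
    """
    params = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password + security_token,  # concatenation: password then token
        "format": fmt,
    }
    body = urllib.parse.urlencode(params).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body


def decode_form_body(body):
    """Decode a form-encoded body back into a dict (used for inspection/tests)."""
    return dict(urllib.parse.parse_qsl(body.decode("utf-8")))


def secrets_in_query_string(url):
    """Defensive check: True if the URL's query string carries a sensitive parameter."""
    query = urllib.parse.urlparse(url).query
    names = {name for name, _ in urllib.parse.parse_qsl(query)}
    return bool(names & SENSITIVE_PARAMS)


def send_token_request(url, headers, body, timeout=10):
    """Perform the POST. Not called in this example because it needs network access."""
    if secrets_in_query_string(url):
        raise ValueError("refusing to send credentials in the query string")
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    url, headers, body = build_token_request(
        client_id="CONSUMER_KEY_PLACEHOLDER",
        client_secret="CONSUMER_SECRET_PLACEHOLDER",
        username="testuser@example.com",      # constructed sample user
        password="mypassword",
        security_token="SECURITYTOKEN",       # constructed sample token
    )
    print(url)
    print(headers)
    print(body.decode("utf-8"))
```

Because the flow issues no refresh token, the client must repeat this request whenever the session expires, so the stored password and security token should be protected with the same care as the access token itself.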

          Salesforce Grants an Access Token

          After verifying the request, Salesforce sends a response to the client. Here’s an example response.

          {"id":"https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P",
          "issued_at":"1278448832702",
          "instance_url":"https://yourInstance.salesforce.com/",
          "signature":"0CmxinZir53Yex7nE0TD+zMpvIWYGb/bdJh6XfOH6EQ=",
          "access_token":"00Dx0000000BV7z!AR8AQAxo9UfVkh8AlV0Gomt9Czx9LjHnSSpwBMmbRcgKFmxOtvxjTrKW19ye6PE3Ds1eQz3z8jr3W7_VbWmEu4Q8TVGSTHxs",
          "token_type":"Bearer"}

          These parameters are in the body of the response.

          id: An identity URL that can be used to identify the user and to query for more information about the user. See Identity URLs.

          issued_at: Time stamp (in milliseconds) of when the signature was created.

          instance_url: A URL indicating the instance of the user’s org. For example: https://yourInstance.salesforce.com/.

          signature: Base64-encoded HMAC-SHA256 signature signed with the client_secret. The signature covers the concatenated id and issued_at values, which you can use to verify that the identity URL hasn’t changed since the server sent it.

          access_token: OAuth token that a connected app uses to request access to a protected resource on behalf of the client application. Additional permissions in the form of scopes can accompany the access token.

          token_type: A Bearer token type, which is used for all responses that include an access token.

          Note: This response doesn’t send a refresh token.
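The signature check described above, as an added example that is not Salesforce’s own code: it recomputes Base64(HMAC-SHA256(client_secret, id + issued_at)) from a token response and compares it in constant time, rejecting a response whose identity URL was altered after signing. The sample response reuses the id, issued_at and consumer-secret values shown on this page, with the signature recomputed under that secret and a placeholder access token; the helper names are assumptions.

```python
"""Verify the `signature` field of a Salesforce token response.

Added example, not Salesforce's own code. Assumes, as the help page states,
signature = Base64(HMAC-SHA256(key=client_secret, msg=id + issued_at)).
"""
import base64
import hashlib
import hmac
import json


def compute_signature(identity_url, issued_at, client_secret):
    """Recompute the expected Base64 HMAC-SHA256 over id + issued_at."""
    msg = (identity_url + issued_at).encode("utf-8")
    digest = hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_token_response(response_json, client_secret):
    """Return True only if the response's signature matches its id + issued_at.

    hmac.compare_digest is used so the comparison time does not depend on
    how many leading bytes of the signature happen to match.
    """
    try:
        data = json.loads(response_json)
        expected = compute_signature(data["id"], data["issued_at"], client_secret)
        return hmac.compare_digest(expected, data["signature"])
    except (ValueError, KeyError, TypeError):
        return False  # malformed or incomplete response: treat as unverified


# Sample values taken from the page's example request/response; the
# signature is recomputed under this secret so the sample verifies.
SAMPLE_SECRET = "1955279925675241571"
SAMPLE_ID = "https://login.salesforce.com/id/00Dx0000000BV7z/005x00000012Q9P"
SAMPLE_ISSUED_AT = "1278448832702"
SAMPLE_RESPONSE = json.dumps({
    "id": SAMPLE_ID,
    "issued_at": SAMPLE_ISSUED_AT,
    "instance_url": "https://yourInstance.salesforce.com/",
    "signature": compute_signature(SAMPLE_ID, SAMPLE_ISSUED_AT, SAMPLE_SECRET),
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",
    "token_type": "Bearer",
})


def tampered_response():
    """The sample response with the identity URL pointing at a different user id."""
    data = json.loads(SAMPLE_RESPONSE)
    data["id"] = data["id"].replace("005x00000012Q9P", "005x00000000000")  # constructed
    return json.dumps(data)


if __name__ == "__main__":
    print(verify_token_response(SAMPLE_RESPONSE, SAMPLE_SECRET))       # True
    print(verify_token_response(tampered_response(), SAMPLE_SECRET))   # False
```

Run the check before trusting the id field for any lookup; a failed verification means the identity URL, the timestamp, or the secret you hold does not match what the server signed.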
          Salesforce Help | Article