Connected App and OAuth Terminology
What’s a token? Consumer? Callback URL? To better understand OAuth-enabled connected apps, familiarize yourself with a few terms.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: All Editions |
Note Connected app creation is restricted as of Spring ‘26. You can continue to use existing
connected apps during and after Spring ‘26. However, we recommend using external client apps instead. If you must continue
creating connected apps, contact Salesforce Support.
See New connected apps can no longer be created in Spring ‘26 for more details.
- Access Token
- Instead of using the user’s Salesforce credentials, a consumer (connected app) can use an access token to gain access to protected resources on behalf of the user.
- For OAuth 1.0.A, the access token must be exchanged for a session ID.
- For OAuth 2.0, the access token is a session ID and can be used directly.
- Authorization Code
- Only used in OAuth 2.0 with the web server flow, the authorization code is a token that represents the access granted by the end user. The authorization code is used to obtain an access token and a refresh token. It expires after 15 minutes.
- For OAuth 1.0.A, see RequestToken.
- Authorization Server
- The authorization server is the server that authorizes a resource owner, and upon successful authorization, issues access tokens to the requesting consumer.
- Callback URL
- A callback URL is the URL that is invoked after OAuth authorization for the consumer (connected app). In some contexts, the URL must be a real URL that the client’s web browser is redirected to. In others, the URL isn’t actually used, but the value between your client app and the server (the connected app definition) must be the same. For example, you might want to use a value that identifies the app, such as https://MyCompany.Myapp.
- Consumer
- A consumer is the website or app that uses OAuth to authorize both the Salesforce user and itself on the user’s behalf. Referred to as client in OAuth 2.0.
- Consumer Key
- A consumer uses a key to identify itself to Salesforce. Referred to as client_id in OAuth 2.0.
- Consumer Secret
- A consumer uses a secret to establish ownership of the consumer key. Referred to as client_secret in OAuth 2.0.
- OAuth Endpoint
- OAuth endpoints are the URLs that you use to make OAuth authorization requests to Salesforce.
- Nonce
- A nonce is a value, usually random, that is used only once during authorization so that a captured request cannot be replayed.
- OAuth
- Open Authorization (OAuth) is a standard, token-based protocol for authorization.
- Refresh Token
- Only used in OAuth 2.0, a consumer can use a refresh token to obtain a new access token, without having the end user approve the access again.
- Request Token
- Only used in OAuth 1.0.A, a consumer (connected app) can use a request token to obtain authorization from the end user. It exchanges the token for an access token.
- For OAuth 2.0, see Authorization Code.
- Resource Owner
- The resource owner is the entity (usually the end user) that grants access to a protected resource.
- Resource Server
- The resource server is the server that hosts the protected resource. Your Salesforce org is the resource server that protects your data.
- Token Secret
- A consumer uses this secret to establish ownership of a given token, both for request tokens and access tokens.
- User
- An individual who has a Salesforce login.
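The terms above map onto concrete messages in the OAuth 2.0 web server flow. The following is an added example, not Salesforce’s own code or a Salesforce SDK: it shows how a consumer builds the authorization request with its consumer key (client_id) and callback URL, validates the redirect back to that callback URL (the state parameter carries the nonce role described above), and forms the token-endpoint bodies that exchange the authorization code for an access token and later use the refresh token. The consumer key, consumer secret, callback URL, and the callback query string are constructed placeholders; the endpoint URLs are Salesforce’s standard production OAuth endpoints. Nothing is sent over the network.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Salesforce's production OAuth endpoints (sandboxes use test.salesforce.com instead).
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

# Placeholder connected-app settings, constructed for this example (not real credentials).
CONSUMER_KEY = "3MVG9.placeholder.consumer.key"
CONSUMER_SECRET = "placeholder-consumer-secret"
CALLBACK_URL = "https://myapp.example.com/oauth/callback"


def new_state() -> str:
    """Generate the per-request nonce carried in the OAuth 2.0 `state` parameter.

    It must be unpredictable and kept server-side with the user's session so the
    callback can be tied to the authorization request that started it.
    """
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, scope: str = "api refresh_token") -> str:
    """Step 1: the consumer redirects the user's browser here, identifying itself by client_id."""
    params = {
        "response_type": "code",
        "client_id": CONSUMER_KEY,
        "redirect_uri": CALLBACK_URL,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect to the callback URL and extract the authorization code."""
    received = urlsplit(callback_url)
    registered = urlsplit(CALLBACK_URL)
    # The callback URL must match the connected-app definition exactly (scheme, host, path).
    if (received.scheme, received.netloc, received.path) != (
        registered.scheme, registered.netloc, registered.path
    ):
        raise ValueError("callback URL does not match the registered value")
    query = parse_qs(received.query)
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    state = query.get("state", [""])[0]
    # Constant-time comparison against the nonce we issued: rejects replays and
    # codes injected by a third party who never saw our state value.
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state nonce mismatch")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request(code: str) -> dict:
    """Step 3: form body POSTed to TOKEN_URL to trade the code for access and refresh tokens."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CONSUMER_KEY,
        "client_secret": CONSUMER_SECRET,  # proves ownership of the consumer key
        "redirect_uri": CALLBACK_URL,      # must equal the value used in step 1
    }


def refresh_request(refresh_token: str) -> dict:
    """Later: obtain a new access token without sending the user back through authorization."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CONSUMER_KEY,
        "client_secret": CONSUMER_SECRET,
    }


if __name__ == "__main__":
    state = new_state()
    print("redirect user to:", build_authorize_url(state))
    # Constructed callback, as the browser would deliver it after the user approves access.
    callback = f"{CALLBACK_URL}?code=aPrxCONSTRUCTEDcode&state={state}"
    code = parse_callback(callback, state)
    print("POST", TOKEN_URL, token_request(code))
    print("POST", TOKEN_URL, refresh_request("CONSTRUCTED_refresh_token"))
```

The state value is the only thing tying the callback to the session that began the flow, so it is generated with `secrets`, stored per user, and compared in constant time; a callback arriving at a different host or path, or with a foreign or missing state, is rejected before any code is sent to the token endpoint. The authorization code itself is single-use and, per the definition above, expires after 15 minutes, so the token request should follow the callback immediately.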