When Salesforce is just one component of an architecture that includes a central identity
provider along with multiple apps and microservices, use the OAuth 2.0 token exchange flow to
simplify your integration patterns. With this flow, exchange tokens from external identity
providers for Salesforce tokens and grant access to Salesforce data.
Required Editions
Available in: Enterprise, Performance, Unlimited, and Developer Editions
To learn more about how this flow works and how to set it up, see these resources.
Token Exchange Flow Use Cases
To decide if the OAuth 2.0 token exchange flow is the right solution for your company, learn more about when to use it.
Token Exchange Flow Diagram and Process
The OAuth 2.0 token exchange flow can simplify integrations for use cases with a central identity provider serving multiple apps and microservices. To understand how the flow works, review this step-by-step overview.
Integrate an App for the Token Exchange Flow
To integrate an app with Salesforce for the OAuth 2.0 token exchange flow, create a Salesforce connected app or an external client app.
Create a Token Exchange Handler Apex Class
A token exchange handler consists of an Apex class that extends the Oauth2TokenExchangeHandler abstract class and a token exchange handler definition. To get started, create an Apex class to reference in the handler definition.
Define a Token Exchange Handler
To finish creating a token exchange handler, define the handler on the Token Exchange Handlers page in Setup, or use Metadata API to define a new OauthTokenExchangeHandler metadata type.
Enable Apps for a Token Exchange Handler
To enable a connected app or external client app for a token exchange handler, use the Token Exchange Handlers page in Setup, or edit its metadata definition.
Set Up the Token Exchange Flow
Some use cases require you to integrate Salesforce with an external identity provider along with multiple apps and microservices. To simplify these integrations, use the OAuth 2.0 token exchange flow. With this flow, exchange tokens from an external identity provider for Salesforce tokens.