Restrict Customers and Partners from Accessing APIs
You can use API Access Control to restrict customers and partners from accessing APIs,
unless they’re using a connected app that is installed in the Experience Cloud site. Connected
apps integrate external applications with Salesforce APIs. You can select which connected apps
to install in the Experience Cloud site to limit access to APIs.
Required Editions
Available in: both Salesforce Classic and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
User Permissions Needed
To read, create, update, or delete connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND either Modify All Data OR Manage Connected Apps
To update Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND Modify All Data AND Manage Profiles and Permission Sets
To rotate the consumer key and consumer secret: Allow consumer key and secret rotation
To install and uninstall connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
To install and uninstall packaged connected apps: Download AppExchange Packages AND Customize Application AND either Modify All Data OR Manage Connected Apps
To enable this feature, request API Access Control from Salesforce Customer Support.
Important: If users have the Use Any API Client permission, they can access any app, including all connected apps. Use this permission with extreme caution. It’s only intended for a limited number of admins.
1. From Setup, in the Quick Find box, enter API Access Control, and select API Access Control.
2. Click Edit, and select For customers and partners, limit API access to only installed connected apps.
   Customers and partners can access Salesforce APIs only if they’re using an installed connected app. Install a connected app on the Connected Apps OAuth Usage page.
3. To allow users of Visualforce pages to override this limitation and access APIs, select Allow Visualforce pages to access APIs.
   If you don’t select this option, users who access Salesforce APIs through Visualforce are denied access. Client apps that call getSessionId() are also denied access.
4. Save your changes.
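Because the Use Any API Client permission bypasses this restriction entirely, an admin enabling it will want to know exactly who holds that permission and whether it arrives through a profile or a permission set. The following Python script is an added example and not part of the Salesforce article; it assumes the PermissionSet field for the permission is named PermissionsUseAnyApiClient (the usual Permissions<Name> convention, to be confirmed with a describe call) and takes an admin access token and instance URL as inputs.

```python
"""Audit who holds the Use Any API Client permission (added example)."""
import json
import urllib.parse
import urllib.request

# Assumption: the PermissionSet field for the "Use Any API Client" user permission
# follows the usual Permissions<Name> naming convention; confirm with a describe call.
PERMISSION_FIELD = "PermissionsUseAnyApiClient"

SOQL = (
    "SELECT Assignee.Username, PermissionSet.Name, PermissionSet.IsOwnedByProfile, "
    "PermissionSet.Profile.Name FROM PermissionSetAssignment "
    f"WHERE PermissionSet.{PERMISSION_FIELD} = true"
)

def query(instance_url, access_token, api_version="v60.0"):
    """Run the SOQL against the org's REST API (requires a valid admin session)."""
    url = f"{instance_url}/services/data/{api_version}/query?q={urllib.parse.quote(SOQL)}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def holders(payload):
    """Map each username to the profiles and permission sets granting the permission."""
    result = {}
    for rec in payload.get("records", []):
        user = rec["Assignee"]["Username"]
        ps = rec["PermissionSet"]
        # A profile-owned permission set means the grant comes from the user's profile,
        # which is the broader and easier-to-miss way to hand out this permission.
        if ps.get("IsOwnedByProfile"):
            source = f"profile:{ps['Profile']['Name']}"
        else:
            source = f"permset:{ps['Name']}"
        result.setdefault(user, []).append(source)
    return result

# Constructed sample response standing in for a live query result.
SAMPLE = {"records": [
    {"Assignee": {"Username": "admin@example.com"},
     "PermissionSet": {"Name": "X00e", "IsOwnedByProfile": True,
                       "Profile": {"Name": "System Administrator"}}},
    {"Assignee": {"Username": "integration@example.com"},
     "PermissionSet": {"Name": "Integration_API", "IsOwnedByProfile": False, "Profile": None}},
]}

if __name__ == "__main__":
    for user, sources in sorted(holders(SAMPLE).items()):
        print(user, "<-", ", ".join(sources))
```

Any username listed outside the small set of intended admins is a finding, since each of those users can reach the APIs through any client regardless of which connected apps are installed.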
Note: If you allowlist connected apps in your org and don’t receive the expected scopes, take these steps:
1. From Setup, in the Quick Find box, enter OAuth, then select Connected Apps OAuth Usage.
2. For the allowlisted connected app, click Block.
3. For the allowlisted connected app, click Unblock.
Grant Customers and Partners Access to Uninstalled or Blocked Connected Apps
After enabling this API Access Control restriction, you can grant customers and partners access to connected apps that are uninstalled or blocked. Org users can still access connected apps that are uninstalled.
1. From Setup, in the Quick Find box, enter Connected Apps, and select Connected Apps OAuth Usage.
2. Under Actions:
   - Click Install if the connected app isn’t installed.
   - Click Unblock to allow users to access the connected app.
Salesforce Help | Article