          API (Enable OAuth Settings): Enable OAuth Settings Control

          Enabling OAuth settings in a Salesforce Connected App allows the application to use secure, token-based authorization protocols and granular scopes.

          Control Name

          Connected Apps: API (Enable OAuth Settings): Enable OAuth Settings

          Recommended Configuration

          Enable OAuth Settings - Selected.

          Control Overview

          Enabling OAuth settings in a Salesforce Connected App allows the application to use secure, token-based authorization protocols and granular scopes rather than relying on less secure, legacy credential-sharing methods.

          Security Risk If Not Configured

          The Connected App cannot use OAuth 2.0, forcing the use of less secure methods like legacy session IDs or hard-coded credentials. This lack of standardized authorization prevents the enforcement of granular access controls, leaving the integration without the protective layers of scopes, refresh token policies, or multi-factor authentication.

          Threat Scenarios

          An attacker can harvest static credentials via man-in-the-middle attacks.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Without OAuth settings enabled, you lose administrative visibility and revocation control (for example, OAuth Sessions).

          Higher Risk When

          When sensitive data must be accessed by public-facing apps, as the lack of OAuth protections means that any intercepted credential provides unrestricted access to the user's full permissions.

          Low Risk When

          If the app is strictly used for non-API functions, such as SAML-based Single Sign-On, where authentication is handled through a separate, secure identity provider handshake.

          Business and Integration Considerations

          Although leaving these settings disabled can seem simpler for legacy systems, doing so creates a significant technical barrier that prevents the use of modern, scalable Salesforce features like Headless Identity and the REST API.

          Recommended Remediation

          Turn on "OAuth Settings" within the Connected App to establish a secure handshake using the Authorization Code or JWT Bearer flow, ensuring all API traffic is governed by granular scopes and PKCE.
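          The client side of the Authorization Code flow with PKCE and scopes that the remediation calls for, as an added example that is not Salesforce's own code: the client ID, redirect URI and scope list are placeholder assumptions, and the block builds the authorization request and the token-exchange body without sending them, so it runs offline.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Salesforce OAuth 2.0 endpoints (production login host; sandboxes use test.salesforce.com).
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """High-entropy code verifier (43 to 128 unreserved characters); keep it client-side only."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, scopes, verifier: str, state: str) -> str:
    """Authorization request that ties the later code exchange to this client via the challenge.

    client_id and redirect_uri are placeholders; use the values registered on the Connected App.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # granular scopes, e.g. "api refresh_token"
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,                     # random per request; checked on the redirect
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def token_request_body(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Form body POSTed to TOKEN_URL; the verifier proves this client started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def check_state(expected: str, returned: str) -> bool:
    """Reject a redirect whose state differs from the one issued (CSRF protection)."""
    return secrets.compare_digest(expected, returned)
```

Because the authorization server only releases tokens for the scopes listed in the request, the resulting session is also visible and revocable under the org's OAuth session management.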

          Security Health Review Guidance

          Security Health Review recommends this as a must-have foundational setting for Connected Apps.

          Salesforce Help | Article