          OAuth Flow Enablement: Disable Client Credentials Flow Control

          Control Name

          External Client Apps: OAuth Flow Enablement: Disable Client Credentials Flow

          Recommended Configuration

          Disable Client Credentials Flow.

          Control Overview

          This security setting deactivates the OAuth 2.0 grant type that lets an application authenticate and access data using only its own credentials without any user intervention or presence.

          Security Risk If Not Configured

          When this flow is enabled, the compromise of a single set of client credentials grants an attacker persistent, autonomous access to the entire org’s data at a high privilege level, completely bypassing multi-factor authentication.

          Threat Scenarios

          A malicious actor gains access to a plaintext client secret stored in a configuration file and uses it to programmatically exfiltrate sensitive records through a background process that never expires.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Permitting unattended machine-to-machine authentication increases the probability of long-term data breaches because the access remains active even if individual user passwords are changed or accounts are deactivated.

          Higher Risk When

          The associated integration user has been granted administrative permissions, or the ability to modify all data across multiple objects.

          Low Risk When

          The company enforces strict IP address filtering for the specific integration and uses certificates instead of shared secrets for the authentication handshake.

          Business and Integration Considerations

          Disabling this flow will immediately break any automated back-end integrations, scheduled data synchronizations, or server-side applications that do not support a user-driven authorization process.

          Recommended Remediation

          Go to the OAuth settings of the External Client App and make sure that the checkbox for the client credentials flow is deselected.
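          As an added illustration (not Salesforce's code), the following Python applies the risk logic described above to a constructed inventory of External Client Apps: it flags apps with the client credentials flow enabled, rates each using the Higher Risk / Low Risk conditions, and lists which integrations the remediation would affect. The app fields, permission names and sample apps are assumptions for the example, not the platform's API or metadata.

```python
from dataclasses import dataclass, field

# Assumed permission names for the example; not Salesforce's metadata field names.
ADMIN_PERMISSIONS = {"ModifyAllData", "ViewAllData", "ManageUsers"}

@dataclass
class ExternalClientApp:
    name: str
    client_credentials_flow: bool        # the control this article covers
    run_as_user: str = ""                # integration user the flow runs as
    permissions: set = field(default_factory=set)
    ip_restricted: bool = False          # strict IP filtering for this integration
    certificate_auth: bool = False       # certificate instead of shared secret

def assess(app: ExternalClientApp):
    """Rate one app per the article's conditions. Returns (level, findings)."""
    if not app.client_credentials_flow:
        return "none", ["client credentials flow disabled (recommended configuration)"]
    findings = ["unattended access possible with the client credentials alone; MFA is bypassed"]
    elevated = app.permissions & ADMIN_PERMISSIONS
    if elevated:
        findings.append(f"run-as user {app.run_as_user!r} holds {sorted(elevated)}")
        return "high", findings
    if app.ip_restricted and app.certificate_auth:
        findings.append("IP filtering and certificate-based handshake limit exposure")
        return "low", findings
    if not app.ip_restricted:
        findings.append("no IP restriction: a leaked secret works from anywhere")
    if not app.certificate_auth:
        findings.append("shared secret in use: a compromise is silent and long-lived")
    return "medium", findings

def audit(apps):
    """Map app name -> (level, findings) for every app in the inventory."""
    return {app.name: assess(app) for app in apps}

def remediation_targets(apps):
    """Apps whose flow must be disabled; each breaks until it supports a user-driven flow."""
    return sorted(a.name for a in apps if a.client_credentials_flow)

# Constructed sample inventory for the example.
SAMPLE_APPS = [
    ExternalClientApp("erp-sync", True, "int.erp", {"ModifyAllData"}),
    ExternalClientApp("hr-feed", True, "int.hr", {"ApiEnabled"}, ip_restricted=True, certificate_auth=True),
    ExternalClientApp("bi-export", True, "int.bi", {"ApiEnabled"}),
    ExternalClientApp("mobile-app", False),
]

if __name__ == "__main__":
    for name, (level, findings) in audit(SAMPLE_APPS).items():
        print(name, level, findings)
    print("disable client credentials flow on:", remediation_targets(SAMPLE_APPS))
```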

          Security Health Review Guidance

          Security Health Review identifies the elimination of static, unattended credentials as a mandatory step in a defense-in-depth strategy, favoring interactive or certificate-based authentication methods that provide superior visibility and continuous verification.
