Set Up and Maintain Your Salesforce Organization
          Use Any API Client - Restriction Control

          Control Name

          Use Any API Client - Restriction

          Control Overview

          Restricts API access to only admin-approved Connected Apps, eliminating the ability for users to use unauthorized or legacy API clients.

          Description

          Disables the global Use Any API Client system permission across all Profiles and Permission Sets, forcing all programmatic interactions through defined OAuth flows.

          Recommended Configuration

          Deselect Use Any API Client on all Profiles. Replace with granular access by assigning users to specific Connected Apps that have been vetted and authorized by the security team.

          Security Impact

          Closes a massive security hole where users could use their credentials in untrusted 3rd-party applications or CLI scripts that bypass corporate monitoring.

          Business Impact

          Increases visibility into which specific applications are consuming API limits and accessing data. This improves resource management and auditability, and allows stricter security policies that strengthen the overall security posture.

          Security Risk If Not Configured

          Unauthorized users or potential attackers with stolen credentials can use any API-compatible tool to scrape data, bypassing the security wrappers intended by the third-party applications.

          Threat Scenarios

          Data Exfiltration: Unauthorized data export.
          Credential Abuse: A leaked password is used via a custom script that mimics a trusted client.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          High risk for companies with many admins or users with elevated access profiles that have historically relied on broad API access.

          Higher Risk When

          Profiles also have Export Reports or Modify All Data enabled, as Use Any API Client provides a programmatic highway to those permissions.

          Low Risk When

          Access is strictly mediated via Connected App OAuth Scopes.

          Business and Integration Considerations

          Disabling this may break existing scripts or legacy integrations that haven't been registered as external third-party applications.

          Security Health Review Guidance

          Security Health Review scans permissions metadata to identify any profiles that have the Use Any API Client permission enabled in your Salesforce org.
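
A comparable check can be run over retrieved Profile and Permission Set metadata files. The following is an added example, not Salesforce's code and not how Security Health Review itself is implemented. It assumes the permission API names `UseAnyApiClient`, `ExportReport` and `ModifyAllData`, and the sample files are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
TARGET = "UseAnyApiClient"                      # assumed API name for Use Any API Client
AMPLIFIERS = {"ExportReport", "ModifyAllData"}  # assumed API names ("Higher Risk When")

def sample(kind, perms):
    # Build a constructed Profile/PermissionSet metadata document.
    rows = "".join(
        f"<userPermissions><enabled>{str(on).lower()}</enabled>"
        f"<name>{name}</name></userPermissions>"
        for name, on in perms
    )
    return f'<{kind} xmlns="{NS["md"]}">{rows}</{kind}>'

# Constructed sample input, standing in for retrieved metadata files.
SAMPLES = {
    "Sales Rep.profile-meta.xml": sample(
        "Profile", [("UseAnyApiClient", False), ("ExportReport", True)]),
    "Integration Admin.profile-meta.xml": sample(
        "Profile", [("UseAnyApiClient", True), ("ModifyAllData", True)]),
    "Legacy Script.permissionset-meta.xml": sample(
        "PermissionSet", [("UseAnyApiClient", True)]),
}

def enabled_permissions(xml_text):
    """Return the names of user permissions set to true in one metadata file."""
    root = ET.fromstring(xml_text)
    perms = set()
    for node in root.findall("md:userPermissions", NS):
        name = node.findtext("md:name", default="", namespaces=NS).strip()
        state = node.findtext("md:enabled", default="false", namespaces=NS)
        if name and state.strip().lower() == "true":
            perms.add(name)
    return perms

def audit(files):
    """List (path, risk, amplifiers) for every file that grants TARGET."""
    findings = []
    for path, xml_text in sorted(files.items()):
        perms = enabled_permissions(xml_text)
        if TARGET in perms:
            amplifiers = sorted(perms & AMPLIFIERS)
            risk = "higher" if amplifiers else "standard"
            findings.append((path, risk, amplifiers))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

Each finding is a profile or permission set where the permission should be deselected and replaced with assignment to a vetted Connected App.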

          Who Is Impacted

          Internal employees, administrators, developers, and workforce users accessing connected applications through Salesforce directly.

           