Original Publication Date - November 17, 2025
Updated - November 24, 2025
To align with the connected app security features rolled out in September 2025 (Prepare for Connected App Usage Restrictions Change), Salesforce is changing the behavior of the “Use Any API Client” permission so that users with this permission are restricted from self-authorizing uninstalled connected apps.
This change does not affect other existing functionalities of the "Use Any API Client" user permission, such as unrestricted access to Salesforce APIs.
This change is intended to reduce the risk of phishing or other types of threats where end-users are misled into self-authorizing malicious or unauthorized connected apps, which could give attackers the opportunity to gain unauthorized access and exfiltrate data.
This change takes effect starting the week of December 8, 2025.
Users who depend on the "Use Any API Client" permission to self-authorize uninstalled connected apps will no longer be able to do so, as this functionality will be removed once the change is enforced.
1. In Setup, navigate to the API Access Control page. If the setting “For admin-approved users, limit API access to only allowlisted connected apps.” is checked, proceed to the next step. If it's not checked, no further action is required.
Please note: If you have not previously contacted Customer Support to enable API access control in Setup, these settings will not be visible, and no further action is required.
2. Identify Where “Use Any API Client” is used: We recommend that you and your security teams audit your current Salesforce user permissions to identify any instances where the "Use Any API Client" permission has been assigned. If assigned to any end-users, evaluate the reason why the user previously had access.
If end-users must continue to self-authorize and use uninstalled connected apps, refer to the section "Admins need to continue to self-authorize and use uninstalled connected apps, what should I do?" Otherwise, if this permission is not required, you can manually remove it from those users. Alternatively, you can wait for Salesforce to enforce this change, which will automatically remove the ability to self-authorize uninstalled connected apps.
If assigned to any integration or API-only users, no action is required as part of this change. See “Should I keep the perm assigned to my integration and API-only users?”
If not assigned - no further action is required.
3. Install or Block Connected Apps: Take steps to review, install, and allowlist connected apps that you want to make accessible for end-users and only grant user access based on the principle of least privilege. Block any connected apps that you do not trust (when blocking connected apps - take action to uninstall, if applicable).
Options you might consider to identify where “Use Any API Client” is used:
Manually review all Profiles and Permission Sets in Setup to see where “Use Any API Client” is assigned.
Use Salesforce SOQL queries to determine where it's assigned. See the section below for examples.
Users with “Use Any API Client” assigned:
SELECT AssigneeId, Assignee.Id, Assignee.Username FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsUseAnyApiClient = true
Profiles with “Use Any API Client” assigned
SELECT Id, Name FROM Profile WHERE PermissionsUseAnyApiClient = true
Permission Sets with “Use Any API Client” assigned
SELECT Id, Name FROM PermissionSet WHERE PermissionsUseAnyApiClient = true
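The following script is an added example, not Salesforce's own code, showing how the audit in steps 1 to 3 can be driven from the SOQL results above. It assumes the query results have already been fetched through the REST query endpoint (the helper only builds that URL; the API version string is an assumed value) and arrive in the nested record shape the REST API returns. The first query is extended with PermissionSet.NamespacePrefix, PermissionSet.IsOwnedByProfile and PermissionSet.Profile.Name so that Platform Integration User grants under the "force" namespace and profile-owned grants can be told apart from ordinary end-user grants. The set of users holding "Approve Uninstalled Connected Apps" is taken as a separate input, and all sample records are constructed.

```python
from collections import defaultdict
from urllib.parse import quote

# SOQL queries from this article; the first is extended with the fields the
# audit needs to tell platform-integration and profile-owned grants apart.
SOQL_USERS = (
    "SELECT AssigneeId, Assignee.Username, PermissionSet.Name, "
    "PermissionSet.NamespacePrefix, PermissionSet.IsOwnedByProfile, "
    "PermissionSet.Profile.Name FROM PermissionSetAssignment "
    "WHERE PermissionSet.PermissionsUseAnyApiClient = true"
)
SOQL_PROFILES = "SELECT Id, Name FROM Profile WHERE PermissionsUseAnyApiClient = true"
SOQL_PERMSETS = "SELECT Id, Name FROM PermissionSet WHERE PermissionsUseAnyApiClient = true"

# Namespace prefix the article names for Platform Integration User permission sets.
PLATFORM_INTEGRATION_NAMESPACE = "force"


def query_url(instance_url: str, soql: str, api_version: str = "v62.0") -> str:
    """Build the REST API query URL for a SOQL string (api_version is an assumed value)."""
    return f"{instance_url.rstrip('/')}/services/data/{api_version}/query?q={quote(soql)}"


def expected_self_authorization(approve_uninstalled: bool) -> str:
    """Expected behaviour for self-authorizing an UNINSTALLED connected app once the
    change is enforced and the API access control org preference is enabled.
    Per the article's table, only "Approve Uninstalled Connected Apps" allows it;
    "Use Any API Client" no longer makes a difference."""
    return "Allowed" if approve_uninstalled else "Blocked"


def audit_assignments(records, approve_uninstalled_user_ids, api_access_control_enabled=True):
    """Group SOQL_USERS results by user and state what the change means for each.

    records: PermissionSetAssignment rows in REST query shape (nested
             'Assignee' and 'PermissionSet' objects).
    approve_uninstalled_user_ids: ids of users holding "Approve Uninstalled
             Connected Apps", fetched separately (assumed input).
    Returns {username: {"status": str, "via": [grant names]}}.
    Integration and API-only users may show up as "review"; per the article
    they need no action, so the reviewer decides for those.
    """
    by_user = defaultdict(lambda: {"id": None, "via": [], "platform_only": True})
    for rec in records:
        ps = rec["PermissionSet"]
        entry = by_user[rec["Assignee"]["Username"]]
        entry["id"] = rec["AssigneeId"]
        # Profile-owned permission sets carry an opaque Name; report the profile instead.
        if ps.get("IsOwnedByProfile"):
            entry["via"].append("profile:" + ps["Profile"]["Name"])
        else:
            entry["via"].append("permset:" + ps["Name"])
        if ps.get("NamespacePrefix") != PLATFORM_INTEGRATION_NAMESPACE:
            entry["platform_only"] = False

    result = {}
    for username, entry in by_user.items():
        if not api_access_control_enabled:
            status = "no action: API access control preference not enabled"
        elif entry["platform_only"]:
            status = "no action: Platform Integration User (force namespace)"
        elif entry["id"] in approve_uninstalled_user_ids:
            status = "unchanged: self-authorization " + expected_self_authorization(True)
        else:
            status = "review: self-authorization of uninstalled apps will be " + expected_self_authorization(False)
        result[username] = {"status": status, "via": sorted(entry["via"])}
    return result


# Constructed sample records, not from a real org.
SAMPLE_RECORDS = [
    {"AssigneeId": "005000000000001", "Assignee": {"Username": "alice@example.com"},
     "PermissionSet": {"Name": "Legacy_API_Access", "NamespacePrefix": None,
                       "IsOwnedByProfile": False, "Profile": None}},
    {"AssigneeId": "005000000000002", "Assignee": {"Username": "admin@example.com"},
     "PermissionSet": {"Name": "X00e000000000001", "NamespacePrefix": None,
                       "IsOwnedByProfile": True, "Profile": {"Name": "System Administrator"}}},
    {"AssigneeId": "005000000000003", "Assignee": {"Username": "platform.integration@example.com"},
     "PermissionSet": {"Name": "PromptTemplatePermSet", "NamespacePrefix": "force",
                       "IsOwnedByProfile": False, "Profile": None}},
]
APPROVE_UNINSTALLED_USER_IDS = {"005000000000002"}  # constructed: the admin holds the permission

if __name__ == "__main__":
    print("Fetch with:", query_url("https://example.my.salesforce.com", SOQL_USERS))
    for user, info in audit_assignments(SAMPLE_RECORDS, APPROVE_UNINSTALLED_USER_IDS).items():
        print(f"{user}: {info['status']} (via {', '.join(info['via'])})")
```

Run it as-is to see the report for the constructed records; in practice replace SAMPLE_RECORDS with the `records` array returned by the query URL and APPROVE_UNINSTALLED_USER_IDS with the ids from your own check of that permission. Users reported as "review" are the ones to take through step 2: either remove the permission or install and allowlist the app they need.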
Use the User Access and Permission Assistant to Analyze User Permissions
You may see default Salesforce permission sets with the “Use Any API Client” permission under the namespace prefix “force”. These are used with the Platform Integration User which should not be impacted by the upcoming change as it utilizes a more secure internal authentication mechanism.
Examples of Permission Sets you may see include:
ApexGuruStandardPermSet
C2CHeadlessCMSAccessPermSet
C2CMcpServicePermSet
C360 High Scale Flow Integration User
ConnectivityServiceCASCPermSet
D360HomeOrgPermSet
Data Cloud Home Org Integration User
DCToDCSharingSetupC2CPermSet
DeliveryEstimationServicePermSet
E360 Messaging Integration User
E360MessagingC2CPermSet
E360UEC2CPermSet
HighScaleFlowC2cPermSet
Marketing Cloud Reporting C2C Perm
MarketingCloudPublishingC2CPermSet
MarketingCloudReportingC2CPermSet
MuleSoftPublishInvocableActionsC2CPermSet
PromptTemplatePermSet
Publish Suggested for You Nudges: Integration User
RPAC2CPermSet
Salesforce Apex Guru
Salesforce CMS Integration Admin
SeaS Indexing C2C User Perm
YourAccountFeatureDataPermSet
YourAccountNotifierPermSet
YukonNudgeHeadlessPublishPermSet
Removing the "Use Any API Client" permission from integration and API-only users is not required due to this change. The existing functionalities of this permission, including unrestricted access to Salesforce APIs, remain unaffected. The sole modification being made here is the removal of the capability for self-authorization to uninstalled connected apps.
Despite this, we recommend against building new solutions or integrations that rely on the "Use Any API Client" permission, such as those that use the SOAP API login() call. The secure best practice is to first install and allowlist connected apps or external client apps within your Salesforce Org. Once this is done, you can authorize end-users to log in. This preferred method eliminates the requirement for the "Use Any API Client" permission for integrations to function.
Note: The SOAP API login() retirement is scheduled for the Summer ’27 release. Ensure all applications and integrations currently using SOAP API login() are migrated to External Client Apps with OAuth for authentication prior to this date.
To install new connected apps, particularly those from third parties, administrators may need to self-authorize the uninstalled connected app via OAuth. Only once the app has an active OAuth session can it be installed from the Connected App OAuth Usage page in Setup. This process is necessary because when administrators create an app directly, they cannot define the Client ID and Consumer Secret that the third-party application requires.
In the September 2025 Connected App Usage Restrictions Change, Salesforce introduced the “Approve Uninstalled Connected Apps” user permission, which is built for this purpose. Where there are legitimate use cases, such as admins or developers who must first test an app before installing it in the org, they might need to use this permission. But it’s critical to be aware that the “Approve Uninstalled Connected Apps” user permission bypasses the Connected App usage restriction. It should only be assigned to highly trusted users, such as administrators and those involved in managing or testing connected app integrations.
We advise against using the "Approve Uninstalled Connected Apps" user permission for the majority of end-users for purposes of accessing connected apps. Instead, install the required connected apps and external client applications. Once installed, these trusted apps should be allowlisted and their access managed, granting user access based on the principle of least privilege.
When a customer has enabled the Org Preference (Setup --> API Access Control), "For admin-approved users, limit API access to only allowlisted connected apps," what behavior is expected for self-authorizing uninstalled connected apps after this change takes effect?
| User has "Use Any API Client" permission | User has "Approve Uninstalled Connected Apps" permission | Expected Behaviour: Self-authorizing uninstalled connected apps |
|---|---|---|
| TRUE | FALSE | [NEW] Blocked |
| TRUE | TRUE | Allowed |
| FALSE | TRUE | Allowed |
| FALSE | FALSE | Blocked |
Note: This change will block the NEW self-authorization requests of uninstalled apps.
The existing active sessions of uninstalled connected apps remain unaffected.
005228838