
Salesforce Platform: Security Updates to the "Use Any API Client" Permission

Publication date: Mar 25, 2026
Description

Original Publication Date - November 17, 2025

Updated - November 24, 2025


What is changing?

To align with the connected app security features rolled out in September 2025 (Prepare for Connected App Usage Restrictions Change), Salesforce is changing the behavior of the “Use Any API Client” permission so that users with this permission are restricted from self-authorizing uninstalled connected apps. 

This change does not affect other existing functionalities of the "Use Any API Client" user permission, such as unrestricted access to Salesforce APIs.

Why are we making this change? 

This change is intended to reduce the risk of phishing or other types of threats where end-users are misled into self-authorizing malicious or unauthorized connected apps, which could give attackers the opportunity to gain unauthorized access and exfiltrate data.

When will Salesforce roll out the changes to the “Use Any API Client” user permission?

Starting the week of December 8, 2025.


What impacts are expected from this change?

Users who depend on the "Use Any API Client" permission for self-authorizing uninstalled connected apps will no longer be able to do so, as this functionality will be removed after the change.


What action do I need to take?

1. In Setup, navigate to the API Access Control page. If the setting “For admin-approved users, limit API access to only allowlisted connected apps.” is checked, proceed to the next step. If it's not checked, no further action is required. 

Please note: If you have not previously contacted Customer Support to enable API access control in Setup, these settings will not be visible, and no further action is required.

2. Identify Where “Use Any API Client” is used: We recommend that you and your security teams audit your current Salesforce user permissions to identify any instances where the "Use Any API Client" permission has been assigned. If assigned to any end-users, evaluate the reason why the user previously had access. 

  • If end-users must continue to self-authorize and use uninstalled connected apps, refer to the section "Admins need to continue to self-authorize and use uninstalled connected apps, what should I do?" Otherwise, if this permission is not required, you can manually remove it from those users. Alternatively, you can wait for Salesforce to enforce this change, which will automatically remove the ability to self-authorize uninstalled connected apps.

  • If assigned to any integration or API-only users, no action is required as part of this change. See the section "Should I keep the “Use Any API Client” permission assigned to my integration and API-only users?" below.

  • If not assigned - no further action is required.

3. Install or Block Connected Apps: Take steps to review, install, and allowlist connected apps that you want to make accessible for end-users and only grant user access based on the principle of least privilege. Block any connected apps that you do not trust (when blocking connected apps - take action to uninstall, if applicable).

Resolution

How do I identify where “Use Any API Client” is assigned?

Options you might consider to identify where “Use Any API Client” is used:

  • Manually review all Profiles and Permission Sets in Setup to see where “Use Any API Client” is assigned.

  • Use Salesforce SOQL queries to determine where it's assigned. See the section below for examples.


SOQL Queries to use to identify where "Use Any API Client" is Assigned:

Users with “Use Any API Client” assigned:

SELECT AssigneeId, Assignee.Id, Assignee.Username FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsUseAnyApiClient = true

Profiles with “Use Any API Client” assigned

SELECT Id, Name FROM Profile WHERE PermissionsUseAnyApiClient = true

Permission Sets with “Use Any API Client” assigned

SELECT Id, Name FROM PermissionSet WHERE PermissionsUseAnyApiClient = true


You can also use the User Access and Permission Assistant to analyze user permissions.

What should I do for default Salesforce Permission Sets?

You may see default Salesforce permission sets with the “Use Any API Client” permission under the namespace prefix “force”. These are used with the Platform Integration User which should not be impacted by the upcoming change as it utilizes a more secure internal authentication mechanism.

Examples of Permission Sets you may see include:

  • ApexGuruStandardPermSet

  • C2CHeadlessCMSAccessPermSet

  • C2CMcpServicePermSet

  • C360 High Scale Flow Integration User

  • ConnectivityServiceCASCPermSet

  • D360HomeOrgPermSet

  • Data Cloud Home Org Integration User

  • DCToDCSharingSetupC2CPermSet

  • DeliveryEstimationServicePermSet

  • E360 Messaging Integration User

  • E360MessagingC2CPermSet

  • E360UEC2CPermSet

  • HighScaleFlowC2cPermSet

  • Marketing Cloud Reporting C2C Perm

  • MarketingCloudPublishingC2CPermSet

  • MarketingCloudReportingC2CPermSet

  • MuleSoftPublishInvocableActionsC2CPermSet

  • PromptTemplatePermSet

  • Publish Suggested for You Nudges: Integration User

  • RPAC2CPermSet

  • Salesforce Apex Guru

  • Salesforce CMS Integration Admin

  • SeaS Indexing C2C User Perm

  • YourAccountFeatureDataPermSet

  • YourAccountNotifierPermSet

  • YukonNudgeHeadlessPublishPermSet

Should I keep the “Use Any API Client” permission assigned to my integration and API-only users?

Removing the "Use Any API Client" permission from integration and API-only users is not required due to this change. The existing functionalities of this permission, including unrestricted access to Salesforce APIs, remain unaffected. The sole modification being made here is the removal of the capability for self-authorization to uninstalled connected apps.

Despite this, we recommend against building new solutions or integrations that rely on the "Use Any API Client" permission, such as those that use the SOAP API login() call. The secure best practice is to first install and allowlist connected apps or external client apps within your Salesforce Org. Once this is done, you can authorize end-users to log in. This preferred method eliminates the requirement for the "Use Any API Client" permission for integrations to function.

Note: The SOAP API login() retirement is scheduled for the Summer ‘27 release. Ensure all applications and integrations currently using SOAP API login() are migrated to External Client Apps with OAuth for authentication prior to this date.


Admins need to continue to self-authorize and use uninstalled connected apps, what should I do?

  • To install new connected apps, particularly those from third parties, administrators may need to self-authorize the uninstalled connected app via OAuth. Only once the app has an active OAuth session can it be installed from the Connected App OAuth Usage page in Setup. This process is necessary because direct app creation by administrators prevents them from defining the Client ID and Consumer Secret required by third-party applications.

  • As part of the September 2025 Connected App Usage Restrictions change, Salesforce introduced the “Approve Uninstalled Connected Apps” user permission, which is built for this purpose. Where there are legitimate use cases, such as admins or developers who must test an app before installing it in the org, they may need to use this permission. But it is critical to be aware that the “Approve Uninstalled Connected Apps” user permission bypasses the connected app usage restriction. It should only be assigned to highly trusted users, such as administrators and those involved in managing or testing connected app integrations.

  • We advise against using the "Approve Uninstalled Connected Apps" user permission for the majority of end-users for purposes of accessing connected apps. Instead, install the required connected apps and external client applications. Once installed, these trusted apps should be allowlisted and their access managed, granting user access based on the principle of least privilege.


When a customer has enabled the Org Preference (Setup --> API Access Control) "For admin-approved users, limit API access to only allowlisted connected apps," what behavior is expected for self-authorizing uninstalled connected apps after this change takes effect?

  User has "Use Any API Client"  | User has "Approve Uninstalled    | Expected Behaviour: Self-authorizing
  permission                     | Connected Apps" permission       | uninstalled connected apps
  -------------------------------+----------------------------------+-------------------------------------
  TRUE                           | FALSE                            | [NEW] Blocked
  TRUE                           | TRUE                             | Allowed
  FALSE                          | TRUE                             | Allowed
  FALSE                          | FALSE                            | Blocked

Note: This change will block NEW self-authorization requests for uninstalled apps. The existing active sessions of uninstalled connected apps remain unaffected.
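The following script is an added example, not Salesforce code or part of this article. It ties together the SOQL audit queries from the "How do I identify where “Use Any API Client” is assigned?" section and the expected-behaviour table above: it consumes PermissionSetAssignment records in the JSON shape the REST API query endpoint returns, encodes the table as a function, and lists which users will lose the ability to self-authorize uninstalled connected apps. The audit query extends the article's query with relationship fields (PermissionSet.NamespacePrefix, PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name) that are assumed to be queryable in your org; the sample records, user IDs and usernames are constructed placeholders; and the set of users holding "Approve Uninstalled Connected Apps" is supplied as input, because the example does not assume that permission's API field name.

```python
"""Audit helper for the "Use Any API Client" change.

Added example (not Salesforce code). It consumes PermissionSetAssignment
records in the JSON shape the REST API query endpoint returns, encodes the
expected-behaviour table for self-authorizing uninstalled connected apps,
and reports which users lose that ability once the change is enforced.
"""
from dataclasses import dataclass

# The article's query, extended with relationship fields (assumption: these
# standard fields are queryable in your org) so each row records where the
# permission comes from and whether the permission set is force-namespaced.
AUDIT_QUERY = (
    "SELECT AssigneeId, Assignee.Username, PermissionSet.Name, "
    "PermissionSet.NamespacePrefix, PermissionSet.IsOwnedByProfile, "
    "PermissionSet.Profile.Name "
    "FROM PermissionSetAssignment "
    "WHERE PermissionSet.PermissionsUseAnyApiClient = true"
)

# Constructed sample of the "records" array such a query returns (the
# "attributes" key is omitted). IDs and usernames are placeholders.
SAMPLE_RECORDS = [
    {   # end-user who gets the permission from a profile
        "AssigneeId": "005PLACEHOLDER01",
        "Assignee": {"Username": "alice@example.com"},
        "PermissionSet": {"Name": "PROFILE_OWNED_PLACEHOLDER", "NamespacePrefix": None,
                          "IsOwnedByProfile": True,
                          "Profile": {"Name": "System Administrator"}},
    },
    {   # integration user with a custom permission set
        "AssigneeId": "005PLACEHOLDER02",
        "Assignee": {"Username": "integration@example.com"},
        "PermissionSet": {"Name": "Integration_API_Access", "NamespacePrefix": None,
                          "IsOwnedByProfile": False, "Profile": None},
    },
    {   # Platform Integration User via a force-namespaced default perm set
        "AssigneeId": "005PLACEHOLDER03",
        "Assignee": {"Username": "platform-integration@example.com"},
        "PermissionSet": {"Name": "ApexGuruStandardPermSet", "NamespacePrefix": "force",
                          "IsOwnedByProfile": False, "Profile": None},
    },
]

# User IDs holding "Approve Uninstalled Connected Apps". This example does not
# assume that permission's API field name; obtain the set from the User Access
# and Permission Assistant or your own query. Constructed placeholder here.
SAMPLE_APPROVERS = {"005PLACEHOLDER02"}


def expected_behaviour(use_any_api_client: bool, approve_uninstalled: bool) -> str:
    """The article's table: self-authorizing uninstalled connected apps when
    "limit API access to only allowlisted connected apps" is enabled."""
    if approve_uninstalled:
        return "Allowed"           # this permission bypasses the usage restriction
    if use_any_api_client:
        return "[NEW] Blocked"     # the behaviour this change introduces
    return "Blocked"               # not new: blocked regardless of this change


@dataclass(frozen=True)
class Finding:
    user_id: str
    username: str
    source: str                 # which profile or permission set grants the permission
    platform_integration: bool  # force-namespaced perm set: Platform Integration User
    behaviour: str


def audit(records, approver_ids):
    """Turn query records into one Finding per assignment."""
    findings = []
    for rec in records:
        ps = rec["PermissionSet"]
        if ps.get("IsOwnedByProfile"):
            source = "Profile: " + ps["Profile"]["Name"]
        else:
            source = "Permission Set: " + ps["Name"]
        findings.append(Finding(
            user_id=rec["AssigneeId"],
            username=rec["Assignee"]["Username"],
            source=source,
            platform_integration=ps.get("NamespacePrefix") == "force",
            behaviour=expected_behaviour(True, rec["AssigneeId"] in approver_ids),
        ))
    return findings


def impacted_usernames(findings):
    """Users who lose self-authorization: newly blocked and not the Platform
    Integration User, which the article says is not impacted."""
    return sorted({f.username for f in findings
                   if f.behaviour == "[NEW] Blocked" and not f.platform_integration})


if __name__ == "__main__":
    results = audit(SAMPLE_RECORDS, SAMPLE_APPROVERS)
    for f in results:
        print(f"{f.username:36} {f.source:40} {f.behaviour}")
    print("Impacted after the change:", impacted_usernames(results))
```

In a real run, replace SAMPLE_RECORDS with the "records" array returned for AUDIT_QUERY (paging through "nextRecordsUrl" if "done" is false) and SAMPLE_APPROVERS with the IDs of users who hold "Approve Uninstalled Connected Apps". Each impacted user maps to step 2 of the action list: either remove the permission, or, for the legitimate admin and developer cases, assign the approve permission deliberately rather than leaving self-authorization to break in December.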


Knowledge Article Number

005228838

Salesforce Help | Article