Web Server Auth Flow Enablement – Salesforce Mobile App Rollout

Publish Date: May 21, 2026

Description

The Salesforce Mobile App is being updated to use the OAuth 2.0 Web Server (Authorization Code) flow for authentication. This change improves security by ensuring that access tokens are never exposed in a URL — instead, an authorization code is securely exchanged server-side.

For more detail on the Web Server flow, see the Salesforce OAuth 2.0 Web Server Flow documentation.

	Before	After
OAuth Flow	User Agent (implicit) flow	Web Server (authorization code) flow
Token Handling	Access token exposed in URL fragment	Authorization code exchanged server-side
Security	Standard	Enhanced — token never exposed in URL

This change applies to the Salesforce Mobile App on iOS and Android, version 260.050 and later.

Resolution

User Impact

No action required. From the user's perspective, there is no visible change.

Users of the Salesforce Mobile App will:

See the same Salesforce login screen
Enter credentials as normal
Land in the app as expected

Affected Versions

This update applies to the Salesforce Mobile App on the following platforms:

Platform	Minimum Version
iOS	260.050+
Android	260.050+

Note: Having the minimum app version installed is not sufficient on its own — the update is activated remotely by Salesforce.

Rollout Timeline

iOS: Regional rollout beginning late May 2026
Android: Follows shortly after iOS rollout

Knowledge Article Number

005384996

Did this article solve your issue?

Let us know so we can improve!

Web Server Auth Flow Enablement – Salesforce Mobile App Rollout

User Impact

Affected Versions

Rollout Timeline

General Information

Required Cookies

Functional Cookies

Advertising Cookies

General Information

Required Cookies

Functional Cookies

Advertising Cookies

Cookie List