          Advanced Authentication Pattern: OAuth 2.1 Client Credentials Flow

          Leverage the underlying authentication stack to register an MCP server that uses OAuth 2.1 client credentials.

          Required Editions

          Available in: Lightning Experience
          Available in: Enterprise, Performance, Unlimited, and Developer Editions. Required add-on licenses vary by agent type.
          User Permissions Needed
          To register an MCP server: Manage AI Agents AND the required permissions for your agent type
          To create, edit, or delete named credentials, external credentials, or external auth identity providers: Manage Named Credentials or Customize Application

          Register a No Auth MCP Server

          To implement an advanced authentication pattern, the first step is to register an MCP server in Agentforce Registry. Registration creates the underlying named credential, external credential, and permission set that handle authentication for the server.

          You can’t complete the initial registration with a server that uses OAuth 2.1 today. Instead, start with a simple placeholder MCP server that doesn’t require authentication. Choose a server from a provider you trust, and then register the server in Agentforce Registry. Complete the process, but don’t apply any policies or allowlist any tools. (You’ll come back to this in a later step.)

          Registering a placeholder server creates a record for the server connection and the basic authentication stack in Salesforce. Next, you’ll update the authentication stack with the details for the server you want to register.

          Learn more about named credentials, external credentials, and permission sets.

          Create an External Auth Identity Provider

          External auth identity providers obtain OAuth tokens for outbound callouts to external systems. They’re the first step in creating named and external credentials that use OAuth 2.0 and 2.1 authentication.

          1. From Setup, in the Quick Find box, enter Named Credentials, and then select Named Credentials.
          2. Click the External Auth Identity Provider tab.
          3. Click New, and complete the following fields.
            Label: A user-friendly name for the external auth identity provider. We recommend a label that’s related to the MCP server you’re registering and that you can use throughout the authentication stack.
            Name: A unique identifier that’s used to refer to this external auth identity provider from callout definitions and through the API. The name can contain only underscores and alphanumeric characters. It must be unique, begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
            Description: A description for the external auth identity provider.
            Authentication Protocol: OAuth 2.0
            Authentication Flow Type: Client Credentials
            Client ID: The unique ID of the MCP server, used to request access via the authorization server.
            Client Secret: A password known only to the MCP server and the authorization server, used to authenticate the MCP server when requesting access tokens. Must be kept secure.
            Token Endpoint URL: The OAuth token URL from the authorization server, for example https://auth.partner.com/token.
          4. Save your changes.

          Add the Resource Parameter To Your External Auth Identity Provider

          Add a resource parameter as a custom authorization request parameter and a custom token request parameter. This is the key difference between OAuth 2.0, where this parameter is optional, and OAuth 2.1, where this parameter is required. The resource value tells the authorization server which MCP server to accept this token for. The MCP server rejects any token that doesn’t match.

          Note: Some authorization servers require a different parameter, for example audience instead of resource. These steps can be followed for other custom parameters as well.
          1. In the Custom Request Parameters section, click New.
          2. Specify the following fields.
            Name: resource
            Value: The URL of the API you’re calling, for example https://api.partner.com. This value is the same as the associated named credential URL, because they represent the same API you’re calling. The resource parameter tells the authorization server who the token is for. The named credential tells the platform where to send the request.
            Request Type: Authorize Request
            Parameter Location: Query Parameter
          3. Save your changes.
          4. Repeat the steps with these fields.
            Name: resource
            Value: The URL of the API you’re calling, for example https://api.partner.com. This value is the same as the associated named credential URL, because they represent the same API you’re calling. The resource parameter tells the authorization server who the token is for. The named credential tells the platform where to send the request.
            Request Type: Token Request
            Parameter Location: Body Parameter
          5. Save your changes.

          The authorization parameter is appended as a query parameter when the user is redirected to the authorization server’s login or consent page.

          https://auth.partner.com/authorize?
           response_type=code
           &client_id=YOUR_CLIENT_ID
           &redirect_uri=https://login.salesforce.com/services/authcallback/...
           &scope=read+write
           &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
           &code_challenge_method=S256
           &resource=https%3A%2F%2Fapi.partner.com    ← added by the custom parameter

          The token parameter is included as a form body parameter in the POST to the token endpoint.

          POST /token HTTP/1.1
          Host: auth.partner.com
          Content-Type: application/x-www-form-urlencoded
          
          grant_type=authorization_code
          &code=AUTHORIZATION_CODE
          &redirect_uri=https://login.salesforce.com/services/authcallback/...
          &client_id=YOUR_CLIENT_ID
          &client_secret=YOUR_CLIENT_SECRET
          &code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
          &resource=https%3A%2F%2Fapi.partner.com    ← added by the custom parameter
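The following Python stand-in is an added example and is not code from the Salesforce article or from any partner; it models the client-credentials token request the article configures (the grant named in the title, rather than the authorization-code exchange shown above), with the resource parameter sent as a body parameter, a stand-in authorization server that binds the requested resource into the token’s aud claim, and the MCP server’s check that rejects any token whose audience is not its own URL. It goes a little beyond the page by also showing the signature and expiry checks a resource server makes alongside the audience check. The URLs, client ID and secret, issuer, and HMAC signing key are all constructed assumptions; a real authorization server’s token format and keys differ.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Constructed example values (assumptions, not a real tenant or real credentials).
MCP_SERVER_URL = "https://api.partner.com"  # the `resource` value; same as the named credential URL
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"
AS_ISSUER = "https://auth.partner.com"
AS_SIGNING_KEY = b"constructed-authorization-server-hmac-key"  # stand-in for the AS's real key


def build_token_request(client_id, client_secret, resource, scope=None):
    """Form body for the client-credentials grant, with the custom `resource`
    token-request parameter carried as a body parameter (RFC 8707 resource indicator)."""
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }
    if scope:
        params["scope"] = scope
    return urlencode(params)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(form_body, now=None, key=AS_SIGNING_KEY):
    """Stand-in authorization server: authenticates the client, then mints an HS256 JWT
    whose `aud` claim is the requested `resource`, binding the token to one MCP server."""
    form = {k: v[0] for k, v in parse_qs(form_body, strict_parsing=True).items()}
    if form.get("grant_type") != "client_credentials":
        raise ValueError("unsupported_grant_type")
    if form.get("client_id") != CLIENT_ID or not hmac.compare_digest(
            form.get("client_secret", ""), CLIENT_SECRET):
        raise ValueError("invalid_client")
    if not form.get("resource"):
        raise ValueError("invalid_target")  # RFC 8707 error for a missing or unknown resource
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({
        "iss": AS_ISSUER, "sub": form["client_id"], "aud": form["resource"],
        "iat": now, "exp": now + 300,
    }).encode())
    signature = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(signature)}"


def mcp_server_accepts(token, expected_resource=MCP_SERVER_URL, now=None, key=AS_SIGNING_KEY):
    """Resource-server side: verify signature and expiry, then require `aud` to equal this
    server's own URL. A well-formed, unexpired token minted for another resource is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, claims_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header}.{claims_b64}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, TypeError):  # bad base64 (binascii.Error) or bad JSON
        return False
    if not isinstance(claims, dict):
        return False
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return expected_resource in audiences


def demo(now=1_700_000_000):
    """Run the flow end to end and report what each token did at the MCP server."""
    good = issue_token(build_token_request(CLIENT_ID, CLIENT_SECRET, MCP_SERVER_URL), now=now)
    other = issue_token(build_token_request(CLIENT_ID, CLIENT_SECRET, "https://api.other.example"), now=now)
    # A token for the other resource with its aud rewritten: the signature no longer matches.
    h, c, s = other.split(".")
    rewritten = json.loads(_b64url_decode(c))
    rewritten["aud"] = MCP_SERVER_URL
    forged = f"{h}.{_b64url(json.dumps(rewritten).encode())}.{s}"
    try:
        issue_token(build_token_request(CLIENT_ID, "wrong-secret", MCP_SERVER_URL), now=now)
        bad_client_rejected = False
    except ValueError:
        bad_client_rejected = True
    return {
        "correct_resource": mcp_server_accepts(good, now=now),
        "other_resource": mcp_server_accepts(other, now=now),
        "expired": mcp_server_accepts(good, now=now + 301),
        "rewritten_aud": mcp_server_accepts(forged, now=now),
        "bad_client_rejected": bad_client_rejected,
    }


if __name__ == "__main__":
    print(build_token_request(CLIENT_ID, CLIENT_SECRET, MCP_SERVER_URL))
    print(demo())
```

Running the block prints the form body (with resource=https%3A%2F%2Fapi.partner.com) and a result map in which only the token minted for the MCP server’s own URL is accepted; the token for another resource, the expired token, and the token whose aud was rewritten after signing are all refused.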

          Edit the Associated External Credential

          An OAuth 2.0 or OAuth 2.1 external credential that uses the Client Credentials flow managed by an external auth identity provider takes its client identification (client ID and client secret) from the linked external auth identity provider.

          1. From Setup, in the Quick Find box, enter Named Credentials, and then select Named Credentials.
          2. Click the External Credentials tab.
          3. Find the external credential associated with the MCP server you registered. Then from the dropdown menu, select Edit.
          4. Specify the following fields.
            Label: A user-friendly name for the external credential. We recommend a label that’s related to the MCP server you’re registering and that you can use throughout the authentication stack.
            Name: A unique identifier that’s used to refer to this external credential from callout definitions and through the API. The name can contain only underscores and alphanumeric characters. It must be unique, begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
            Authentication Protocol: OAuth 2.0
            Authentication Flow Type: Configured in an External Auth Identity Provider
            Scope: Optional. A list of permissions that the MCP server requires for the client to access server tools and APIs, formatted as a comma-separated list.
            External Auth Identity Provider: Select the external auth identity provider that you created in the previous steps.
          5. Save your changes.
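The Name rules stated for the external auth identity provider and again for the external credential are the same, and they are worth checking before a name is pushed through an automated setup. The validator below is an added example, not Salesforce code; it encodes exactly the rules the article lists and assumes “alphanumeric” means ASCII letters and digits. Org-wide uniqueness is the one rule it cannot check offline.

```python
import re
from typing import List

# Assumption: "alphanumeric" means ASCII letters and digits, as Salesforce API names use.
_CHARSET_RE = re.compile(r"^[A-Za-z0-9_]+$")


def check_api_name(name: str) -> List[str]:
    """Return the list of rule violations for an API Name (empty list means it passes).
    Rules: only letters, digits and underscores; begins with a letter; no spaces;
    does not end with an underscore; no two consecutive underscores.
    Uniqueness within the org is left to the platform."""
    if not name:
        return ["name is empty"]
    problems = []
    if " " in name:
        problems.append("contains a space")
    if not _CHARSET_RE.match(name):
        problems.append("contains characters other than letters, digits and underscores")
    if not (name[0].isascii() and name[0].isalpha()):
        problems.append("does not begin with a letter")
    if name.endswith("_"):
        problems.append("ends with an underscore")
    if "__" in name:
        problems.append("contains two consecutive underscores")
    return problems


def is_valid_api_name(name: str) -> bool:
    return not check_api_name(name)


if __name__ == "__main__":
    for candidate in ["Partner_MCP_Client_Credentials", "1Partner", "Partner_", "Partner__MCP", "Partner MCP"]:
        print(candidate, "->", check_api_name(candidate) or "ok")
```

A name such as Partner_MCP_Client_Credentials passes, while names that start with a digit, end with an underscore, contain a double underscore, or contain a space each come back with the specific rule they break, which is more useful than a bare rejection when the check runs inside a deployment script.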

          (Optional) Edit the Associated Named Credential

          Named credentials specify the URL of a callout endpoint. You don’t have to make any changes to the named credential for it to work, but we recommend updating the label, name, and description to align with the MCP server you’re registering, the underlying external credential, and the external auth identity provider.

          1. From Setup, in the Quick Find box, enter Named Credentials, and then select Named Credentials.
          2. Click the Named Credentials tab.
          3. Find the named credential associated with the MCP server you registered. Then from the dropdown menu, select Edit.
          4. Edit the label, name, and description.
          5. Save your changes.

          Postrequisites

          Now that you’ve set up the authentication stack for your server, allowlist the server tools you want to use with your agent and, optionally, apply policies.

          From the server record page, allowlist the tools you want to use with your agent.

          Optionally, if you’ve created any policies for MCP servers in Agentforce Gateway that are available to add manually, you can apply them to your server from the server record page in Agentforce Registry. If your server meets the conditions for any rule-based MCP server policies you’ve created, the policies are applied automatically. You can create, apply, and remove policies from Agentforce Gateway. From Setup, in the Quick Find box, enter Agentforce Gateway, and then select Policies.

           
          Salesforce Help | Article