OAuth Endpoints
OAuth endpoints are the URLs that you use to make OAuth authorization requests to Salesforce. Each OAuth flow defines which endpoints to use and what request data to provide.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: All Editions |
Use these OAuth endpoints for your OAuth authorization requests.
If indicated, the OAuth endpoints support Cross-Origin Resource Sharing (CORS). For information about support for CORS with certain OAuth endpoints, see Enable CORS for OAuth Endpoints.
All OAuth endpoints require secure HTTP (HTTPS). For standard OAuth 2.0 authorization flows, these host domains are supported unless otherwise specified.
- login.salesforce.com
- A My Domain URL, such as https://MyCompany.my.salesforce.com
- An Experience Cloud site URL, such as https://MyDomainName.my.site.com
- A custom URL
- For sandboxes, use test.salesforce.com or the My Domain login URL for the sandbox, such as MyDomainName--SandboxName.sandbox.my.salesforce.com.
If you’re calling an endpoint during a headless identity authorization flow, the only supported host domains are Experience Cloud site URLs.
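The host rules above can be enforced in a client before any request leaves it. The following check is an added example, not Salesforce code: `check_endpoint`, its parameters, and the sample allowlists are hypothetical names, and the sketch assumes the operator supplies the exact My Domain, Experience Cloud site, and custom hostnames to trust.

```python
from urllib.parse import urlsplit

# Endpoint paths copied from the table on this page.
HEADLESS_ONLY = {
    "/services/auth/headless/init/registration",
    "/services/auth/headless/init/passwordless/login",
    "/services/auth/headless/forgot_password",
}
PKCE_GENERATOR = "/services/oauth2/pkce/generator"
STANDARD = {
    "/services/oauth2/authorize", "/services/oauth2/token",
    "/services/oauth2/revoke", "/services/oauth2/userinfo",
    "/services/oauth2/register", "/services/oauth2/introspect",
    "/.well-known/openid-configuration", "/.well-known/auth-configuration",
    PKCE_GENERATOR,
}
SHARED_LOGIN_HOSTS = {"login.salesforce.com", "test.salesforce.com"}

def check_endpoint(url, my_domain_hosts, site_hosts, headless=False):
    """Return the list of rule violations for url (empty list = acceptable).

    my_domain_hosts and site_hosts are sets of exact hostnames the operator
    trusts (custom URLs go in whichever set they serve). Exact matching, not
    suffix matching, keeps look-alike hosts out.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if parts.username is not None or parts.password is not None:
        problems.append("userinfo in URL")  # user@host can disguise the real host
    if parts.path not in STANDARD | HEADLESS_ONLY:
        problems.append("unknown endpoint path")
    if headless or parts.path in HEADLESS_ONLY:
        if host not in site_hosts:
            problems.append("headless flow needs an Experience Cloud site host")
    elif parts.path == PKCE_GENERATOR:
        if host not in my_domain_hosts | site_hosts:
            problems.append("PKCE generator needs a My Domain or site host")
    elif host not in SHARED_LOGIN_HOSTS | my_domain_hosts | site_hosts:
        problems.append("host not allowlisted")
    return problems

# Constructed sample configuration, based on the example hostnames above.
MY_DOMAINS = {"mycompany.my.salesforce.com"}
SITES = {"mydomainname.my.site.com"}
```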
| OAuth Endpoint | Description | CORS Allowed |
|---|---|---|
| https://hostname/services/oauth2/authorize | The Salesforce instance’s OAuth 2.0 authorization endpoint. External client apps send OAuth authorization requests to this endpoint during standard OAuth 2.0 authorization flows and headless identity flows. | |
| https://hostname/services/oauth2/token | The Salesforce instance’s OAuth 2.0 token endpoint. External client apps send OAuth token requests to this endpoint during standard OAuth 2.0 authorization flows and headless identity flows. | |
| https://hostname/services/auth/headless/init/registration | The Salesforce instance’s Headless Registration API endpoint. A headless client app sends requests to this endpoint to initialize headless registration. This endpoint supports only headless identity flows, so the hostname must be an Experience Cloud site URL. | |
| https://hostname/services/auth/headless/init/passwordless/login | The Salesforce instance’s Headless Passwordless Login API endpoint. A headless client app sends requests to this endpoint to initialize headless passwordless login. This endpoint supports only headless identity flows, so the hostname must be an Experience Cloud site URL. | |
| https://hostname/services/auth/headless/forgot_password | The Salesforce instance’s Headless Forgot Password API endpoint. A headless client app sends requests to this endpoint during a headless password reset process. This endpoint supports only headless identity flows, so the hostname must be an Experience Cloud site URL. | |
| https://hostname/services/oauth2/revoke | The Salesforce instance’s OAuth 2.0 revoke endpoint. Send requests to this endpoint to revoke an external client app’s access during a standard authorization flow or headless identity flow. See Revoke OAuth Tokens. | |
| https://hostname/services/oauth2/userinfo | The OpenID Connect OAuth 2.0 user profile information endpoint. OpenID Connect defines the UserInfo endpoint to get a user’s profile information. See Query for User Information. | |
| https://hostname/services/oauth2/register | The OpenID Connect dynamic client registration endpoint. Send requests to this endpoint to automatically register external client apps with Salesforce. See OpenID Connect Dynamic Client Registration for External API Gateways. | |
| https://hostname/services/oauth2/introspect | The OpenID Connect token introspection endpoint. Send requests to this endpoint to check the current state of an OAuth 2.0 access or refresh token. See OpenID Connect Token Introspection. | |
| https://hostname/.well-known/openid-configuration | The OpenID Connect discovery endpoint. Send queries to this endpoint for information about the Salesforce OpenID Connect configuration. See Query for the OpenID Connect Configuration. | |
| https://hostname/.well-known/auth-configuration | The authentication configuration endpoint. Send queries to this endpoint for information about an org’s SAML single sign-on and authentication provider settings. See Query SAML Authentication Settings. | |
| https://hostname/services/oauth2/pkce/generator | The Proof Key for Code Exchange (PKCE) Generator endpoint. Send requests to this endpoint to generate parameters that you can use to implement the PKCE security extension for variations of the authorization code flow. See Proof Key for Code Exchange (PKCE) Extension. For standard OAuth flows, the hostname must be a My Domain login URL or Experience Cloud site URL. For headless identity flows, use the Experience Cloud site URL. | |


