API (Enable OAuth Settings): Disable Client Credentials Flow

Control Name

Connected Apps: API (Enable OAuth Settings): Disable Client Credentials Flow

Recommended Configuration

Disable Client Credentials Flow.

Control Overview

This control involves disabling the insecure "Client Credentials" flows in favor of high-assurance, certificate-based authentication methods like the JWT Bearer Flow or External Client Apps (ECA).

Security Risk If Not Configured

These flows often rely on a static Client ID and Client Secret (and sometimes user passwords) that act as "shared secrets," which are easily compromised if hard-coded in scripts or exposed in configuration files.

Threat Scenarios

An attacker discovers a hard-coded Client Secret in a public GitHub repository or internal documentation and uses it to programmatically authenticate as a high-privilege service account, gaining full API access to the Org.

Estimated CVSS Score Range

Critical (9.0–10.0).

Risk Impact Considerations

The use of insecure credentials leads to persistent, non-interactive account takeover, allowing an adversary to exfiltrate mass quantities of data or modify system configuration without triggering traditional MFA challenges.

Higher Risk When

The Client Credentials flow is associated with a user assigned to the "System Administrator" profile or a profile with "Modify All Data" permissions.

Low Risk When

The company has implemented strict Login IP Ranges for the integration user and uses real-time API Request Monitoring to detect anomalous high-volume traffic.

Business and Integration Considerations

Disabling these flows requires migrating existing middleware (for example, MuleSoft, Boomi, or custom Python scripts) to use certificate-based JWT flows, which involves managing X.509 certificates and updating client-side logic.

Recommended Remediation

Go to the Connected App OAuth Settings, uncheck the "Enable Client Credentials Flow" box, and transition the integration to use the JWT Bearer Flow with a digital certificate.

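As an added example (not code from the Salesforce article), this shows what the migration above changes on the wire: the JWT Bearer assertion a middleware client signs with the connected app's certificate key and POSTs to the token endpoint, next to a small classifier that tells shared-secret grants apart from assertion-based ones in captured token-request bodies. The consumer key, username and `rs256_sign` callback are assumptions; in a deployment the callback wraps the private key held by the integration (for example `cryptography`'s `key.sign(data, PKCS1v15(), SHA256())`).

```python
import base64
import json
import time
from typing import Callable, Optional
from urllib.parse import parse_qs

TOKEN_ENDPOINT = "/services/oauth2/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
ASSERTION_LIFETIME_S = 180  # Salesforce requires exp within 3 minutes of issue


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_jwt_bearer_assertion(consumer_key: str, username: str, audience: str,
                               rs256_sign: Callable[[bytes], bytes],
                               now: Optional[int] = None) -> str:
    """Build the RS256-signed assertion for the Salesforce JWT Bearer Flow.

    iss = connected app consumer key, sub = integration user's username,
    aud = https://login.salesforce.com (https://test.salesforce.com for a
    sandbox). rs256_sign (assumed callback) must return an RSASSA-PKCS1-v1_5
    SHA-256 signature; the private key stays with the caller and no static
    secret is placed in the request body.
    """
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "RS256"}, separators=(",", ":")).encode())
    claims = {"iss": consumer_key, "sub": username, "aud": audience,
              "exp": now + ASSERTION_LIFETIME_S}
    signing_input = header + "." + b64url(json.dumps(claims, separators=(",", ":")).encode())
    return signing_input + "." + b64url(rs256_sign(signing_input.encode("ascii")))


def jwt_bearer_token_request(assertion: str) -> dict:
    """Form fields POSTed to <My Domain>/services/oauth2/token."""
    return {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def decode_claims(assertion: str) -> dict:
    """Read claims back for auditing what was sent (no signature check)."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def classify_token_request(body: str) -> str:
    """Classify a captured token-request body, e.g. from an egress proxy log."""
    form = parse_qs(body)
    grant = form.get("grant_type", [""])[0]
    if grant in ("client_credentials", "password"):
        return "shared-secret"  # static client_secret or password travels in the body
    if grant == JWT_BEARER_GRANT and "assertion" in form:
        return "certificate-based"
    return "other"
```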
Security Health Review Guidance

Security Health Review identifies the removal of legacy, password-based credential flows as a critical step in modernizing identity security and moving toward a Zero Trust architecture for all system-to-system integrations.
