API (Enable OAuth Settings): Require Secret for Web Server Flow

          Control Name

          Connected Apps: API (Enable OAuth Settings): Require Secret for Web Server Flow

          Recommended Configuration

          Require Secret for Web Server Flow.

          Control Overview

          In the web server flow (the OAuth 2.0 authorization code grant), this control requires the client application to present its client secret (the connected app's consumer secret) in the request that exchanges the authorization code for access and refresh tokens. The secret is what proves the request comes from the registered confidential client and not merely from whoever holds the code.

          Security Risk If Not Configured

          Without this control, the token endpoint accepts an authorization code from any caller that also knows the (public) consumer key and redirect URI. An attacker who intercepts a short-lived authorization code can redeem it for an access token and, if the refresh_token scope was granted, a long-lived refresh token, without proving control of the backend server the app was registered for.

          Threat Scenarios

          An adversary obtains an authorization code from the browser redirect (a referrer leak, a malicious browser extension, or a man-in-the-middle on a callback served over plain HTTP) or from web server or proxy logs that recorded the callback URL, then immediately posts the code to the token endpoint from their own infrastructure. Because the server does not demand the secret, the exchange succeeds, the attacker holds tokens for the user's session, and the legitimate application's later exchange of the same single-use code fails.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Failure to require a secret enables unauthorized session establishment and data exfiltration: a temporary, single-use code is converted into an access token and, with the refresh_token scope, a refresh token that persists until revoked, which amounts to account takeover for the affected user.

          Higher Risk When

          When the callback URL can be observed in transit or at rest, for example when the application is hosted on a shared server whose logs other tenants can read, when the callback is served over HTTP rather than HTTPS, or when the client is a native or mobile app that receives the redirect through a custom URI scheme, where another local app registered for the same scheme or a network proxy can capture the authorization code.

          Low Risk When

          If the integration uses PKCE (Proof Key for Code Exchange, RFC 7636) as a compensating control: the client sends a code_challenge with the authorization request and must present the matching code_verifier at the token endpoint, so an intercepted code cannot be redeemed by a party that did not start the flow. Note the limit of this mitigation: PKCE binds the code to the client instance that initiated the request but does not authenticate the application itself, so a server-side integration that can protect a secret should use both.
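The exchange this control governs and the PKCE compensating control above, shown side by side as an added example (not Salesforce's code and not from this article). TOKEN_URL is the real Salesforce token endpoint, but nothing here connects to it: CONSUMER_KEY, CONSUMER_SECRET, REDIRECT_URI and the ModelTokenEndpoint class are constructed placeholders that mimic the checks an authorization server performs on a code redemption, so the script runs offline. It walks through an attacker redeeming an intercepted code with the secret not required, with the secret required, and with PKCE in play, and finally the legitimate client succeeding.

```python
"""Web server flow: authorization-code exchange with and without the client
secret, and PKCE as a compensating control. Added example; the endpoint model
and all credentials below are constructed placeholders, not Salesforce's code."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"   # real endpoint, never called here
CONSUMER_KEY = "3MVG9placeholder_consumer_key"                     # placeholder (public client_id)
CONSUMER_SECRET = "placeholder_consumer_secret"                     # placeholder, not a real secret
REDIRECT_URI = "https://app.example.com/oauth/callback"            # placeholder callback


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier (RFC 7636): BASE64URL(SHA256(verifier))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> Tuple[str, str]:
    """Fresh (code_verifier, code_challenge) for one authorization request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def token_request_body(code: str, client_secret: Optional[str] = None,
                       code_verifier: Optional[str] = None) -> Dict[str, str]:
    """Form fields a client POSTs to TOKEN_URL to redeem an authorization code."""
    body = {"grant_type": "authorization_code", "code": code,
            "client_id": CONSUMER_KEY, "redirect_uri": REDIRECT_URI}
    if client_secret is not None:   # only a confidential (server-side) client can add this
        body["client_secret"] = client_secret
    if code_verifier is not None:   # PKCE: proves this caller started the flow
        body["code_verifier"] = code_verifier
    return body


class ModelTokenEndpoint:
    """Constructed stand-in for the authorization server's code-redemption checks."""

    def __init__(self, require_secret: bool):
        self.require_secret = require_secret   # the checkbox this page is about
        self.codes: Dict[str, dict] = {}       # outstanding single-use codes

    def issue_code(self, code_challenge: Optional[str] = None) -> str:
        """Mint the code the browser redirect carries back to the client."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": CONSUMER_KEY, "redirect_uri": REDIRECT_URI,
                            "code_challenge": code_challenge}
        return code

    def exchange(self, body: Dict[str, str]) -> Dict[str, str]:
        record = self.codes.pop(body.get("code", ""), None)   # pop: a code is redeemable once
        if (record is None or record["client_id"] != body.get("client_id")
                or record["redirect_uri"] != body.get("redirect_uri")):
            return {"error": "invalid_grant"}
        # Require Secret for Web Server Flow: no secret (or a wrong one) means no token.
        if self.require_secret and not hmac.compare_digest(
                body.get("client_secret", ""), CONSUMER_SECRET):
            return {"error": "invalid_client"}
        # PKCE: a flow that started with a challenge must end with the matching verifier.
        if record["code_challenge"] is not None:
            verifier = body.get("code_verifier", "")
            if not verifier or not hmac.compare_digest(pkce_challenge(verifier),
                                                       record["code_challenge"]):
                return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": secrets.token_urlsafe(16)}


def run_scenarios() -> Dict[str, str]:
    """An attacker who intercepted the code redeems it from their own host, then the real client."""
    results = {}
    srv = ModelTokenEndpoint(require_secret=False)           # 1. no secret, no PKCE
    resp = srv.exchange(token_request_body(srv.issue_code()))
    results["no_secret_no_pkce"] = "tokens_issued" if "access_token" in resp else resp["error"]
    srv = ModelTokenEndpoint(require_secret=True)            # 2. secret required, attacker lacks it
    results["secret_required"] = srv.exchange(token_request_body(srv.issue_code())).get("error", "tokens_issued")
    srv = ModelTokenEndpoint(require_secret=False)           # 3. no secret, but the real client used PKCE
    _, challenge = new_pkce_pair()
    results["pkce_only"] = srv.exchange(token_request_body(srv.issue_code(challenge))).get("error", "tokens_issued")
    srv = ModelTokenEndpoint(require_secret=True)            # 4. legitimate client: secret + verifier
    verifier, challenge = new_pkce_pair()
    resp = srv.exchange(token_request_body(srv.issue_code(challenge), CONSUMER_SECRET, verifier))
    results["legitimate_client"] = "tokens_issued" if "access_token" in resp else resp["error"]
    return results


if __name__ == "__main__":
    print("POST", TOKEN_URL)
    print(urlencode(token_request_body("<authorization-code>", CONSUMER_SECRET)))
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The first scenario is the gap this control closes: the code plus the public consumer key is enough. The second shows the control working, and the third shows why PKCE counts as a compensating control, with the caveat that the model only checks the verifier, not who the caller is, which is why the fourth scenario sends both.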

          Business and Integration Considerations

          Enabling this requirement can break existing integrations: any client that currently omits client_secret from its token request will have that request rejected at the token endpoint (the standard OAuth error is invalid_client) until it is updated. This typically affects third-party clients that were configured to skip the secret, and front-end or native code that has no secure place to store a secret; the latter should be moved to a server-side component that holds the secret, or kept on PKCE with a separate, appropriately scoped connected app.

          Recommended Remediation

          In Setup, open App Manager, edit the connected app, and under API (Enable OAuth Settings) select the "Require Secret for Web Server Flow" checkbox. Before saving, confirm that every integration using the app sends client_secret in its authorization-code exchange.

          Security Health Review Guidance

          Security Health Review identifies this as a foundational "Confidential Client" requirement so that sensitive CRM data is only released to verified, server-side applications that can protect their credentials.

          Salesforce Help | Article