Introduction
Salesforce offers multiple ways to authenticate API requests — but one question developers often ask is:
Can you use OAuth 2.0 with the Salesforce SOAP API? Yes. Fully supported — and highly recommended.
This updated guide explains how OAuth 2.0 works with SOAP, how to implement it using External Client Apps (ECA) and the best practices for secure enterprise integrations.
Understanding Authentication in Salesforce
Salesforce supports several authentication mechanisms:
- SOAP Login Call (legacy)
- OAuth 2.0 (recommended)
- SAML-based SSO
- JWT Assertion
- External Identity Providers
Among these, OAuth 2.0 is the most secure, scalable, and future-proof — and works for both SOAP and REST.
What is OAuth 2.0?
OAuth 2.0 is an industry-standard authorization framework that allows applications to authenticate without sharing passwords.
Key Features:
- Token-based access
- Strong, modern security
- User consent and granular permissions
- Works across mobile, web, and backend systems
Why OAuth 2.0 Matters
Think of OAuth tokens like temporary, revocable access cards. You never share your master key (password) — you share a safe, time-bound token.
What is Salesforce SOAP API?
Salesforce SOAP API is an XML-based, contract-driven API commonly used in:
- Enterprise systems
- Government systems
- Banking/financial integrations
- Legacy platforms
- Middleware tools
Why Developers Still Use SOAP
- Enforces strict schemas
- Predictable behavior
- Enterprise-friendly
- Long-term stability
SOAP vs REST (Quick Comparison)
| Feature | SOAP API | REST API |
|---|---|---|
| Format | XML | JSON |
| Protocol | Strict, structured | Lightweight |
| Best For | Enterprise, legacy systems | Modern web/mobile |
| Authentication | OAuth, Session ID | OAuth |
With OAuth 2.0, SOAP becomes modern, secure, and scalable.
Can You Use OAuth 2.0 with SOAP in Salesforce?
✔ YES — Completely supported.
Instead of using the legacy SOAP login() call, you authenticate via OAuth 2.0 and simply include the OAuth access token in your SOAP request header.
This modernizes SOAP integrations and eliminates passwords.
How OAuth 2.0 Works with Salesforce SOAP API
- Perform OAuth 2.0 authentication
- Salesforce issues an access token
- You pass that token in your SOAP SessionHeader
- Salesforce verifies the token and grants access
No username-password exchange. No login() call. Just secure OAuth tokens.
OAuth 2.0 Authentication Flows for SOAP
Salesforce supports several OAuth flows compatible with SOAP API:
- Authorization Code Flow Best for interactive logins.
- Username–Password Flow Simple but not secure — avoid for production.
- JWT Bearer Token Flow (recommended) Ideal for server-to-server SOAP integrations.
To understand these flows deeper, see: 👉 Salesforce OAuth Flow Types
Step-by-Step: Using OAuth Token in a SOAP Request
1. Create & Configure an External Client App (ECA)
Go to:
Configure:
- Enable OAuth
- Add Callback URL
- Select OAuth Scopes (API, Refresh Token)
Learn more: 👉 Salesforce External Client App
2. Generate an OAuth Access Token
Use any OAuth flow:
- Authorization Code
- JWT Bearer
- Username–Password (not recommended)
You’ll receive:
- access_token
- instance_url
3. Add Token to Your SOAP Header
<soapenv:Header> <urn:SessionHeader> <urn:sessionId>YOUR_OAUTH_ACCESS_TOKEN</urn:sessionId> </urn:SessionHeader> </soapenv:Header>
4. Send Your SOAP Request
Salesforce validates the token, scopes, and policies defined in the ECA.
If valid → Your SOAP call succeeds.
Sample SOAP Envelope with OAuth Token
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:partner.soap.sforce.com"> <soapenv:Header> <urn:SessionHeader> <urn:sessionId>YOUR_OAUTH_ACCESS_TOKEN</urn:sessionId> </urn:SessionHeader> </soapenv:Header> <soapenv:Body> <urn:query> <urn:queryString>SELECT Id, Name FROM Account</urn:queryString> </urn:query> </soapenv:Body> </soapenv:Envelope>
Common Errors & Fixes
| Error | Cause | Fix |
|---|---|---|
| INVALID_SESSION_ID | Token expired | Refresh or generate a new token |
| 401 Unauthorized | Missing token | Add sessionId in header |
| invalid_grant | Callback mismatch | Fix URL in ECA |
| Token revoked | Security policies | Re-authorize |
Security Best Practices
- Prefer JWT Bearer Flow
- Use Refresh Tokens for automation
- Rotate Client Secrets
- Enforce ECA policies
- Never hardcode tokens
- Use Named Credentials
Use Cases Where OAuth 2.0 + SOAP Are Ideal
- Large enterprise ERP → Salesforce
- Banking/finance
- Government systems
- High-security industries
- Legacy middleware
SOAP provides structure; OAuth provides modern security.
Limitations to Keep in Mind
- More setup compared to REST
- Token expiration
- SOAP libraries may need custom headers
Conclusion
So, can you use OAuth 2.0 with the Salesforce SOAP API? ✔ Absolutely YES — and you should.
OAuth modernizes authentication, eliminates password sharing, and strengthens enterprise security.
With the move to External Client Apps (ECA), OAuth is more powerful than ever.
FAQs
Q1. Does Salesforce recommend OAuth 2.0 for SOAP? Yes — OAuth is the preferred authentication method.
Q2. Can I still use the SOAP login() call? Yes, but OAuth is more secure.
Q3. Which OAuth flow is best for server-to-server SOAP? JWT Bearer Flow.
Q4. Can tokens be refreshed automatically? Yes — using Refresh Tokens or JWT.
Q5. Do I need an External Client App (ECA)? Yes — Connected Apps are being replaced.



