Introduction to Salesforce OAuth
If you're working with Salesforce integrations, getting an OAuth access token is one of the most important steps. OAuth works like a secure digital key that allows your application to communicate with Salesforce—without exposing passwords.
Salesforce now uses External Client Apps (ECA) for OAuth-based integrations, replacing legacy Connected Apps. ECAs offer a more secure, modern, and future-proof authentication approach. To understand how ECA works with REST APIs, you can also read How to Connect to Salesforce REST API with OAuth 2.0.
What Is OAuth?
OAuth is an open authorization framework that lets applications access Salesforce data without sharing user credentials. It issues secure, time-bound tokens instead of permanent passwords.
For a more detailed view of OAuth usage in integrations, see How Legacy Systems Communicate with Salesforce Using Connected App Replacement.
Why Salesforce Uses OAuth
Salesforce uses OAuth for:
- Secure authentication
- Avoiding password sharing
- Granting access only to what the app needs
- Enterprise-grade token management
OAuth is also a core requirement for AppExchange apps, as explained in Salesforce Managed Package & Distribution Guide.
Benefits of OAuth in Integrations
- Safe and secure API communication
- Easy to revoke access anytime
- Scalable for enterprise systems
- Required for AppExchange and modern integrations
If you’re building SaaS products or integrations, see Salesforce AppExchange Integration Best Practices.
Understanding Salesforce OAuth Flow Types
Salesforce supports several OAuth flows depending on the integration type. For a deeper comparison of integration patterns, refer to iPaaS vs Native Salesforce Integration.
Authorization Code Grant
Best for apps where users authenticate via UI.
Client Credentials Flow
Best for server-to-server integrations.
Username-Password Flow
Quick but less secure. Use only for dev/testing.
JWT Bearer Token Flow
Ideal for secure backend and enterprise connectors.
When to Use Which Flow
| Use Case | Recommended Flow |
|---|---|
| User logs in through UI | Authorization Code |
| Backend / microservice | Client Credentials / JWT |
| Quick scripts (dev only) | Username-Password |
Steps to Create an External Client App (ECA) in Salesforce
To request OAuth tokens, you must create an External Client App—Salesforce’s modern replacement for Connected Apps. For more details on ECA setup, check Salesforce External Client Apps Explained.
Enable OAuth Settings
- Go to Setup → App Manager
- Click New External Client App
- Enable OAuth
- Add App Name, Contact Email, Description
Add Callback URL
Needed only for Authorization Code Flow.
Example:
https://yourapp.com/callback
Select OAuth Scopes
Choose required permissions:
- Full access
- API
- Refresh token
- OpenID
- Manage user data
Manage Client ID & Client Secret
Once saved, Salesforce generates:
- Client ID — identifies your integration
- Client Secret — used for secure token exchange
Always store them securely.
How to Get OAuth Access Token (Step-by-Step)
Below are instructions for each Salesforce OAuth flow.
Authorization Code Flow
Step 1 – Generate Authorization Code
Visit:
https://login.salesforce.com/services/oauth2/authorize? response_type=code& client_id=YOUR_CLIENT_ID& redirect_uri=YOUR_CALLBACK_URL
Salesforce redirects with:
?code=AUTHORIZATION_CODE
Step 2 – Exchange Code for Access Token
POST:
https://login.salesforce.com/services/oauth2/token
Body:
grant_type=authorization_code code=AUTHORIZATION_CODE client_id=YOUR_CLIENT_ID client_secret=YOUR_CLIENT_SECRET redirect_uri=YOUR_CALLBACK_URL
Response:
{ "access_token": "xxxx", "instance_url": "https://yourinstance.salesforce.com" }
Client Credentials Flow
POST Body:
grant_type=client_credentials client_id=YOUR_CLIENT_ID client_secret=YOUR_CLIENT_SECRET
Returns an access_token without login.
Username-Password Flow
grant_type=password client_id=YOUR_CLIENT_ID client_secret=YOUR_CLIENT_SECRET username=USERNAME password=PASSWORD + SECURITY_TOKEN
JWT Bearer Token Flow
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer assertion=YOUR_JWT
Salesforce validates the JWT → returns token.
Useful Salesforce OAuth Endpoints
Authorization:
https://login.salesforce.com/services/oauth2/authorize
Token Endpoint:
https://login.salesforce.com/services/oauth2/token
Instance URL: Returned in OAuth response.
Testing OAuth with Postman
Configure POST request → Token Endpoint
Add headers:
Content-Type: application/x-www-form-urlencoded
Validate token:
GET {{instance_url}}/services/data/v62.0/ Authorization: Bearer {{access_token}}
Common OAuth Errors and Fixes
Invalid Client ID/Secret Re-check ECA values.
Redirect URI mismatch Must match exactly.
Missing Scopes Add required scopes and re-authorize.
IP Restrictions Whitelist IPs for testing.
Best Practices for Salesforce OAuth
- Store secrets in environment variables
- Use Named Credentials
- Rotate client secrets
- Monitor failed attempts
- Use TLS everywhere
- Use least-privilege scopes
For deep security practices, check Salesforce Integration Security Best Practices.
Conclusion
Salesforce’s OAuth framework—powered by External Client Apps—provides a secure, scalable, and modern method for generating access tokens. Whether you're building a web app, backend integration, or enterprise-level connector, choosing the right OAuth flow ensures your integration is both reliable and secure.
FAQs
1. Which OAuth flow is best for external integrations? Client Credentials or JWT.
2. Do I need a callback URL? Only for Authorization Code Flow.
3. Can I use OAuth without an External Client App? No—ECA is required.
4. How long do access tokens last? Usually ~12 hours.
5. Can access tokens be refreshed?
Yes, using the refresh_token scope.



