Introduction
Ever logged into an app using Google or Facebook without entering your password? That frictionless login experience is powered by OAuth 2.0, a modern security protocol.
In Salesforce, OAuth 2.0 enables external systems to access Salesforce data without sharing passwords, making integrations more secure, scalable, and user-controlled.
And now, Salesforce is evolving — shifting from Connected Apps to the new, more secure External Client Apps (ECA).
This guide explains OAuth 2.0 in Salesforce in the simplest possible way — updated fully to reflect ECA.
What is OAuth 2.0?
OAuth 2.0 is an industry-standard authorization framework that allows one system to access another system’s data securely using tokens instead of passwords.
It is used everywhere — mobile apps, SaaS platforms, SSO systems, and APIs.
Why OAuth 2.0 Matters in Salesforce
Salesforce integrates with:
- Mobile apps
- Web apps
- ERP systems
- Marketing automation tools
- Custom enterprise platforms
Since these apps exchange sensitive CRM data, OAuth 2.0 ensures:
✔ Secure authentication ✔ Controlled access ✔ No password sharing ✔ Compliance with security standards
How OAuth 2.0 Works in Salesforce
OAuth involves three core components:
- Authorization Server Salesforce itself — verifies identities and issues access tokens.
- Resource Server Salesforce where data lives (records, APIs, objects).
- Client Application The external system that wants to access Salesforce (a SaaS tool, backend app, etc.).
Simple Example:
- App requests permission
- Salesforce asks user to approve
- Salesforce gives a secure access token
- App uses token to call Salesforce APIs
🔥 Passwords are never shared. Tokens handle everything.
Different OAuth 2.0 Flows in Salesforce
Salesforce supports multiple OAuth flows depending on the use case:
- Authorization Code Flow
- Client Credentials Flow
- Username-Password Flow
- JWT Bearer Token Flow
- Device Flow
- SAML Bearer Assertion Flow
Each flow balances security and simplicity differently.
⭐ What is an External Client App (ECA) in Salesforce? (Updated Requirement)
Salesforce is moving away from Connected Apps and replacing them with External Client Apps (ECA) — the new framework for OAuth configurations.
An ECA is where you configure OAuth settings such as:
- Who can connect
- What data they can access
- Token settings
- Policies & SSO
- API scopes
👉 If you are building any OAuth integration today, use ECA instead of Connected Apps.
Steps to Configure OAuth 2.0 in Salesforce (Using ECA)
- Go to Setup → App Manager
- Click New External Client App (ECA)
- Enable OAuth Settings
- Add Callback URL
- Select OAuth Scopes
- Save and configure policies
Use the generated Client ID & Client Secret in your app.
OAuth 2.0 Scopes in Salesforce
Scopes define access levels:
- API
- Refresh Token
- Web
- Full
Tokens in OAuth 2.0
- Access Token – short-lived
- Refresh Token – long-lived
If compromised, tokens can be revoked instantly.
Security Best Practices
✔ Use Authorization Code or JWT flows ✔ Avoid Username-Password flow ✔ Rotate secrets ✔ Enforce SSL/TLS ✔ Least privilege access
Real-World Use Cases of OAuth 2.0 in Salesforce
| Use Case | Best Flow |
|---|---|
| Web app login | Authorization Code + PKCE |
| Server-to-server | JWT or Client Credentials |
| Mobile apps | Authorization Code + PKCE |
| IoT | Device Flow |
| Enterprise SSO | SAML Bearer Flow |
Common OAuth Errors & Fixes
- Invalid callback URL → Fix in ECA
- Invalid grant → Token expired
- Invalid client → Wrong ID/secret
- Insufficient scopes → Add in ECA
Benefits of OAuth 2.0 in Salesforce Integration
- No password sharing
- Strong governance
- Smooth communication
- User-controlled permissions
- Standardized authorization
- Future-proof integrations
OAuth vs Basic Authentication
OAuth is significantly more secure and recommended.
Conclusion
Salesforce relies on OAuth 2.0 to provide secure, modern, password-less integration across systems.
With External Client Apps replacing Connected Apps, Salesforce integrations are becoming more secure and enterprise-ready.
If you're building any Salesforce integration — OAuth 2.0 is the foundation.
FAQs
- Is OAuth 2.0 required in Salesforce? Yes — almost all integrations need OAuth.
- Which flow for a web application? Authorization Code Flow with PKCE.
- Do I need an ECA? Yes — Connected Apps are being replaced.
- How long do access tokens last? Minutes — based on org policy.
- What if a token is compromised? Admins can revoke instantly.



