
Introduction to Salesforce OAuth
If you're working with Salesforce integrations, getting an OAuth access token is one of the most important steps. OAuth works like a secure digital key that allows your application to communicate with Salesforce—without exposing passwords.
Salesforce now uses External Client Apps (ECA) for OAuth-based integrations, replacing legacy Connected Apps. ECAs offer a more secure, modern, and future-proof authentication approach.
To understand how ECA works with REST APIs, you can also read How to Connect to Salesforce REST API with OAuth 2.0.
What Is OAuth?
OAuth is an open authorization framework that lets applications access Salesforce data without sharing user credentials. It issues secure, time-bound tokens instead of permanent passwords.
For a more detailed view of OAuth usage in integrations, see How Legacy Systems Communicate with Salesforce Using Connected App Replacement.
Why Salesforce Uses OAuth
Salesforce uses OAuth for:
Secure authentication
Avoiding password sharing
Granting access only to what the app needs
Enterprise-grade token management
OAuth is also a core requirement for AppExchange apps, as explained in Salesforce Managed Package & Distribution Guide.
Benefits of OAuth in Integrations
Safe and secure API communication
Easy to revoke access anytime
Scalable for enterprise systems
Required for AppExchange and modern integrations
If you’re building SaaS products or integrations, see Salesforce AppExchange Integration Best Practices.
Understanding Salesforce OAuth Flow Types
Salesforce supports several OAuth flows depending on the integration type.
For a deeper comparison of integration patterns, refer to iPaaS vs Native Salesforce Integration.
Authorization Code Grant
Best for apps where users authenticate via UI.
Client Credentials Flow
Best for server-to-server integrations.
Username-Password Flow
Quick but less secure. Use only for dev/testing.
JWT Bearer Token Flow
Ideal for secure backend and enterprise connectors.
When to Use Which Flow
Steps to Create an External Client App (ECA) in Salesforce
To request OAuth tokens, you must create an External Client App—Salesforce’s modern replacement for Connected Apps.
For more details on ECA setup, check Salesforce External Client Apps Explained.
Enable OAuth Settings
Go to Setup → App Manager
Click New External Client App
Enable OAuth
Add App Name, Contact Email, Description
Add Callback URL
Needed only for Authorization Code Flow.
Example:
https://yourapp.com/callback
Select OAuth Scopes
Choose required permissions:
Full access
API
Refresh token
OpenID
Manage user data
Manage Client ID & Client Secret
Once saved, Salesforce generates:
Client ID — identifies your integration
Client Secret — used for secure token exchange
Always store them securely.
How to Get OAuth Access Token (Step-by-Step)
Below are instructions for each Salesforce OAuth flow.
Authorization Code Flow
Step 1 – Generate Authorization Code
Visit:
https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_CALLBACK_URL
Salesforce redirects with:
?code=AUTHORIZATION_CODE
Step 2 – Exchange Code for Access Token
POST:
https://login.salesforce.com/services/oauth2/token
Body:
grant_type=authorization_code&code=AUTHORIZATION_CODE&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&redirect_uri=YOUR_CALLBACK_URL
Response:
{ "access_token": "xxxx", "instance_url": "https://yourinstance.salesforce.com" }
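The two steps above as an added Go example (not code from the original article): it builds the Step 1 URL, checks the redirect before trusting the code, assembles the Step 2 body, and parses the JSON response. Beyond the parameters the page lists it adds the standard state value (so a callback can be tied to the request that started it) and a PKCE code_challenge / code_verifier pair, both of which Salesforce's authorization code flow accepts. The client ID, secret and callback URL are the page's placeholders, and nothing here contacts Salesforce.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

const (
	authorizeEndpoint = "https://login.salesforce.com/services/oauth2/authorize"
	tokenEndpoint     = "https://login.salesforce.com/services/oauth2/token"
)

// TokenResponse holds the fields of the JSON body the token endpoint returns.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
	InstanceURL  string `json:"instance_url"`
	TokenType    string `json:"token_type,omitempty"`
}

// RandomToken returns n random bytes as base64url, used for the state value
// and the PKCE code verifier.
func RandomToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallenge derives the S256 PKCE challenge from a verifier (RFC 7636).
func CodeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeURL builds the Step 1 URL. state ties the callback to this request;
// the challenge binds the later token exchange to the client that started it.
func AuthorizeURL(clientID, redirectURI, state, codeChallenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("code_challenge", codeChallenge)
	q.Set("code_challenge_method", "S256")
	return authorizeEndpoint + "?" + q.Encode()
}

// CallbackCode extracts ?code=... from the redirect query and refuses it unless
// the echoed state matches the one sent in Step 1.
func CallbackCode(rawQuery, expectedState string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s: %s", e, q.Get("error_description"))
	}
	if expectedState == "" || q.Get("state") != expectedState {
		return "", errors.New("state mismatch: discarding code")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("no code in callback")
	}
	return code, nil
}

// TokenRequestBody is the form-encoded Step 2 body (fields joined with &).
func TokenRequestBody(code, clientID, clientSecret, redirectURI, codeVerifier string) string {
	f := url.Values{}
	f.Set("grant_type", "authorization_code")
	f.Set("code", code)
	f.Set("client_id", clientID)
	f.Set("client_secret", clientSecret)
	f.Set("redirect_uri", redirectURI)
	f.Set("code_verifier", codeVerifier)
	return f.Encode()
}

// ParseTokenResponse decodes the token endpoint's JSON and insists on the two
// fields every later API call needs.
func ParseTokenResponse(body []byte) (TokenResponse, error) {
	var t TokenResponse
	if err := json.Unmarshal(body, &t); err != nil {
		return t, err
	}
	if t.AccessToken == "" || t.InstanceURL == "" {
		return t, errors.New("token response missing access_token or instance_url")
	}
	return t, nil
}

func main() {
	state, _ := RandomToken(16)
	verifier, _ := RandomToken(32)
	fmt.Println("Step 1:", AuthorizeURL("YOUR_CLIENT_ID", "https://yourapp.com/callback", state, CodeChallenge(verifier)))
	fmt.Println("Step 2 POST", tokenEndpoint, "body:", TokenRequestBody("AUTHORIZATION_CODE", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET", "https://yourapp.com/callback", verifier))
}
```

Keep the state and verifier in server-side session storage between the two steps; both are single-use, and a callback whose state is unknown is simply dropped.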
Client Credentials Flow
POST Body:
grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
Returns an access_token without an interactive user login.
Username-Password Flow
grant_type=password&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&username=USERNAME&password=PASSWORD
Here the password value is the user's password with their security token appended directly after it (no separator).
JWT Bearer Token Flow
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=YOUR_JWT
Salesforce verifies the JWT's signature against the certificate registered on the ECA and returns an access token.
Useful Salesforce OAuth Endpoints
Authorization: https://login.salesforce.com/services/oauth2/authorize
Token Endpoint: https://login.salesforce.com/services/oauth2/token
Instance URL:
Returned in OAuth response.
Testing OAuth with Postman
Configure POST request → Token Endpoint
Add headers:
Content-Type: application/x-www-form-urlencoded
Validate token:
GET {{instance_url}}/services/data/v62.0/
Authorization: Bearer {{access_token}}
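The same validation request as an added Go example (not code from the article), run against a constructed stub that stands in for the instance URL so it works offline, together with the refresh_token body the FAQ refers to. The 401 body shape (a JSON array with errorCode INVALID_SESSION_ID) is what Salesforce returns for a stale or revoked token; the stub, the token values and the client credentials are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// APIError is the element shape of the JSON array Salesforce returns on REST
// errors, e.g. INVALID_SESSION_ID when the bearer token is no longer valid.
type APIError struct {
	Message   string `json:"message"`
	ErrorCode string `json:"errorCode"`
}

// ErrTokenInvalid means the org answered 401: refresh or re-request the token
// instead of retrying with the same one.
var ErrTokenInvalid = errors.New("access token rejected")

// ValidateToken performs the GET shown above and returns the resource map the
// API root serves when the bearer token is accepted.
func ValidateToken(instanceURL, accessToken string) (map[string]string, error) {
	req, err := http.NewRequest(http.MethodGet, instanceURL+"/services/data/v62.0/", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	client := &http.Client{Timeout: 10 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what we buffer
	if err != nil {
		return nil, err
	}
	switch resp.StatusCode {
	case http.StatusOK:
		resources := map[string]string{}
		if err := json.Unmarshal(body, &resources); err != nil {
			return nil, err
		}
		return resources, nil
	case http.StatusUnauthorized:
		var errs []APIError
		if json.Unmarshal(body, &errs) == nil && len(errs) > 0 {
			return nil, fmt.Errorf("%w: %s (%s)", ErrTokenInvalid, errs[0].ErrorCode, errs[0].Message)
		}
		return nil, ErrTokenInvalid
	default:
		return nil, fmt.Errorf("unexpected HTTP %d from %s", resp.StatusCode, instanceURL)
	}
}

// RefreshTokenBody is the form body that exchanges a refresh token for a new
// access token at the token endpoint (grant_type=refresh_token).
func RefreshTokenBody(refreshToken, clientID, clientSecret string) string {
	f := url.Values{}
	f.Set("grant_type", "refresh_token")
	f.Set("refresh_token", refreshToken)
	f.Set("client_id", clientID)
	f.Set("client_secret", clientSecret)
	return f.Encode()
}

// NewStubInstance is a constructed stand-in for an org: it accepts exactly one
// bearer token and otherwise answers with Salesforce's 401 error shape.
func NewStubInstance(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]`)
			return
		}
		fmt.Fprint(w, `{"sobjects":"/services/data/v62.0/sobjects","query":"/services/data/v62.0/query"}`)
	}))
}

func main() {
	srv := NewStubInstance("xxxx")
	defer srv.Close()
	if res, err := ValidateToken(srv.URL, "xxxx"); err == nil {
		fmt.Println("token valid; resources:", len(res))
	}
	if _, err := ValidateToken(srv.URL, "stale"); errors.Is(err, ErrTokenInvalid) {
		fmt.Println(err, "-> POST", RefreshTokenBody("REFRESH_TOKEN", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"))
	}
}
```

A client that distinguishes 401 from other failures can refresh exactly once and then stop, which avoids hammering the token endpoint with a revoked refresh token and shows up cleanly in the failed-attempt monitoring recommended below.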
Common OAuth Errors and Fixes
Invalid Client ID/Secret
Re-check ECA values.
Redirect URI mismatch
Must match exactly.
Missing Scopes
Add required scopes and re-authorize.
IP Restrictions
Add the calling IP addresses to the allowed IP ranges for testing.
Best Practices for Salesforce OAuth
Store secrets in environment variables
Use Named Credentials
Rotate client secrets
Monitor failed attempts
Use TLS everywhere
Use least-privilege scopes
For deep security practices, check Salesforce Integration Security Best Practices.
Conclusion
Salesforce’s OAuth framework—powered by External Client Apps—provides a secure, scalable, and modern method for generating access tokens. Whether you're building a web app, backend integration, or enterprise-level connector, choosing the right OAuth flow ensures your integration is both reliable and secure.
FAQs
1. Which OAuth flow is best for external integrations?
Client Credentials or JWT.
2. Do I need a callback URL?
Only for Authorization Code Flow.
3. Can I use OAuth without an External Client App?
No—ECA is required.
4. How long do access tokens last?
Usually ~12 hours.
5. Can access tokens be refreshed?
Yes, using the refresh_token scope.
Ready to transform your Salesforce experience?
Start exploring the Salesforce Exchange today and discover apps that can take your CRM efficiency to the next level.