Appnigma

How to Connect to Salesforce REST API with OAuth 2.0

Salesforce REST API

Dec 08, 2025

5 min read


Introduction

Connecting to the Salesforce REST API is one of the most effective ways to build modern integrations, automate workflows, and sync B2B systems. But before any API calls can be made, your application needs a secure way to authenticate — and OAuth 2.0 is the industry standard.

As Salesforce evolves its security model, the platform is transitioning away from Connected Apps and moving toward a more secure, admin-controlled mechanism: External Client Apps (ECA).

In this guide, you’ll learn:

  • What Salesforce REST API is

  • Why OAuth 2.0 is preferred

  • How External Client Apps work

  • How to authenticate using OAuth flows

  • How to request and refresh tokens

  • How to test everything using Postman

  • Troubleshooting and best practices

Let’s get started.

What is Salesforce REST API?

The Salesforce REST API allows you to interact with Salesforce data using simple HTTP requests. You can:

  • Query records

  • Create or update objects

  • Delete data

  • Execute searches

  • Perform DML operations

It’s lightweight, fast, and ideal for modern integrations spanning SaaS products, backend services, or mobile apps.

What is OAuth 2.0?

OAuth 2.0 is a secure authorization framework that allows apps to access Salesforce without handling passwords. Instead, OAuth uses:

  • Access Tokens (short-lived)

  • Refresh Tokens (long-lived)

  • Scopes (permissions)

Think of it like a digital hotel key — granting limited, controlled access without exposing your credentials.

Why OAuth 2.0 Is the Preferred Method

Using OAuth is strongly recommended because it is:

🔐 Highly secure — no password sharing
♻️ Supports token refresh
📱 Ideal for mobile & backend apps
🛡️ Required for AppExchange apps
🌍 Industry standard & scalable

Understanding OAuth 2.0 in Salesforce

External Client Apps (ECA) Overview

Salesforce will gradually phase out Connected Apps.
All new OAuth integrations should use External Client Apps, which offer:

  • Admin-controlled creation

  • Stronger token governance

  • Ability to rotate client secrets

  • Better lifecycle & security management

An ECA defines:

  • OAuth permissions

  • Redirect URIs

  • Allowed scopes

  • Token management policies

OAuth Tokens Explained

Access Token

Short-lived token used to authenticate REST API calls.

Refresh Token

Long-lived token used to generate new access tokens without user login.

OAuth Scopes Explained

Common Salesforce OAuth scopes include:

Full Access (full)

Allows complete access to Salesforce data.

API Access (api)

Required to make REST API calls.

Refresh Token (refresh_token)

Allows your app to request new access tokens.

OpenID Connect (openid)

Used for identity and user profile data.

Prerequisites Before Connecting

You’ll need:

1. Salesforce Org Access

A Developer Edition, Sandbox, or Production org.

2. Ability to Create an External Client App

Admin permission required.

3. Callback URL

Where Salesforce will send the authorization code:

https://yourapp.com/callback

4. Required Scopes

Minimum recommended:

  • api

  • refresh_token

  • openid

Step-by-Step Guide: Connect to Salesforce REST API with OAuth 2.0 (Using ECA)

Step 1: Create an External Client App (ECA)

Go to:

Setup → External Client Apps → New External Client App

Add:

  • App Name

  • Email

  • Description

  • Redirect URI

  • Enable OAuth flows

This replaces the old Connected App creation method.

Step 2: Configure OAuth Settings

Inside your ECA, enable:

✔ Authorization Code Flow
✔ Refresh Token Flow
✔ Require Secret for Web Server Flow

Add callback URL:

https://yourapp.com/callback

Assign scopes:

  • Access and manage your data (api)

  • Perform requests on your behalf (refresh_token)

  • OpenID (openid)

Step 3: Generate Client ID & Client Secret

After saving, Salesforce provides:

  • Client ID

  • Client Secret

These uniquely identify your integration.

Step 4: Request Authorization Code

Direct the user to Salesforce login:

https://login.salesforce.com/services/oauth2/authorize?
  response_type=code&
  client_id=YOUR_CLIENT_ID&
  redirect_uri=YOUR_CALLBACK_URL

(The query parameters are joined with & on one line; they are broken out here only for readability.)

After login, Salesforce sends an authorization code to your callback URL.

Step 5: Exchange Authorization Code for Tokens

POST to:

https://login.salesforce.com/services/oauth2/token

Body:

grant_type=authorization_code
&code=AUTH_CODE
&client_id=CLIENT_ID
&client_secret=CLIENT_SECRET
&redirect_uri=CALLBACK_URL

The body is sent as application/x-www-form-urlencoded, with the parameters joined by & on one line; redirect_uri must be the same value used in the authorize request.

You receive:

  • Access Token

  • Refresh Token

  • Instance URL

  • ID Token

Step 6: Use Access Token to Call REST API

Example request:

GET /services/data/v57.0/sobjects/Account HTTP/1.1
Host: INSTANCE_URL
Authorization: Bearer ACCESS_TOKEN

Here INSTANCE_URL is the host of the instance_url value returned in Step 5 (API calls go to your org's instance, not to login.salesforce.com).

Now you can access Salesforce data!

Step 7: Refresh the Access Token

When the access token expires:

POST to:

https://login.salesforce.com/services/oauth2/token

Body (application/x-www-form-urlencoded):

grant_type=refresh_token
&client_id=CLIENT_ID
&client_secret=CLIENT_SECRET
&refresh_token=REFRESH_TOKEN

You get a new access token instantly.
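Steps 4 to 7 as one working client, added here as an example that is not part of the original article and not Salesforce's or Appnigma's code. It builds the authorize URL, verifies the callback, exchanges the code, calls the REST API using the returned instance_url, and refreshes the access token once when a call comes back 401. HTTP goes through an injected transport object with .post and .get methods so the block runs offline against a constructed stand-in for Salesforce; swap in a real HTTP library for production use. Every client id, secret, code and token below is a constructed value, and the state parameter is an addition to the article's URL (it binds the returning callback to the request that started the login).

```python
"""Salesforce OAuth 2.0 authorization-code flow (steps 4 to 7) end to end.
Example code added to this article, not Salesforce's or Appnigma's own; HTTP
goes through an injected transport (.post/.get) so the block runs offline.
All client ids, secrets, codes and tokens below are constructed values."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN = "https://login.salesforce.com"
API_VERSION = "v57.0"


class SalesforceOAuthClient:
    def __init__(self, client_id, client_secret, redirect_uri, transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.transport = redirect_uri, transport
        self.access_token = self.refresh_token = self.instance_url = None
        self.pending_state = None

    def authorize_url(self, scopes=("api", "refresh_token", "openid")):
        # Step 4. 'state' is not in the article's URL; it ties the callback to
        # this request so a code from some other login cannot be injected.
        self.pending_state = secrets.token_urlsafe(16)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": " ".join(scopes),
                  "state": self.pending_state}
        return f"{LOGIN}/services/oauth2/authorize?{urlencode(params)}"

    def handle_callback(self, callback_url):
        # Step 5: Salesforce redirects to redirect_uri?code=...&state=...
        q = parse_qs(urlparse(callback_url).query)
        if q.get("state", [None])[0] != self.pending_state:
            raise ValueError("state mismatch: callback is not bound to our request")
        self._token_request({"grant_type": "authorization_code", "code": q["code"][0],
                             "client_id": self.client_id, "client_secret": self.client_secret,
                             "redirect_uri": self.redirect_uri})

    def refresh(self):
        # Step 7: trade the long-lived refresh token for a fresh access token.
        self._token_request({"grant_type": "refresh_token", "client_id": self.client_id,
                             "client_secret": self.client_secret,
                             "refresh_token": self.refresh_token})

    def _token_request(self, form):
        status, body = self.transport.post(f"{LOGIN}/services/oauth2/token", form)
        if status != 200:
            raise RuntimeError(f"token endpoint: {body.get('error')}: {body.get('error_description')}")
        self.access_token, self.instance_url = body["access_token"], body["instance_url"]
        # A refresh response carries no new refresh token; keep the existing one.
        self.refresh_token = body.get("refresh_token", self.refresh_token)

    def get(self, path, params=None):
        # Step 6: REST call against instance_url; on 401 refresh once and retry.
        url = f"{self.instance_url}/services/data/{API_VERSION}{path}"
        url += "?" + urlencode(params) if params else ""
        for attempt in range(2):
            status, body = self.transport.get(url, {"Authorization": f"Bearer {self.access_token}"})
            if status == 401 and attempt == 0:
                self.refresh()
                continue
            if status != 200:
                raise RuntimeError(f"REST API {status}: {body}")
            return body


class FakeSalesforce:
    """Constructed stand-in for the token endpoint and REST API: one valid code,
    one valid secret, and the INVALID_SESSION_ID 401 once the access token is expired."""
    def __init__(self):
        self.issued, self.live_token = 0, None

    def post(self, url, form):
        if form["client_secret"] != "SECRET":
            return 401, {"error": "invalid_client", "error_description": "invalid client credentials"}
        if form["grant_type"] == "authorization_code" and form["code"] != "AUTH_CODE":
            return 400, {"error": "invalid_grant", "error_description": "invalid authorization code"}
        if form["grant_type"] == "refresh_token" and form["refresh_token"] != "REFRESH":
            return 400, {"error": "invalid_grant", "error_description": "expired access/refresh token"}
        self.issued += 1
        self.live_token = f"ACCESS{self.issued}"
        body = {"access_token": self.live_token, "instance_url": "https://example.my.salesforce.com"}
        if form["grant_type"] == "authorization_code":
            body["refresh_token"] = "REFRESH"
        return 200, body

    def get(self, url, headers):
        if headers.get("Authorization") != f"Bearer {self.live_token}":
            return 401, [{"message": "Session expired or invalid", "errorCode": "INVALID_SESSION_ID"}]
        return 200, {"totalSize": 1, "records": [{"Id": "001CONSTRUCTED0001", "Name": "Acme"}]}


def run_demo():
    """Login -> callback -> query, with the session expired in between so the
    query exercises the 401 -> refresh -> retry path. Returns (token before, token after, name)."""
    sf = FakeSalesforce()
    client = SalesforceOAuthClient("CLIENT_ID", "SECRET", "https://yourapp.com/callback", sf)
    state = parse_qs(urlparse(client.authorize_url()).query)["state"][0]
    client.handle_callback(f"https://yourapp.com/callback?code=AUTH_CODE&state={state}")
    first = client.access_token
    sf.live_token = None  # simulate expiry of the access token
    name = client.get("/query", {"q": "SELECT Id, Name FROM Account"})["records"][0]["Name"]
    return first, client.access_token, name


def rejects_forged_callback():
    """A callback whose state does not match is refused before any code exchange."""
    client = SalesforceOAuthClient("CLIENT_ID", "SECRET", "https://yourapp.com/callback", FakeSalesforce())
    client.authorize_url()
    try:
        client.handle_callback("https://yourapp.com/callback?code=AUTH_CODE&state=forged")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting: the refresh token is kept across refresh responses because the refresh grant does not return a new one, and the retry loop refreshes at most once so a revoked refresh token surfaces as an error instead of a loop. The query path URL-encodes the SOQL with urlencode, which produces the same plus-separated form the Postman example below uses.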

Salesforce OAuth 2.0 Grant Types

Authorization Code Grant

Most secure. Recommended for web apps.

JWT Bearer Token Grant

Ideal for backend or server-to-server integrations without user login.

Username-Password Flow

Not recommended — less secure.

Device Flow

Best for devices with limited interfaces (IoT).

Using Postman for Testing

Set environment variables:

  • client_id

  • client_secret

  • callback_url

  • instance_url

Test REST API:

/services/data/v57.0/query?q=SELECT+Id,+Name+FROM+Account

Common Issues & Troubleshooting

Invalid Client ID/Secret
Double-check ECA settings.

Redirect URI Mismatch
Callback URL must match exactly.

Insufficient Scopes
Ensure api and refresh_token are added.

Expired Token
Use refresh token flow.

Best Practices for Secure Integration

🔒 Do not store secrets in plain text
♻️ Rotate secrets regularly
🛡️ Use Refresh Tokens effectively
⚙️ Use Salesforce Named Credentials
🔐 Enable IP and session policies for added security

Conclusion

Connecting to the Salesforce REST API using OAuth 2.0 and External Client Apps is now the most secure, scalable, and future-proof method. With ECA replacing Connected Apps, Salesforce provides stronger governance, improved lifecycle controls, and enhanced token management — making integrations safer and easier to manage.

Whether you’re building a SaaS integration, automating backend tasks, or connecting enterprise systems, OAuth 2.0 is your secure gateway into Salesforce.

FAQs

1. Can I still use Connected Apps?

Salesforce is phasing them out. New integrations must use External Client Apps.

2. How long do access tokens last?

Typically minutes to hours.

3. Can refresh tokens be used indefinitely?

Yes — unless revoked or policy-limited.

4. Best flow for server-to-server integration?

JWT Bearer Token Flow.

5. Can I test everything with Postman?

Absolutely — it's the easiest testing tool.
