Appnigma

What is OAuth 2.0 in Salesforce? A Complete Beginner-Friendly Guide

Salesforce OAuth 2.0

Dec 08, 2025

4 min read


Introduction

Ever logged into an app using Google or Facebook without entering your password?
That frictionless login experience is powered by OAuth 2.0, a modern security protocol.

In Salesforce, OAuth 2.0 enables external systems to access Salesforce data without sharing passwords, making integrations more secure, scalable, and user-controlled.

And now, Salesforce is evolving — shifting from Connected Apps to the new, more secure External Client Apps (ECA).

This guide explains OAuth 2.0 in Salesforce in the simplest possible way — updated fully to reflect ECA.

What is OAuth 2.0?

OAuth 2.0 is an industry-standard authorization framework that allows one system to access another system’s data securely using tokens instead of passwords.

It is used everywhere — mobile apps, SaaS platforms, SSO systems, and APIs.

Why OAuth 2.0 Matters in Salesforce

Salesforce integrates with:

  • Mobile apps

  • Web apps

  • ERP systems

  • Marketing automation tools

  • Custom enterprise platforms

Since these apps exchange sensitive CRM data, OAuth 2.0 ensures:

✔ Secure authentication
✔ Controlled access
✔ No password sharing
✔ Compliance with security standards

How OAuth 2.0 Works in Salesforce

OAuth involves three core components:

  1. Authorization Server
    Salesforce itself — verifies identities and issues access tokens.

  2. Resource Server
    Also Salesforce, acting as the system where the protected data lives (records, objects, REST/SOAP APIs) and that accepts access tokens on each request.

  3. Client Application
    The external system that wants to access Salesforce (a SaaS tool, backend app, etc.).

Simple Example:

  • App requests permission

  • Salesforce asks user to approve

  • Salesforce gives a secure access token

  • App uses token to call Salesforce APIs

🔥 Passwords are never shared. Tokens handle everything.
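The four bullets above, worked through as code. This is an added example and not part of the original article or any Salesforce library: the two endpoint URLs are the real Salesforce OAuth endpoints, while the client id, callback URL and the callback query string are constructed placeholders. It uses the Authorization Code flow with PKCE (the flow the FAQ recommends for web apps) and runs fully offline, building the requests rather than sending them.

```python
"""Authorization Code flow with PKCE against Salesforce, built offline.

Added example, not from the original article. AUTHORIZE_URL and TOKEN_URL are
the real Salesforce endpoints; the client id, redirect URI and callback query
string used below are constructed placeholders.
"""
import base64
import hashlib
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, inside the 43..128 length range of RFC 7636
    return b64url(secrets.token_bytes(32))


def authorize_request(client_id: str, redirect_uri: str, scopes, verifier: str,
                      state: str) -> Tuple[str, Dict[str, str]]:
    """Step 1: the app sends the user's browser to Salesforce to approve access.
    Returns the full URL and the query parameters it carries."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,          # must exactly match the Callback URL in the ECA
        "scope": " ".join(scopes),             # Salesforce scope names, e.g. "api refresh_token"
        "state": state,                        # ties the callback to this session (CSRF defence)
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", params


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: Salesforce redirects back with ?code=...&state=...; reject a state mismatch."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback did not originate from our authorize request")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    return query["code"][0]


def token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> Dict[str, str]:
    """Step 3: form fields POSTed to TOKEN_URL. The verifier proves this client started the
    flow, so an intercepted code is useless on its own. A confidential (server-side) client
    also sends its client_secret here; a public client must not embed one."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def bearer_header(token_response: Dict[str, str]) -> Dict[str, str]:
    """Step 4: every API call carries the access token; the user's password never appears."""
    return {"Authorization": f"Bearer {token_response['access_token']}"}


if __name__ == "__main__":
    verifier, state = new_verifier(), secrets.token_urlsafe(16)
    url, _ = authorize_request("CLIENT-ID-PLACEHOLDER", "https://app.example.com/oauth/callback",
                               ["api", "refresh_token"], verifier, state)
    print("redirect the user to:", url)
    # Constructed callback, standing in for what Salesforce would send back after approval
    code = parse_callback(f"https://app.example.com/oauth/callback?code=aPrxDemo&state={state}", state)
    print("token request body:", token_request("CLIENT-ID-PLACEHOLDER",
                                               "https://app.example.com/oauth/callback", code, verifier))
```

The verifier and the state value live only in the app's server-side session between steps 1 and 3; if either check fails the app should abandon the flow rather than retry with the received code.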

Different OAuth 2.0 Flows in Salesforce

Salesforce supports multiple OAuth flows depending on the use case:

  1. Authorization Code Flow

  2. Client Credentials Flow

  3. Username-Password Flow

  4. JWT Bearer Token Flow

  5. Device Flow

  6. SAML Bearer Assertion Flow

Each flow balances security and simplicity differently.

What is an External Client App (ECA) in Salesforce? (Updated Requirement)

Salesforce is moving away from Connected Apps and replacing them with External Client Apps (ECA) — the new framework for OAuth configurations.

An ECA is where you configure OAuth settings such as:

  • Who can connect

  • What data they can access

  • Token settings

  • Policies & SSO

  • API scopes

👉 If you are building any OAuth integration today, use ECA instead of Connected Apps.

Steps to Configure OAuth 2.0 in Salesforce (Using ECA)

  • Go to Setup → App Manager

  • Click New External Client App (ECA)

  • Enable OAuth Settings

  • Add Callback URL

  • Select OAuth Scopes

  • Save and configure policies

Use the generated Client ID & Client Secret in your app.

OAuth 2.0 Scopes in Salesforce

Scopes define access levels:

  • API

  • Refresh Token

  • Web

  • Full

Tokens in OAuth 2.0

  • Access Token – short-lived

  • Refresh Token – long-lived

If compromised, tokens can be revoked instantly.

Security Best Practices

✔ Use Authorization Code or JWT flows
✔ Avoid Username-Password flow
✔ Rotate secrets
✔ Enforce SSL/TLS
✔ Least privilege access

Real-World Use Cases of OAuth 2.0 in Salesforce


Common OAuth Errors & Fixes

  • Invalid callback URL → The redirect URI must match the Callback URL registered in the ECA; fix it there

  • Invalid grant → The authorization code or refresh token has expired; re-run the flow

  • Invalid client → Wrong Client ID or Client Secret

  • Insufficient scopes → Add the missing scope in the ECA
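The "Tokens in OAuth 2.0" section and the error list above describe the same lifecycle from two sides: a short-lived access token that expires, a long-lived refresh token that mints a new one, and the error you get once a refresh token has been revoked. The client below is an added example, not code from the article or from Salesforce: `TOKEN_URL` and `REVOKE_URL` are the real Salesforce endpoints and `INVALID_SESSION_ID` is the error code Salesforce REST returns for an expired session, but the client id, tokens, instance URL and the `FakeSalesforce` stand-in are constructed so the example runs offline.

```python
"""Access-token refresh and revocation for a Salesforce client, exercised offline.

Added example, not from the original article. TOKEN_URL and REVOKE_URL are the
real Salesforce OAuth endpoints; the ids, tokens, instance URL and the
FakeSalesforce responses are constructed for the demo.
"""
import json
from typing import Callable, Dict, Tuple

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
REVOKE_URL = "https://login.salesforce.com/services/oauth2/revoke"

# Remediation hints for token-endpoint error codes (codes from RFC 6749 section 5.2;
# the hints paraphrase the article's "Common OAuth Errors & Fixes" list).
ERROR_HINTS = {
    "invalid_grant": "code or refresh token expired/revoked: re-run the authorization flow",
    "invalid_client": "client id/secret wrong: check the ECA credentials",
    "invalid_scope": "scope not granted: add it to the ECA's OAuth scopes",
}


class OAuthError(Exception):
    def __init__(self, code: str, description: str):
        hint = ERROR_HINTS.get(code, "see error_description")
        super().__init__(f"{code}: {description} ({hint})")
        self.code = code
        self.description = description


# transport(method, url, headers, form_fields) -> (http_status, response_body_text)
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, str]]


class SalesforceClient:
    """Holds a short-lived access token plus a long-lived refresh token; never a password.
    On INVALID_SESSION_ID it refreshes once and retries the request."""

    def __init__(self, client_id: str, client_secret: str, access_token: str,
                 refresh_token: str, instance_url: str, transport: Transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.access_token, self.refresh_token = access_token, refresh_token
        self.instance_url, self.transport = instance_url, transport

    def get(self, path: str):
        status, body = self._call(path)
        if status == 401 and self._session_invalid(body):
            self.refresh()                      # raises OAuthError if the refresh token is dead
            status, body = self._call(path)     # retry exactly once with the new token
        return status, json.loads(body)

    def _call(self, path: str):
        headers = {"Authorization": f"Bearer {self.access_token}"}
        return self.transport("GET", self.instance_url + path, headers, {})

    @staticmethod
    def _session_invalid(body: str) -> bool:
        try:
            errors = json.loads(body)
        except ValueError:
            return False
        return isinstance(errors, list) and any(e.get("errorCode") == "INVALID_SESSION_ID" for e in errors)

    def refresh(self) -> None:
        fields = {"grant_type": "refresh_token", "client_id": self.client_id,
                  "client_secret": self.client_secret, "refresh_token": self.refresh_token}
        status, body = self.transport("POST", TOKEN_URL, {}, fields)
        data = json.loads(body)
        if status != 200:
            raise OAuthError(data.get("error", "unknown"), data.get("error_description", ""))
        self.access_token = data["access_token"]
        self.instance_url = data.get("instance_url", self.instance_url)

    def revoke(self) -> bool:
        """Revoking the refresh token also kills the access tokens issued from it."""
        status, _ = self.transport("POST", REVOKE_URL, {}, {"token": self.refresh_token})
        self.access_token = self.refresh_token = None
        return status == 200


class FakeSalesforce:
    """Constructed stand-in: only NEW-TOKEN is a live session, only GOOD-REFRESH can mint it."""

    def __init__(self):
        self.refresh_calls = 0
        self.revoked = set()

    def handle(self, method, url, headers, fields):
        if url == TOKEN_URL:
            self.refresh_calls += 1
            rt = fields.get("refresh_token")
            if rt == "GOOD-REFRESH" and rt not in self.revoked:
                return 200, json.dumps({"access_token": "NEW-TOKEN", "token_type": "Bearer",
                                        "instance_url": "https://example.my.salesforce.com"})
            return 400, json.dumps({"error": "invalid_grant",
                                    "error_description": "expired access/refresh token"})
        if url == REVOKE_URL:
            self.revoked.add(fields["token"])
            return 200, ""
        if headers.get("Authorization") == "Bearer NEW-TOKEN":
            return 200, json.dumps({"DailyApiRequests": {"Max": 15000, "Remaining": 14990}})
        return 401, json.dumps([{"message": "Session expired or invalid",
                                 "errorCode": "INVALID_SESSION_ID"}])
```

Usage: construct `FakeSalesforce()`, pass its `handle` as the transport, start the client with an expired `OLD-TOKEN`, and the first `get()` transparently refreshes; after `revoke()` the next `get()` surfaces `OAuthError("invalid_grant", ...)`, which is the signal to send the user back through the authorization flow rather than to retry.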

Benefits of OAuth 2.0 in Salesforce Integration

  • No password sharing

  • Strong governance

  • Smooth communication

  • User-controlled permissions

  • Standardized authorization

  • Future-proof integrations

OAuth vs Basic Authentication

OAuth is significantly more secure and is the recommended approach: unlike Basic Authentication, which sends the user's credentials with every request, OAuth issues scoped, short-lived tokens that can be revoked without changing the password.

Conclusion

Salesforce relies on OAuth 2.0 to provide secure, modern, password-less integration across systems.

With External Client Apps replacing Connected Apps, Salesforce integrations are becoming more secure and enterprise-ready.

If you're building any Salesforce integration — OAuth 2.0 is the foundation.

FAQs

  • Is OAuth 2.0 required in Salesforce?
    Yes — almost all integrations need OAuth.

  • Which flow for a web application?
    Authorization Code Flow with PKCE.

  • Do I need an ECA?
    Yes — Connected Apps are being replaced.

  • How long do access tokens last?
    Minutes — based on org policy.

  • What if a token is compromised?
    Admins can revoke instantly.
