ContextQMD
Back to Infisical

Salesforce Connection

docs/integrations/app-connections/salesforce.mdx

0.160.56.2 KB
Original Source

Infisical supports the OAuth 2.0 Client Credentials flow to connect with your Salesforce org.

Configure a Connected App in Salesforce

<Steps> <Step title="Open Settings"> In the top-right corner, click the gear icon. 
    ![Gear Icon](/images/app-connections/salesforce/gear-icon.png)

    Click the **Setup** option.
    ![Open Setup](/images/app-connections/salesforce/open-setup.png)
</Step>

<Step title="Create a Connected App">
    In Salesforce Setup, search for **External Client App Manager** and select it from the results.
    ![Search External Client App Manager](/images/app-connections/salesforce/search-app.png)

    Click **New External Client App**.
    ![Create External Client App](/images/app-connections/salesforce/create-connected-app.png)

    Provide a name, API name, and contact email.
    ![Basic Information](/images/app-connections/salesforce/basic-info-app.png)
</Step>
<Step title="Enable OAuth Settings">
    Under **API (Enable OAuth Settings)**:
    - Check **Enable OAuth**.
    - Provide a callback URL.
        <Note>
            The callback URL is only used by Salesforce's OAuth Web Server Flow. Since this External Client App is used solely to rotate secrets via the Client Credentials Flow, the callback URL is never invoked — any valid URL (e.g. `https://localhost`) works.
        </Note>
    - Add the OAuth scopes your integration requires. For secret rotation, you must select **Manage user data via APIs (api)**.
    - Check **Enable Client Credentials Flow** and **Enable Token Exchange Flow** (along with the sub-option **Require secret for Token Exchange Flow**).

    ![OAuth Scopes and Flow Enablement](/images/app-connections/salesforce/oauth-scopes.png)

    Under **Security**, enable **Require secret for Web Server Flow** and **Require secret for Refresh Token Flow**.

    Save the Connected App by clicking **Create**. It may take a few minutes for the new app to become available.
    ![OAuth Security Settings](/images/app-connections/salesforce/oauth-security.png)
</Step>
<Step title="Configure the Policies">
    Go back to the **External Client App Manager** page and select the External Client App you just created. To do this, search again for **External Client App Manager**.

    ![External created app](/images/app-connections/salesforce/created-external-app.png)

    Click the app you just created, select the **Policies** tab, and click **Edit**.

    ![Policies Tab](/images/app-connections/salesforce/policies-tab.png)

    Under the **OAuth Policies** section, check **Enable Client Credentials Flow** and provide a username under **Run As (Username)** to specify which user the flow runs as.
    ![Policies](/images/app-connections/salesforce/policies.png)
</Step>
<Step title="Copy the Consumer Key and Consumer Secret">
    Back on the **Settings** tab, go to the **OAuth Settings** section and click **Consumer Key and Secret** to open a new page where the values are displayed.
    ![Consumer Key and Secret Button](/images/app-connections/salesforce/get-secret-key.png)

    Copy both the **Consumer Key** and **Consumer Secret** for later.
    ![Consumer Details](/images/app-connections/salesforce/secret-value.png)
</Step>
<Step title="Enable access to External Client App Consumer">
    Search again for **External Client Apps** and click the **Settings** sub-option. Under **External Client App Settings**, enable **Allow access to External Client App consumer secrets via REST API**.
    ![Allow Access to Consumer Secrets](/images/app-connections/salesforce/allow-access.png)
</Step>
<Step title="Identify Your My Domain URL">
    In Salesforce Setup, search for **My Domain**.
    ![Search My Domain](/images/app-connections/salesforce/domain-search.png)

    Copy the **Current My Domain URL** (e.g. `my-org.my.salesforce.com`). This is your instance URL.
    ![My Domain URL](/images/app-connections/salesforce/domain-value.png)
</Step>
</Steps>

Setup Salesforce Connection in Infisical

<Tabs> <Tab title="Infisical UI"> 1. Navigate to **App Connections** in your organization or project. 
    2. Select the **Salesforce Connection** option.
    ![Select Salesforce Connection](/images/app-connections/salesforce/search-infisical.png)

    3. Enter your **Instance URL**, **Consumer Key**, and **Consumer Secret** from the previous section, then click **Connect to Salesforce**.
    ![Create Salesforce Connection](/images/app-connections/salesforce/fillup-info.png)

    4. Your **Salesforce Connection** is now available for use.
    ![Salesforce Connection Created](/images/app-connections/salesforce/app-connection.png)
</Tab>
<Tab title="API">
    To create a Salesforce Connection, make an API request to the [Create Salesforce
    Connection](/api-reference/endpoints/app-connections/salesforce/create) API endpoint.

    ### Sample request

    ```bash Request
    curl    --request POST \
    --url https://app.infisical.com/api/v1/app-connections/salesforce \
    --header 'Content-Type: application/json' \
    --data '{
        "name": "my-salesforce-connection",
        "method": "client-credentials",
        "credentials": {
            "instanceUrl": "my-org.my.salesforce.com",
            "consumerKey": "...",
            "consumerSecret": "..."
        }
    }'
    ```

    ### Sample response

    ```bash Response
    {
        "appConnection": {
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "name": "my-salesforce-connection",
            "version": 1,
            "orgId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "createdAt": "2026-05-04T05:31:56Z",
            "updatedAt": "2026-05-04T05:31:56Z",
            "app": "salesforce",
            "method": "client-credentials",
            "credentials": {
                "instanceUrl": "my-org.my.salesforce.com"
            }
        }
    }
    ```
</Tab>
</Tabs>