Salesforce API
| title | description | updated_date |
|---|---|---|
| Salesforce API | How to create a dedicated integration user and set up OAuth 2.0 Client Credentials Flow for Salesforce REST API access. | 2025-10-24T16:45:21Z |
What we need
- [ ] Salesforce instance URL (e.g., https://yourcompany.my.salesforce.com)
- [ ] Client ID
- [ ] Client Secret
This guide provides step-by-step instructions for creating a dedicated integration user in Salesforce and configuring the OAuth 2.0 Client Credentials Flow for secure server-to-server API access. This approach is ideal for bulk data retrieval operations and automated integrations.
Why Use a Dedicated Integration User?
A dedicated integration user provides several advantages:
- Security: Follows the principle of least privilege by using a user with only the specific permissions needed
- Auditability: Makes it easy to track and audit all API calls in Salesforce logs
- Stability: Provides a stable connection that doesn’t require user intervention
- Simplified Token Management: No need to manage refresh tokens - simply request a new access token when needed
Step 1: Create a Dedicated Integration User
Log in to Salesforce as an Administrator
- Visit your Salesforce instance URL (e.g., https://yourcompany.my.salesforce.com)
- Sign in with administrator credentials
Create a Dedicated Profile
- Navigate to Setup > Users > Profiles
- Click New Profile
- Fill in the required fields:
- Existing Profile: Standard User
- Profile Name: Parable-Profile
- Save the Dedicated Profile. You will now see a summary of the profile
- Select Edit
- Ensure Enable API is checked
- Ensure that, under Standard Object Permissions, only Read, View All Records, and View All Fields are checked for each object:
Create a New User
- Navigate to Setup > Users > Users
- Click New User
- Fill in the required fields:
- First Name: Integration
- Last Name: User
- Email: Use a dedicated email address (e.g., integration-user@yourcompany.com)
- Username: Must be unique (e.g., integration-user@yourcompany.com)
- User License: Select “Salesforce” license
- Profile: Select the “Parable-Profile” profile we created in the previous step
- Save the user
Set Password
- After creating the user, click on Reset Password and email the verification link
- Set a strong, complex password that follows your organization’s security policies
- Store this password securely in your password management system
Step 2: Create an External Client App
Navigate to External Client Apps Setup
- Go to Setup > Apps > App Manager
- Click New External Client App
Configure Basic External Client App Settings
- External Client App Name: Your Integration Name (e.g., “Data Integration”)
- API Name: Will auto-populate
- Contact Email: Your team’s email address
Enable OAuth Settings
- Check Enable OAuth Settings
- Callback URL: Enter a placeholder URL (e.g., https://yourcompany.com/oauth/callback)
- Selected OAuth Scopes: Add the following:
- “Manage user data via APIs (api)”
- “Perform requests at any time (refresh_token, offline_access)”
- Check Enable for Client Credentials Flow. You will be shown a warning
- Save the External Client App
Add OAuth Flow to the External Client App
- Edit the External Client App we just created
- Under the Policies tab, in the OAuth Flows and External Client App Enhancements section:
- Check Enable Client Credentials Flow
- Enter the Username of the integration user we created in Step 1 for the “Run As (Username)” prompt
- Save the External Client App
- After saving, you’ll need to wait for the External Client App to be approved (this can take up to 10 minutes)
Retrieve Client Credentials
- Once approved, navigate back to your External Client App
- Navigate to the Settings tab
- Open the OAuth Settings section
- Click Consumer Key and Secret
- Another page will open, and Salesforce will prompt you for a security pin that will be emailed to you.
- Copy and securely store the Consumer Key (Client ID) and Consumer Secret (Client Secret)
Step 3: Authenticate and Access the API
To authenticate using the OAuth 2.0 Client Credentials flow:
Request an Access Token
- Make a POST request to https://<salesforce_org_url>/services/oauth2/token. The “salesforce_org_url” is the host name of your login URL.
- Include the following form parameters:
grant_type=client_credentials
client_id=YOUR_CONSUMER_KEY
client_secret=YOUR_CONSUMER_SECRET
Example using cURL:
curl -X POST https://<salesforce_org_url>/services/oauth2/token \
  -d "grant_type=client_credentials" \
  -d "client_id=$CLIENT_ID" \
  -d "client_secret=$CLIENT_SECRET"
Use the Access Token
- The response will include an access_token and an instance_url
- Include the access token in the Authorization header for all API requests:
Authorization: Bearer YOUR_ACCESS_TOKEN
Endpoint Permissions Reference
Here’s a detailed breakdown of the permissions required for each endpoint:
1. Bulk Query API
Endpoint: /services/data/v[API_VERSION]/query
Required Permissions:
- API Enabled system permission
- Read permission on any objects being queried
- Documentation Link
Best Practices for Integration
Secure Credential Storage
- Store Client ID and Secret in secure credential storage, not in code
- Use environment variables or a secrets manager
Implement Token Management
- Cache the access token until it expires
- Implement automatic token refresh when needed
Error Handling
- Implement proper error handling for API failures
- Add retry logic with exponential backoff for transient errors
Monitor API Usage
- Track your API call volume to avoid hitting Salesforce limits
- Set up alerts for approaching limits
Implement Logging
- Log all API interactions for troubleshooting
- Include correlation IDs for tracking requests across systems
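The following client ties together Step 3 (requesting a token with grant_type=client_credentials and sending it as a Bearer header) and the best practices above (caching the token, refreshing it when Salesforce returns 401, exponential backoff on transient errors, correlation IDs in the logs, paging through query results). It is an added example written for this guide, not code from Salesforce or from the original page. Assumptions are marked in the comments: the HTTP layer is an injectable `transport` callable so the client can be exercised offline; `token_ttl` is a local refresh interval rather than a value returned by the token endpoint; `API_VERSION` and the `X-Correlation-Id` header are our own choices, not Salesforce requirements. Credentials are read by the caller (for example from environment variables or a secrets manager) and are never logged.

```python
"""Salesforce REST client using the OAuth 2.0 client-credentials flow (added example)."""
import json
import logging
import time
import urllib.error
import urllib.parse
import urllib.request
import uuid
from typing import Callable, Dict, Iterator, Optional, Tuple

log = logging.getLogger("salesforce")
API_VERSION = "v60.0"                     # assumption: use the version your org supports
TRANSIENT = {429, 500, 502, 503, 504}     # statuses worth retrying with backoff

# Transport signature: (method, url, headers, body) -> (status, response_bytes).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Standard-library HTTP transport; HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


class SalesforceClient:
    def __init__(self, org_url: str, client_id: str, client_secret: str,
                 transport: Transport = urllib_transport, token_ttl: int = 600,
                 clock=time.time, sleep=time.sleep, max_retries: int = 3):
        self.org_url = org_url.rstrip("/")
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.token_ttl = transport, token_ttl
        self.clock, self.sleep, self.max_retries = clock, sleep, max_retries
        self.token_requests = 0            # counter useful for monitoring and tests
        self._token: Optional[str] = None
        self._instance_url = ""
        self._expires_at = 0.0

    def _fetch_token(self) -> None:
        """POST /services/oauth2/token with grant_type=client_credentials."""
        form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                       "client_id": self.client_id,
                                       "client_secret": self.client_secret}).encode()
        status, raw = self.transport("POST", f"{self.org_url}/services/oauth2/token",
                                     {"Content-Type": "application/x-www-form-urlencoded"}, form)
        self.token_requests += 1
        if status != 200:                  # report the status only; never log the secret
            raise RuntimeError(f"token request failed: HTTP {status}")
        data = json.loads(raw)
        self._token = data["access_token"]
        self._instance_url = data["instance_url"].rstrip("/")
        self._expires_at = self.clock() + self.token_ttl   # assumption: local TTL, not from response

    def access_token(self) -> str:
        """Return the cached token, refreshing it shortly before the local TTL lapses."""
        if self._token is None or self.clock() >= self._expires_at - 30:
            self._fetch_token()
        return self._token

    def _get(self, path: str) -> dict:
        """Authenticated GET: one token refresh on 401, exponential backoff on transient errors."""
        corr = str(uuid.uuid4())           # correlation ID carried through our logs
        refreshed = False
        for attempt in range(self.max_retries + 1):
            headers = {"Authorization": f"Bearer {self.access_token()}",
                       "X-Correlation-Id": corr}   # assumption: custom header for our own tracing
            status, raw = self.transport("GET", self._instance_url + path, headers, None)
            log.info("GET %s status=%s attempt=%d corr=%s", path, status, attempt, corr)
            if status == 200:
                return json.loads(raw)
            if status == 401 and not refreshed:    # expired or revoked session: refresh once
                self._token, refreshed = None, True
                continue
            if status in TRANSIENT and attempt < self.max_retries:
                self.sleep(2 ** attempt)           # 1s, 2s, 4s exponential backoff
                continue
            raise RuntimeError(f"GET {path} failed: HTTP {status} corr={corr}")
        raise RuntimeError(f"GET {path}: retries exhausted corr={corr}")

    def query(self, soql: str) -> Iterator[dict]:
        """Run a SOQL query and follow nextRecordsUrl until the response reports done."""
        path = f"/services/data/{API_VERSION}/query?q={urllib.parse.quote(soql)}"
        while path:
            page = self._get(path)
            yield from page["records"]
            path = None if page.get("done", True) else page["nextRecordsUrl"]
```

In production, construct the client with `SalesforceClient(os.environ["SF_ORG_URL"], os.environ["SF_CLIENT_ID"], os.environ["SF_CLIENT_SECRET"])` and iterate `client.query("SELECT Id FROM Account")`; the default transport performs real HTTPS calls. Because the token endpoint is only called when the cache is empty, stale, or rejected with 401, a long-running job issues one token request per TTL window rather than one per API call.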
Item Checklist for Integration
- Integration user credentials (username and password)
- External Client App Consumer Key (Client ID)
- External Client App Consumer Secret (Client Secret)
- Salesforce instance URL
- Permission set configured with appropriate object permissions