Overview
A Salesforce Connected App enables external applications to integrate with Salesforce using secure authentication and authorization protocols (primarily OAuth). Connected Apps provide a way to manage access to Salesforce data by configuring OAuth scopes, callback URLs, and security settings—allowing administrators to control which external apps can connect and what data they can access.
Why Connected Apps Matter
Connected Apps are essential for secure integrations, API access, single sign-on (SSO), and mobile or server-to-server communication. They centralize authorization, provide auditability, and enable administrators to enforce policies such as IP restrictions, session timeouts, and permitted OAuth scopes.
Key Components
Important elements of a Connected App:
- Consumer Key (Client ID) — Public identifier used in OAuth flows.
- Consumer Secret (Client Secret) — Private secret used to authenticate the client (keep it secure).
- Callback URL / Redirect URI — The endpoint where Salesforce will send the OAuth authorization code or token.
- OAuth Scopes — Permissions requested by the app (e.g., api, refresh_token, full, web).
- Policies & Security — IP restrictions, refresh token policies, certificate requirements, and permitted users.
Common OAuth Flows Used with Connected Apps
Which flow to choose depends on the integration type:
- Authorization Code Grant — Used by web apps that can securely handle a client secret. It obtains an authorization code and exchanges it for an access token.
- Implicit Grant — For single-page apps where storing a secret is not possible (less secure).
- JWT Bearer Token Flow — Server-to-server flow using a certificate. Ideal for backend integrations without interactive login.
- Username-Password OAuth Flow — Direct credential flow (not recommended due to security risks).
- Refresh Token — Allows obtaining new access tokens without user interaction when refresh_token scope is granted.
Example: Authorization Code Flow (simplified)
https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=YOUR_CONSUMER_KEY&redirect_uri=YOUR_CALLBACK_URL&scope=api%20refresh_token
POST https://login.salesforce.com/services/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=AUTH_CODE&client_id=YOUR_CONSUMER_KEY&client_secret=YOUR_CONSUMER_SECRET&redirect_uri=YOUR_CALLBACK_URL
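The two requests above, worked through as an added example (this is not code from the original page or from Salesforce): it builds the authorize redirect with properly encoded scopes, validates the callback before trusting it, and assembles the server-side token exchange body. The consumer key, callback URL and the callback shown in `main` are constructed placeholders; the `state` parameter is added here as the standard binding between the authorize request and the browser session that issued it, and is checked in constant time when the callback comes back.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Placeholder values standing in for a real Connected App's settings.
const (
	loginHost   = "https://login.salesforce.com"
	consumerKey = "YOUR_CONSUMER_KEY"                       // placeholder
	callbackURL = "https://example.invalid/oauth/callback" // placeholder
)

// newState returns a random, URL-safe value that binds the authorize request
// to the user's browser session; it is checked again when the callback arrives.
func newState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// BuildAuthorizeURL assembles the redirect to the authorize endpoint. The
// scope list is space-separated and, like every other parameter, URL-encoded.
func BuildAuthorizeURL(state string, scopes []string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", consumerKey)
	q.Set("redirect_uri", callbackURL)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	return loginHost + "/services/oauth2/authorize?" + q.Encode()
}

// ParseCallback validates the redirect Salesforce sends to the callback URL:
// the state must match the one issued for this session (constant-time compare),
// an error response must not be mistaken for success, and a code must be present.
func ParseCallback(rawRedirect, expectedState string) (string, error) {
	u, err := url.Parse(rawRedirect)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", fmt.Errorf("state mismatch: callback not bound to this session")
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s (%s)", e, q.Get("error_description"))
	}
	code := q.Get("code")
	if code == "" {
		return "", fmt.Errorf("callback carries neither code nor error")
	}
	return code, nil
}

// TokenRequestBody is the form body POSTed to /services/oauth2/token. It is
// built server-side so the consumer secret never appears in a browser URL.
func TokenRequestBody(code, consumerSecret string) string {
	f := url.Values{}
	f.Set("grant_type", "authorization_code")
	f.Set("code", code)
	f.Set("client_id", consumerKey)
	f.Set("client_secret", consumerSecret)
	f.Set("redirect_uri", callbackURL)
	return f.Encode()
}

func main() {
	state, err := newState()
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect user to:", BuildAuthorizeURL(state, []string{"api", "refresh_token"}))

	// Constructed callback, shaped like the redirect Salesforce sends on success.
	redirect := callbackURL + "?code=CONSTRUCTED_AUTH_CODE&state=" + url.QueryEscape(state)
	code, err := ParseCallback(redirect, state)
	if err != nil {
		panic(err)
	}
	fmt.Println("token request body:", TokenRequestBody(code, "YOUR_CONSUMER_SECRET"))
}
```

Only the token exchange needs the consumer secret, which is why it is performed by the server rather than the browser; the `redirect_uri` in the exchange must be byte-for-byte the one used in the authorize request, which is the usual cause of the `invalid_grant` errors mentioned later on this page.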
Example: JWT Bearer Token Flow (high-level)
Use a signed JWT assertion (signed with a private key corresponding to a certificate registered on the Connected App) to request an access token without interactive login:
POST https://login.salesforce.com/services/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=BASE64URL_ENCODED_JWT
Use Cases
- Mobile or web applications that need API access to Salesforce data.
- Middleware platforms (Mulesoft, Heroku, custom middleware) accessing Salesforce via APIs.
- Service accounts and scheduled jobs using JWT or Refresh Token flows.
- Single Sign-On (SSO) setups where Salesforce acts as identity provider or service provider.
Security Best Practices
- Use the most secure OAuth flow available for your scenario (prefer JWT for server-to-server integrations).
- Keep Consumer Secret and certificates secure. Rotate secrets as part of your security policy.
- Restrict OAuth scopes to the minimum required (principle of least privilege).
- Apply IP restrictions and session timeout policies where appropriate.
- Monitor connected app usage and revoke access for suspicious clients or users.
Troubleshooting Tips
- If you see INVALID_CLIENT or invalid_grant errors, verify consumer key/secret, callback URL, and that the app is authorized for the user.
- For JWT flow errors, ensure the certificate uploaded in the Connected App matches the private key used to sign the JWT and that the JWT scope and audience are correct.
- Check user permission sets and profile assignments if users cannot authorize the Connected App.
Conclusion
Connected Apps are Salesforce’s secure mechanism for integrating external applications. They centralize authentication and authorization, support multiple OAuth flows, and provide administrators with the controls needed to manage, monitor, and secure integrations. Understanding Connected Apps is essential for building robust and secure Salesforce integrations.