How to create OAuth2 credentials for Salesforce

In this guide, I’ll share the process for customizing the auth config for Salesforce using External Client Apps. So, let’s begin.

Setting up Salesforce

In this section, we’ll go through the process of setting up Salesforce and creating an External Client App for OAuth 2.0 Web Server flow (authorization code grant).

NOTE: If you already have a Salesforce account, you can skip the first step.

Step 1: Create a Salesforce Developer Account (Optional)

If you don’t already have one, create a Salesforce Developer account.

This gives you a sandbox environment (Dev Org) where you can safely configure your apps. If you’re following along in your own Salesforce account you can also launch that instead.

Option A: External Client Apps (default for new orgs)

Step 2A: Create an External Client App

Once your org is ready, you can create an External Client App to generate the OAuth Client ID and Client Secret.

  1. Log in to your Salesforce org.

  2. Click the gear icon → Setup.

  3. In the Quick Find box, search for App Manager and click it.

  4. Click New External Client App in the top-right corner.

Fill in the basic info:

  • App Name: Customer Order Status (or any name for your integration)

  • API Name: auto-fills from the name (Customer_Order_Status)

  • Contact Email: your email

  • Distribution State: keep as Local

  • (Optional) Add a logo and description

Step 3A: Enable OAuth Settings

Now expand OAuth Settings and configure the app for OAuth:

  1. Check Enable OAuth.

  2. Add a Callback URL. For Composio, use:

    <https://backend.composio.dev/api/v3/toolkits/auth/callback>

  3. Select OAuth Scopes. Common ones include:

    • Full access (full)

    • Access and manage your data (api)

    • Perform requests on your behalf at any time (refresh_token, offline_access)

    • (Optional) OpenID for ID tokens

  4. In the Security section:

    • Keep Require Secret for Web Server Flow checked.

    • Keep Require Secret for Refresh Token Flow checked.

    • Uncheck Require PKCE (unless you want PKCE).

  5. Save the app.

You’ll now have a Client ID (Consumer Key) and Client Secret (Consumer Secret). To find them, open the Settings tab → OAuth Settings, then go to the Consumer Key and Secret page.
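What the Web Server flow configured above looks like on the wire, as an added example (not code from Composio or Salesforce): it builds the authorization request with a `state` value and optional PKCE, validates the redirect to the callback URL, and assembles the token-exchange fields. The `login.salesforce.com` host, the client ID passed in, and all function names are assumptions for illustration.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Callback URL from this guide, as registered on the External Client App.
REDIRECT_URI = "https://backend.composio.dev/api/v3/toolkits/auth/callback"
# Assumption: the standard Salesforce production login host.
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"

def pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def build_authorize_request(client_id, scopes, use_pkce=False):
    """Return (url, state, code_verifier or None) for the authorization request."""
    state = secrets.token_urlsafe(32)  # unguessable; store it in the user's session
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes), "state": state}
    verifier = None
    if use_pkce:  # only needed when Require PKCE is left checked
        verifier, params["code_challenge"] = pkce_pair()
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_URL + "?" + urlencode(params), state, verifier

def code_from_callback(callback_url, expected_state):
    """Validate the redirect and return the authorization code."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback does not match the registered redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def token_request_body(code, client_id, client_secret, verifier=None):
    """Form fields POSTed to /services/oauth2/token to redeem the code."""
    body = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": REDIRECT_URI}
    if verifier:
        body["code_verifier"] = verifier
    return body
```

The `client_secret` field is what the Require Secret for Web Server Flow setting enforces; the `code_verifier` field is sent only when PKCE is in use.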

Option B: Connected Apps

You can also create the traditional Connected Apps with Salesforce. To enable it:

  • Search External in Quick Find → Open External Client App Settings

  • Enable Allow creation of Connected Apps → New Connected App

Then,

  1. Fill in:

    • Connected App Name (API Name auto-fills)

    • Contact Email

    • Optional: logo, description, phone and icon

  2. Expand API (Enable OAuth Settings) → check Enable OAuth

    • Callback URL:

    <https://backend.composio.dev/api/v3/toolkits/auth/callback>

    • OAuth Scopes (recommended/required):

      • Access the identity URL service (id, profile, email, address, phone)

      • Access unique user identifiers (openid)

      • Access and manage data (api, web)

      • Access Connect REST API resources (chatter_api)

      • Full access (full)

      • Perform requests on your behalf (refresh_token, offline_access)

    • Under OAuth Policies

      • Enable Web Server Flow

      • Enable Refresh Token Flow

Save the Connected App. Salesforce may take ~10 minutes to fully provision it.

Once done:

  • Go back to App Manager.

  • Find your app → click the dropdown → View.

  • Click Manage Consumer Details (you may need to verify identity).

  • Copy the Consumer Key (Client ID) and Consumer Secret.

Creating the Auth Config in Composio

With your OAuth credentials ready, navigate to the Composio Dashboard to configure Salesforce authentication.

  1. Click Create Auth Config.

  2. Choose Salesforce from the toolkit list.

  3. Make sure OAuth2 is selected.

  4. Check Use your own developer authentication.

Step 4: Fill in Auth Config

Now go to Manage Auth Config and paste in your credentials.

  • Client ID → from the Salesforce External Client App (via either method)

  • Client Secret → from the Salesforce External Client App (via either method)

  • Redirect URI → edit the Authorized Redirect URI so that it points to Composio’s callback URL:

    <https://backend.composio.dev/api/v3/toolkits/auth/callback>

  • You can also customize the scopes if you want to. Default scopes are pre-filled; for most apps you will not need to change them.

Click Create Auth Config. Finally, to connect to your Salesforce account, you need to provide the Salesforce instance URL and the subdomain of your Salesforce account.

  • For the subdomain, use the same Setup bar and search for My Domain. Once you have it, enter it in the subdomain field in the auth config (make sure to remove the .salesforce.com part).

  • For the instance URL, you can use one of these Authorisation Endpoints (where users log in & grant access)

Now, you can copy the generated Auth Config ID (ac_...) for use in your app code.
