Client App registration is a Connected App configuration plus an integration user setup. The mechanics are short; the discipline that makes it safe spans annual audits and routine secret rotation.
- Decide the integration model
Web app, mobile app, backend service, or CLI tool. The model drives the OAuth flow and the scopes needed.
- Create the Connected App
In Setup, open App Manager and choose New Connected App. Configure the OAuth scopes, callback URL, and IP restrictions. Save, then capture the Client ID and Client Secret into your integration's secret store; they should never be committed to source or pasted into tickets.
- Configure the integration user
Use a dedicated integration user with a tightly scoped permission set rather than reusing an admin user. Assign only the permissions the integration needs.
- Implement the OAuth flow
Implement the chosen flow (Authorization Code, JWT Bearer, etc.) in the Client App. Use refresh tokens for long-lived sessions; secure them like passwords.
- Audit and rotate secrets annually
Annual review: confirm scopes match needs, verify IP restrictions, rotate Client Secrets. Document the rotation procedure so the team can execute it reliably.
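The flow step above names the Authorization Code flow without showing the request shape. The following is an added example, not part of the original page: it builds the Salesforce authorize request with PKCE (S256), validates the `state` on the redirect back, and assembles the token-exchange body. The `/services/oauth2/authorize` and `/services/oauth2/token` paths and the standard OAuth parameters are real; `CLIENT_ID`, `REDIRECT_URI`, and the scope list are placeholders for what your own Connected App registration produced.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for this example; real ones come from your Connected App record.
LOGIN_URL = "https://login.salesforce.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"  # the Client ID captured at registration
REDIRECT_URI = "https://app.example.invalid/oauth/callback"  # must match the registered callback URL exactly
SCOPES = ["api", "refresh_token"]  # request only what the integration actually uses


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def pkce_challenge(code_verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_request(scopes=SCOPES):
    """Return (url, state, code_verifier).

    Persist state and code_verifier server-side, keyed to the user's session,
    so the callback can be checked against them.
    """
    state = secrets.token_urlsafe(32)
    code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    url = f"{LOGIN_URL}/services/oauth2/authorize?{urlencode(params)}"
    return url, state, code_verifier


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect from Salesforce and return the authorization code.

    A state mismatch is treated as a hard failure: it is the signal for a
    forged or replayed callback, so the code is discarded rather than exchanged.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise RuntimeError("state mismatch: callback rejected")
    code = query.get("code", [None])[0]
    if not code:
        raise RuntimeError("callback carried no authorization code")
    return code


def build_token_request(code: str, code_verifier: str, client_secret: str) -> dict:
    """Form body for POST {LOGIN_URL}/services/oauth2/token.

    client_secret is read from the secret store at call time; the code_verifier
    proves this client started the flow whose code is being exchanged.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }
```

The refresh token returned by the token endpoint is what "secure them like passwords" refers to: store it encrypted at rest alongside the Client Secret, never in logs or browser storage.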
- Connected App: The Salesforce registration record for the Client App.
- Client ID and Client Secret: The OAuth credentials the Client App uses.
- OAuth scopes: The capabilities the Client App can exercise.
- Integration user: The Salesforce user identity the Client App authenticates as.
- Connected App Policies: IP restrictions, session timeouts, and refresh token policies.
- Over-scoped Connected Apps grant more access than needed. Request only the scopes the integration uses; over-scoping is a security finding.
- Unrotated Client Secrets accumulate exposure. Annual rotation is the minimum cadence for production.
- Sharing integration users between unrelated integrations confuses audit and risks privilege creep. One integration user per Client App is the safer pattern.
- Default Connected App Policies are permissive. Production deployments need explicit IP restrictions and session timeouts.
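The annual review step and the four pitfalls above are all checkable from a Connected App inventory. Here is an added example, not part of the original page, that runs those checks over constructed records: unused scopes, Client Secret age past the 365-day cadence, IP restrictions not enforced, no explicit session timeout, and one integration user shared across Connected Apps. The record shape and field names are this example's own, not a Salesforce API; populate them from Setup or your inventory however you export it.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

ROTATION_MAX_DAYS = 365  # annual rotation is the minimum production cadence


@dataclass(frozen=True)
class ConnectedAppRecord:
    """Constructed inventory record; these field names are the example's, not Salesforce's."""
    name: str
    granted_scopes: frozenset           # scopes configured on the Connected App
    required_scopes: frozenset          # scopes the integration actually exercises
    secret_rotated_on: date             # date of the last Client Secret rotation
    ip_restrictions_enforced: bool      # Connected App policy set to enforce IP restrictions
    session_timeout_minutes: Optional[int]  # None means the policy was left at default
    integration_user: str               # the dedicated user the Client App authenticates as


def audit_app(app: ConnectedAppRecord, today: date) -> List[str]:
    """Per-app findings for the annual review."""
    findings = []
    extra = app.granted_scopes - app.required_scopes
    if extra:
        findings.append(f"{app.name}: over-scoped, unused scopes {sorted(extra)}")
    missing = app.required_scopes - app.granted_scopes
    if missing:
        findings.append(f"{app.name}: required scopes not granted {sorted(missing)}")
    age_days = (today - app.secret_rotated_on).days
    if age_days > ROTATION_MAX_DAYS:
        findings.append(
            f"{app.name}: Client Secret is {age_days} days old, past the {ROTATION_MAX_DAYS}-day cadence"
        )
    if not app.ip_restrictions_enforced:
        findings.append(f"{app.name}: IP restrictions not enforced")
    if app.session_timeout_minutes is None:
        findings.append(f"{app.name}: no explicit session timeout")
    return findings


def audit_portfolio(apps: List[ConnectedAppRecord], today: date) -> List[str]:
    """Portfolio-wide findings, adding the shared-integration-user check."""
    findings = []
    user_counts = Counter(app.integration_user for app in apps)
    for app in apps:
        findings.extend(audit_app(app, today))
        if user_counts[app.integration_user] > 1:
            findings.append(
                f"{app.name}: integration user {app.integration_user} is shared with another Connected App"
            )
    return findings


# Constructed sample inventory: one compliant app, one with every pitfall, one sharing a user.
AUDIT_DATE = date(2025, 6, 1)
SAMPLE_APPS = [
    ConnectedAppRecord("billing-sync", frozenset({"api", "refresh_token"}), frozenset({"api", "refresh_token"}),
                       date(2025, 1, 15), True, 120, "svc-billing"),
    ConnectedAppRecord("legacy-export", frozenset({"api", "full", "refresh_token"}), frozenset({"api", "refresh_token"}),
                       date(2023, 12, 1), False, None, "svc-shared"),
    ConnectedAppRecord("hr-feed", frozenset({"api"}), frozenset({"api"}),
                       date(2025, 3, 1), True, 60, "svc-shared"),
]

if __name__ == "__main__":
    for line in audit_portfolio(SAMPLE_APPS, AUDIT_DATE):
        print(line)
```

Running the audit on a schedule, and failing the review when the list is non-empty, turns the pitfalls into tracked findings rather than tribal knowledge.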