Stand up a new client app the modern way by creating an External Client App. This replaces the legacy Connected App flow, which Salesforce is disabling for new apps in Spring '26. The steps below register a local ECA for an API integration.
- Open App Manager
In Setup, enter App Manager in the Quick Find box and open it. Click New External Client App in the top right. If you only see New Connected App, your org may need External Client Apps enabled first under External Client App Settings.
- Fill in the basic details
Give the app a name, an API name, and a contact email. Set the distribution state to Local for a single-org integration. Save to create the record before configuring OAuth.
- Enable and configure OAuth
On the app, edit the OAuth settings, select Enable OAuth, and enter a secure HTTPS callback URL. Choose the OAuth flow you need, such as the web server flow with PKCE for a user-facing app or client credentials for server-to-server.
- Select scopes and policies
Add only the OAuth scopes the integration actually uses, such as api and refresh_token. Set the refresh token policy, IP relaxation, and session timeout to match your security requirements rather than leaving defaults.
- Capture the consumer key and test
After saving, retrieve the consumer key and secret from the app. Use them in your client to request a token against the org login endpoint, and confirm the returned access token can call the API.
The fields you set when creating the app:
- Name: The human-readable label for the app, shown in App Manager and on the user's OAuth approval screen.
- API name: The unique developer name used in metadata and packaging; it cannot be changed casually after creation.
- Contact email: The address Salesforce uses to reach the app owner about the integration.
- Callback URL: The secure HTTPS endpoint where Salesforce redirects after authorization; required once OAuth is enabled.
- OAuth scopes: The permissions the app may request at authentication time, such as api or refresh_token.
- External Client Apps do not support the OAuth username-password flow. If your integration relied on it, move to the web server flow with PKCE or client credentials before building the app.
- Use an HTTPS callback URL. Salesforce rejects insecure http endpoints because the authorization exchange carries sensitive tokens.
- Request the narrowest set of scopes that works. An over-scoped app is flagged in Security Reviews and widens the impact of a leaked token.
- Pair the app with a dedicated integration user, not an admin. Scopes cap what the app can request, but the running user decides what it can actually touch.
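As an added example (not the page's own code and not Salesforce's), the following Python assembles the OAuth request pieces for steps 3 to 5 and enforces the caveats above: it rejects a non-HTTPS callback, checks the requested scopes against a minimal allow-list, derives a PKCE verifier/challenge pair (RFC 7636, S256) for the web server flow, and builds the token-request bodies for both the web server flow and the client credentials flow. It assumes the standard Salesforce OAuth 2.0 endpoints under /services/oauth2/ on the login host; the consumer key, secret and callback URL are constructed placeholders, and the allow-list of scopes is an assumption you would set to what your integration actually uses.

```python
"""Assemble the OAuth requests for a local External Client App.

Added example, not Salesforce's code. Assumes the standard Salesforce
OAuth 2.0 endpoints under /services/oauth2/ on the login host; the
consumer key, secret and callback URL below are constructed placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

LOGIN_HOST = "https://login.salesforce.com"   # sandboxes use test.salesforce.com
AUTHORIZE_URL = f"{LOGIN_HOST}/services/oauth2/authorize"
TOKEN_URL = f"{LOGIN_HOST}/services/oauth2/token"

# Constructed placeholders standing in for the values captured in step 5.
CONSUMER_KEY = "PLACEHOLDER_CONSUMER_KEY"
CONSUMER_SECRET = "PLACEHOLDER_CONSUMER_SECRET"
CALLBACK_URL = "https://integration.example.com/oauth/callback"

# Scopes the integration is allowed to ask for (assumption: keep this minimal).
ALLOWED_SCOPES = {"api", "refresh_token"}


def validate_callback_url(url):
    """Reject anything that is not an absolute https:// URL, as the ECA does."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"callback URL must be absolute https://, got {url!r}")
    return url


def overscoped(requested):
    """Return the requested scopes that fall outside the allow-list."""
    return set(requested) - ALLOWED_SCOPES


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)   # 86 unreserved chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorization_url(client_id, callback_url, scopes, code_challenge, state):
    """Build the web server flow authorization redirect (step 3 with PKCE)."""
    bad = overscoped(scopes)
    if bad:
        raise ValueError(f"scopes outside the allow-list: {sorted(bad)}")
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": validate_callback_url(callback_url),
        "scope": " ".join(scopes),
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,   # tie to the user's session so a forged callback is detected
    }
    return f"{AUTHORIZE_URL}?{urlencode(query)}"


def web_server_token_request(client_id, client_secret, code, callback_url, verifier):
    """Form body that exchanges the authorization code for tokens at TOKEN_URL."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": callback_url,
        "code_verifier": verifier,   # proves the same client that started the flow finishes it
    }


def client_credentials_token_request(client_id, client_secret):
    """Form body for the server-to-server flow: no user, so no callback and no PKCE."""
    # There is deliberately no username-password builder here; ECAs do not support it.
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(authorization_url(CONSUMER_KEY, CALLBACK_URL, ["api", "refresh_token"], challenge, state))
    # After approval, Salesforce redirects to CALLBACK_URL?code=...&state=...;
    # POST web_server_token_request(...) to TOKEN_URL, then confirm the returned
    # access_token by sending it as a Bearer header to the org's REST API (step 5).
```

Running the script prints an authorization URL for the web server flow; in a real integration you POST the `web_server_token_request` body to `TOKEN_URL` once the redirect returns a code, or POST the `client_credentials_token_request` body directly for server-to-server use, and then confirm the access token with a Bearer-authenticated call to the org's REST API. Keeping the scope allow-list in code makes over-scoping a failure at build time rather than a finding in Security Review.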