External Client App setup happens in two Setup pages: External Client App Manager (the app identity) and OAuth Settings configuration (the runtime policy). Most production integrations need both.
- Open External Client App Manager
Setup, Quick Find, External Client App Manager. The list shows existing External Client Apps. Click New External Client App to start. Connected Apps are a separate area; do not confuse the two.
- Define the App
Enter Name, API Name (lower-case-with-underscores), Contact Email, and a logo URL. Enable OAuth Settings. Configure the callback URL (the post-auth redirect destination), the OAuth scopes (Full Access, API, Refresh Token, custom), and the consumer key visibility.
- Configure OAuth Settings
Click into the OAuth Settings section. Set refresh token behavior, IP relaxation, session policy, and high-assurance requirement. These map to ExternalClientAppOauthSettings; they can be reconfigured later without re-issuing the consumer key.
- Grant access via profile or permission set
Edit the External Client App, navigate to Profiles or Permission Sets, assign the app to the right user audience. Without this, users cannot complete OAuth flows even if the app is otherwise correctly configured.
- Capture the credentials
The OAuth Consumer Key and Consumer Secret are visible on the App detail page. Copy both into your secrets manager or external integration config; the secret is masked after the initial reveal and cannot be retrieved later, only regenerated.
- OAuth flows
Authorization Code (with PKCE), Client Credentials, JWT Bearer, Refresh Token, Device Authorization, Username-Password (legacy). Pick per integration type.
- Refresh token behavior
Refresh until revoked (long-lived sessions), expires after N days, immediately expire (no refresh). Pick based on how often the user should reauthenticate.
- IP relaxation
Enforce IP restrictions, relax for OAuth callouts, or relax for both. Relaxing bypasses the org-wide IP restrictions for this app, which is useful for cloud-hosted integrations on dynamic IPs.
- High-assurance requirement
Require MFA at token issuance, require MFA only for refresh, or no requirement. Pick to match the sensitivity of the data the app accesses.
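The Authorization Code with PKCE flow listed above, as an added example (not part of this guide or any Salesforce library), using only the Python standard library. The login host, consumer key and callback URL are placeholder assumptions; the functions build the authorize URL, validate the callback and assemble the token request body without making any network call.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values: substitute the real consumer key and the
# callback URL registered on the External Client App (must match exactly).
LOGIN_HOST = "https://login.salesforce.com"
CONSUMER_KEY = "PLACEHOLDER_CONSUMER_KEY"
CALLBACK_URL = "https://example.invalid/oauth/callback"

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def challenge_for(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, challenge_for(verifier)

def build_authorize_url(challenge: str, state: str, scopes=("api", "refresh_token")) -> str:
    """Step 1: send the user here; the scopes must be enabled on the app."""
    params = {
        "response_type": "code",
        "client_id": CONSUMER_KEY,
        "redirect_uri": CALLBACK_URL,
        "scope": " ".join(scopes),
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"

def parse_callback(redirect: str, expected_state: str) -> str:
    """Step 2: take the code off the callback, refusing a state mismatch (CSRF guard)."""
    qs = parse_qs(urlparse(redirect).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    return qs["code"][0]

def build_token_request(code: str, verifier: str) -> dict:
    """Step 3: body for POST {LOGIN_HOST}/services/oauth2/token; PKCE carries the
    verifier instead of a client_secret (add one only if the app requires it)."""
    return {"grant_type": "authorization_code", "code": code, "client_id": CONSUMER_KEY,
            "redirect_uri": CALLBACK_URL, "code_verifier": verifier}
```

Keep the verifier and state server-side per login attempt and never log them; the state check is what stops a forged callback from binding someone else's authorization code to a session.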
- The Consumer Secret is revealed once at creation and never again. Capture it immediately or regenerate when needed.
- External Client Apps and Connected Apps are separate Setup areas. The legacy Connected App Manager is still in Setup for older integrations.
- Profile or permission set assignment is required for users to complete OAuth flows. Without it, users hit a generic auth failure with no clear cause.
- IP relaxation on the app overrides org-wide IP restrictions. Use only for integrations that genuinely run on dynamic IPs.
- Username-Password OAuth flow is supported but deprecation-flagged. New integrations should use Client Credentials or JWT Bearer instead.