The setup flow is the same for every new integration: license, user, permission set, Connected App, OAuth tokens.
- Confirm available Integration Licenses
Setup, Company Information. Check the license allocation; each org gets a small free allocation, and more can be purchased.
- Create the User record
Setup, Users, New User. Assign the Integration License profile, set a strong password or disable interactive login, and pick a generic email like integration-hubspot@yourcompany.com.
- Build a least-privilege Permission Set
Create a Permission Set with exactly the objects, fields, and Apex classes the integration needs. Assign it to the integration user.
- Create a Connected App
Setup, App Manager, New Connected App. Enable OAuth, choose JWT Bearer Flow, and upload the certificate whose private key the external system will sign with. Authorize the Connected App for the integration user.
- Test the OAuth flow
From the external system, request an access token using the JWT flow. Verify the token comes back and the API call succeeds.
- Document the integration
Record the integration user, Connected App name, JWT certificate location, and intended object access in a runbook. Future admins will thank you.
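The assertion the external system builds in the "Test the OAuth flow" step, as an added example that is not part of the original guide or Salesforce's own code. The consumer key, the username, and the RSA key are constructed placeholders, and the pure-Python signer is an assumption standing in for a vetted crypto library so the block runs offline.

```python
import base64, hashlib, json, time

# CONSTRUCTED, INSECURE demo key (two Mersenne primes) so this runs offline.
# A real integration signs with the private key behind the uploaded certificate.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def pkcs1_encode(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message, n=N, d=D):
    """RS256 signature; stand-in for a vetted library or HSM call."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1_encode(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def rs256_verify(message, sig, n=N, e=E):
    """What the server does with the public key from the uploaded certificate."""
    k = (n.bit_length() + 7) // 8
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return recovered == pkcs1_encode(message, k)

def build_assertion(consumer_key, username, audience, now=None, sign=rs256_sign):
    """JWT for the bearer flow: iss = Connected App consumer key,
    sub = integration user's username, aud = login host, short exp."""
    now = int(time.time()) if now is None else now
    claims = {"iss": consumer_key, "sub": username, "aud": audience,
              "exp": now + 180}  # short lifetime limits replay of a captured JWT
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "RS256"}, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(sign(signing_input.encode()))

def token_request(assertion, login_url="https://login.salesforce.com"):
    """URL and form body for the token POST (built here, not sent)."""
    return login_url + "/services/oauth2/token", {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion}

if __name__ == "__main__":
    jwt = build_assertion("CONSUMER_KEY_PLACEHOLDER",  # placeholder values
                          "integration-hubspot@yourcompany.com",
                          "https://login.salesforce.com")
    print(token_request(jwt))
```

For a sandbox org, both the `aud` claim and the login URL are `https://test.salesforce.com`.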
The user license type that grants API-only access.
Least-privilege object and field permissions.
The OAuth trust object the external system authenticates against.
Required for the JWT Bearer Flow.
Integration users should not log in interactively.
- Integration License has a restricted object list. Confirm every object the integration needs is supported before assigning the license.
- Each org gets a small free Integration License allocation. Hitting the cap requires purchasing additional licenses through the Salesforce account team.
- JWT Bearer Flow requires the external system to maintain a certificate. Lost certificates require revoking and re-issuing, which interrupts the integration.
- Integration users without strong governance can drift into excess permissions over time. Audit Permission Set assignments quarterly.