Set up a dedicated Integration User on the Salesforce Integration license, grant least-privilege access through a permission set, and let an external system authenticate as it through a connected app. Do this in Setup as an admin.
- Create the API-only user
In Setup, go to Users and create a new user. Assign the Salesforce Integration user license and the Minimum Access - API Only Integrations profile. Give it a clear name such as Billing Integration so it stands out in logs. This account cannot sign in to any UI.
- Grant access with a permission set
Build a permission set named for the integration. Add only the objects, fields, and Apex classes that integration needs. Assign the Salesforce API Integration permission set license to the user first, then assign your permission set. Keep the profile itself empty of permissions.
- Create and configure the connected app
Create a connected app for the external system and enable OAuth settings. In the connected app's Manage view, set the permitted users policy to Admin pre-authorized and specify your Integration User as the Run-As User for the Client Credentials Flow.
- Hand over credentials and test
Give the consumer key and secret to the external system. Have it request an access token and make a sample API call. Confirm in Login History that the call ran as your Integration User, then verify it can only touch the data you scoped.
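The token request and the two checks from this step, as an added example (not the page's or Salesforce's own code): it runs the Client Credentials grant against the org's token endpoint, confirms through the identity URL in the token response that the token runs as the Integration User, then queries one object inside the permission set and one outside it. It assumes the My Domain host, consumer key, consumer secret and expected username come from environment variables, API version v60.0, and Account/Opportunity as placeholder in-scope and out-of-scope objects.

```python
import json, os, urllib.error, urllib.parse, urllib.request

API_VERSION = "v60.0"  # assumption: use a version your org supports

def token_request(my_domain, client_id, client_secret):
    """Build the client credentials grant POST for the org's My Domain token endpoint."""
    form = {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}
    return f"https://{my_domain}/services/oauth2/token", urllib.parse.urlencode(form).encode()

def parse_token_response(raw):
    """Accept only a Bearer token; surface the OAuth error description otherwise."""
    data = json.loads(raw)
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"token request failed: {data.get('error_description', raw)}")
    return {k: data[k] for k in ("access_token", "instance_url", "id")}

def identity_matches(raw, expected_username):
    """The identity URL (the 'id' field of the token response) reports the run-as user."""
    return json.loads(raw).get("username", "").lower() == expected_username.lower()

def classify_scope_check(status, raw):
    """200: object in scope. INVALID_TYPE (SOQL on an object the user cannot see) or 401/403: denied."""
    if status == 200:
        return "allowed"
    try:
        code = json.loads(raw)[0].get("errorCode")
    except (ValueError, IndexError, KeyError, TypeError, AttributeError):
        code = None
    return "denied" if status in (401, 403) or code == "INVALID_TYPE" else "other"

def call(url, body=None, headers=None):
    req = urllib.request.Request(url, data=body, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

if __name__ == "__main__":
    env = os.environ  # SF_MY_DOMAIN, SF_CLIENT_ID, SF_CLIENT_SECRET, SF_EXPECTED_USER (assumed names)
    url, body = token_request(env["SF_MY_DOMAIN"], env["SF_CLIENT_ID"], env["SF_CLIENT_SECRET"])
    tok = parse_token_response(call(url, body)[1])
    auth = {"Authorization": f"Bearer {tok['access_token']}"}
    print("runs as expected user:", identity_matches(call(tok["id"], headers=auth)[1], env["SF_EXPECTED_USER"]))
    # Placeholders: one object the permission set grants, one it does not; expect allowed then denied.
    for soql in ("SELECT Id FROM Account LIMIT 1", "SELECT Id FROM Opportunity LIMIT 1"):
        url = f"{tok['instance_url']}/services/data/{API_VERSION}/query?q={urllib.parse.quote(soql)}"
        print(soql, "->", classify_scope_check(*call(url, headers=auth)))
```

The identity URL check complements the Login History check rather than replacing it; an "other" result on the out-of-scope query means the denial came back in an unexpected form and is worth reading in full.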
- Salesforce Integration license: The API-only user license assigned to the user. Available in Enterprise, Unlimited, Performance, and Developer editions, with a limited free allocation.
- Minimum Access - API Only Integrations profile: The baseline profile created with the license. Keep it stripped of permissions and grant access through permission sets instead.
- Salesforce API Integration permission set license: The permission set license that unlocks broader object and user permissions for the account. Assign it before assigning custom permission sets.
- Run-As User: The connected app setting that names which Integration User the external system's API calls execute as.
- The license is API-only. The user genuinely cannot log in to any UI, so do not try to test it by signing in to a browser session.
- Never leave permissions on the Minimum Access - API Only Integrations profile itself. Put all access in permission sets so it stays auditable.
- Use one Integration User per external system. Sharing a single account across integrations makes auditing and least-privilege scoping impossible.
- Prefer the Client Credentials or JWT Bearer flow over username-password. A password rotation will silently break a username-password integration.