Salesforce Dictionary - Free Salesforce Glossary
How-to guide

Tighten a Connected App's OAuth policy

The most common task on this page is tightening an existing Connected App's OAuth policy. These steps configure who can use an app, how IP rules apply, and how long its refresh token lives.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated Jun 16, 2026

  1. Open the page

    From Setup, type Connected Apps in the Quick Find box and select Manage Connected Apps. The list shows every app installed in or created within the org.

  2. Edit the app's policies

    Click Edit next to the target app, then Edit Policies. This opens the OAuth policy section where the access controls live.

  3. Restrict who can authorize it

    For anything beyond a personal tool, set Permitted Users to Admin approved users are pre-authorized, then assign only the profiles or permission sets that genuinely need the app.

  4. Set IP and refresh token rules

    Choose the IP Relaxation option the integration can tolerate, then pick a Refresh Token Policy. Idle expiry is a sensible default for most apps.

  5. Save and verify usage

    Save the policies, then open Connected Apps OAuth Usage to confirm the app's active sessions still look correct and revoke anything unexpected.

Permitted Users

All users may self-authorize (any user can grant access) or Admin approved users are pre-authorized (only assigned profiles or permission sets, no consent prompt).

IP Relaxation

Enforce IP restrictions; Enforce but relax for refresh tokens; Relax for activated devices; or Relax IP restrictions entirely.

Refresh Token Policy

Valid until revoked; immediately expire; expire if not used for a set period; or expire after a fixed period.

Single Logout

Optional. When enabled with an HTTPS logout URL, signs the user out of the connected app when they log out of Salesforce.

Gotchas
  • All users may self-authorize is the default. Leaving it on means any API-enabled user can grant an app access to their data without admin involvement.
  • The Manage Connected Apps page sets policy, but revoking live sessions happens on the separate Connected Apps OAuth Usage page.
  • A refresh token policy of valid until revoked combined with broad scopes is the highest-risk pattern; prefer an expiry for sensitive integrations.
  • Relaxing IP restrictions weakens a real control. Only loosen it for apps, like mobile clients, that genuinely cannot work behind fixed ranges.
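The gotchas above are easy to turn into an audit over an exported list of app policies. The script below is an added example, not code from Salesforce Dictionary or Salesforce itself; the field names, option spellings and sample apps are constructed for illustration, so map them from whatever export you actually have.

```python
# Added example: flag the risky Connected App OAuth policy combinations
# described above. Field names and sample apps are constructed (hypothetical),
# not the Metadata API's own; only "full" and "api" are real Salesforce scope names.
from dataclasses import dataclass

# Scopes that grant wide data access; "until revoked" plus one of these is the worst pattern.
BROAD_SCOPES = {"full", "api"}


@dataclass
class AppPolicy:
    name: str
    permitted_users: str       # "self-authorize" (the default) or "admin-approved"
    ip_relaxation: str         # "enforce", "relax-refresh", "relax-devices", "relax"
    refresh_token_policy: str  # "until-revoked", "immediate", "idle-expiry", "fixed-expiry"
    scopes: frozenset


def audit(app: AppPolicy) -> list:
    """Return (severity, finding) pairs for one app, highest severity first."""
    findings = []
    if app.permitted_users == "self-authorize":
        findings.append(("medium", "any API-enabled user can grant access without admin approval"))
    if app.refresh_token_policy == "until-revoked":
        broad = bool(app.scopes & BROAD_SCOPES)
        findings.append(("high" if broad else "medium",
                         "refresh token never expires" + (" and scopes are broad" if broad else "")))
    if app.ip_relaxation == "relax":
        findings.append(("medium", "IP restrictions relaxed entirely; justify for non-mobile clients"))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: rank[f[0]])  # stable sort keeps check order within a level


def worst_first(apps: list) -> list:
    """Names of apps with at least one finding, highest-risk and most-findings first."""
    flagged = [(a.name, audit(a)) for a in apps if audit(a)]
    flagged.sort(key=lambda nf: (0 if nf[1][0][0] == "high" else 1, -len(nf[1])))
    return [name for name, _ in flagged]


# Constructed sample apps covering the patterns in the gotchas list.
SAMPLE_APPS = [
    AppPolicy("Legacy ETL", "self-authorize", "relax", "until-revoked", frozenset({"full", "refresh_token"})),
    AppPolicy("Field Mobile", "admin-approved", "relax-devices", "idle-expiry", frozenset({"api", "refresh_token"})),
    AppPolicy("Reporting Bot", "admin-approved", "enforce", "until-revoked", frozenset({"web"})),
    AppPolicy("Team Tool", "self-authorize", "enforce", "idle-expiry", frozenset({"api"})),
]

if __name__ == "__main__":
    for name in worst_first(SAMPLE_APPS):
        print(name, audit(next(a for a in SAMPLE_APPS if a.name == name)))
```

A mobile client that legitimately needs relaxed IP rules (Field Mobile above) produces no finding because it uses the device-activation option rather than relaxing restrictions entirely.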

See the full Manage Connected Apps entry

Manage Connected Apps includes the definition, worked example, deep dive, related terms, and a quiz.