Use these steps to harden the org-wide OAuth posture from the OAuth and OpenID Connect Settings page. Audit current usage before you block anything, because blocked flows stop working immediately for any integration that still relies on them.
- Open the settings page
From Setup, enter OAuth in the Quick Find box and select OAuth and OpenID Connect Settings.
- Check current usage first
Review Login History and the Connected Apps OAuth Usage report to find which integrations use the user-agent and username-password flows before you disable them.
- Block the insecure flows
Turn off Allow OAuth User-Agent Flows and Allow OAuth Username-Password Flows once you have migrated or confirmed no live integration depends on them.
- Require PKCE
Enable Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows so every authorization code request must carry a code challenge and verifier.
- Save and confirm
Save the page, then test a known integration end to end and watch Login History to confirm legitimate clients still authenticate.
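The PKCE requirement in the steps above is easier to reason about with the exchange written out. The following is an added example, not Salesforce code and not the product's token endpoint: it implements the RFC 7636 client side (random `code_verifier`, S256 `code_challenge`) and a small in-memory authorization server (an assumption, standing in for the real one) that, like the Salesforce setting, refuses authorization code requests that carry no challenge and refuses token requests whose verifier does not match. Names such as `AuthServer`, `authorize`, `token` and `run_scenarios` are the example's own.

```python
"""PKCE (RFC 7636) worked end to end: client-side challenge generation and
server-side enforcement. The server is a constructed in-memory stand-in,
not Salesforce's implementation."""
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """code_verifier from a CSPRNG; 32 random bytes give 43 characters,
    the minimum length the RFC allows."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Constructed stand-in for an authorization server whose 'require PKCE'
    switch mirrors the Salesforce setting discussed on this page."""

    def __init__(self, require_pkce: bool = True):
        self.require_pkce = require_pkce
        self._codes = {}  # issued authorization code -> bound code_challenge (or None)

    def authorize(self, code_challenge=None, method="S256") -> str:
        """Authorization endpoint: issue a one-time code bound to the challenge."""
        if self.require_pkce and not code_challenge:
            raise PermissionError("invalid_request: code_challenge is required")
        if code_challenge and method != "S256":
            # Assumption for this example: only the S256 method is accepted.
            raise PermissionError("invalid_request: unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier=None) -> dict:
        """Token endpoint: the code is single-use, and the presented verifier
        must hash to the challenge that was bound at authorization time."""
        if code not in self._codes:
            raise PermissionError("invalid_grant: unknown or already used code")
        challenge = self._codes.pop(code)
        if challenge is None:
            if self.require_pkce:
                raise PermissionError("invalid_grant: PKCE required")
        elif not code_verifier or not secrets.compare_digest(
            make_challenge(code_verifier), challenge
        ):
            raise PermissionError("invalid_grant: code_verifier does not match")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_scenarios() -> dict:
    """Exercise the cases an admin cares about when flipping the setting."""
    results = {}

    # 1. An updated client that sends a challenge and later its verifier succeeds.
    strict = AuthServer(require_pkce=True)
    verifier = make_verifier()
    code = strict.authorize(make_challenge(verifier))
    results["pkce_client_ok"] = "access_token" in strict.token(code, verifier)

    # 2. A legacy client that sends no challenge is rejected at the authorization
    #    endpoint; this is the breakage the page warns about.
    try:
        strict.authorize()
        results["legacy_rejected"] = False
    except PermissionError:
        results["legacy_rejected"] = True

    # 3. A code presented without the matching verifier is useless, which is the
    #    protection PKCE adds over a bare authorization code.
    code = strict.authorize(make_challenge(make_verifier()))
    try:
        strict.token(code, None)
        results["code_without_verifier_rejected"] = False
    except PermissionError:
        results["code_without_verifier_rejected"] = True

    # 4. With the setting off, the same legacy client still gets a token.
    lax = AuthServer(require_pkce=False)
    results["legacy_ok_when_not_required"] = "access_token" in lax.token(lax.authorize(), None)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Scenario 2 is the one to check before enabling the setting: any client that reaches the authorization endpoint without a `code_challenge` will fail in exactly that way once the org requires PKCE.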
- Allow OAuth User-Agent Flows
Permits the user-agent (implicit) flow, which returns the access token in the redirect URL fragment. Salesforce recommends blocking it because the token can leak into URLs and logs.
- Allow OAuth Username-Password Flows
Permits clients to send a username and password directly to the token endpoint. Blocked by default in Summer '23 and later orgs; block it everywhere.
- Allow Authorization Code and Credentials Flows
Permits the web server (authorization code) and client credentials flows. Leave it enabled unless no integration uses either flow.
- Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows
When enabled, rejects every authorization code request that does not carry a PKCE code challenge and verifier.
- Blocking a flow takes effect immediately. Any integration still using it stops authenticating, so migrate before you toggle.
- Requiring PKCE breaks older clients that do not send a code challenge and verifier; update their code first.
- The username-password flow ignores multi-factor authentication and single sign-on, so it is the highest-risk toggle to leave on.
- The OpenID Connect discovery URL and issuer values are tied to your My Domain; changing My Domain moves them and can break external clients.