Client App
Definition
A Client App in Salesforce is any external software application that authenticates against Salesforce and uses the platform's APIs to read or write data. Client Apps include mobile apps (the Salesforce Mobile App, custom mobile apps built on the Mobile SDK, third-party iOS or Android apps), web apps (Marketing Cloud Engagement, custom integrations, partner-built portals), backend services (ETL pipelines, billing systems, data warehouses), and command-line tools (Salesforce CLI, custom scripts). Each Client App registers as a Connected App in Salesforce; the registration carries the OAuth client credentials (labelled Consumer Key and Consumer Secret in Setup, sent to the token endpoint as client_id and client_secret), the allowed OAuth scopes, and the Connected App policies, including IP restrictions.
Client Apps matter because every external integration with Salesforce is one. The Connected App registration is the platform's mechanism for managing who can call the APIs, with what permissions, under what restrictions. Production Salesforce orgs typically have dozens of registered Client Apps representing every external system that touches the platform. Mature programs audit Client Apps annually, rotate secrets routinely, and apply IP restrictions where the integration runs from known addresses. The Client App concept spans every Salesforce SDK and integration pattern; understanding it is foundational to anything beyond the standard Salesforce UI.
How Client Apps authenticate and operate with Salesforce
Connected App registration
Every Client App needs a Connected App record in Salesforce, created under Setup, App Manager, New Connected App. The record holds the Consumer Key and Consumer Secret (the OAuth client ID and client secret), the callback URL, the allowed OAuth scopes, and the Connected App policies: Permitted Users, IP Relaxation, refresh token policy, and session timeout. The Connected App is what the platform authenticates the Client App against. The Consumer Secret is revealed only after saving, through Manage Consumer Details, and should go straight into the integration's secret store rather than into source or a ticket.
OAuth flows per Client App type
Different Client App types use different OAuth 2.0 flows. Web apps use the Web Server flow (Authorization Code), where a server-side component holds the client secret. Mobile and other native apps use Authorization Code with PKCE, because an app shipped to end users cannot keep a secret. Backend services use the JWT Bearer flow: the service signs a short-lived JWT with a private key whose certificate is uploaded to the Connected App, and Salesforce issues an access token for the username in the JWT's sub claim without any interactive login; this flow returns no refresh token, so the service mints a new assertion whenever its access token expires. Salesforce also offers a Client Credentials flow for server-to-server calls, which runs as a user designated on the Connected App. Refresh tokens let long-lived, user-facing integrations stay authenticated without re-prompting users. Picking the right flow is foundational to integration design.
OAuth scopes
Scopes define what the Client App is allowed to request: api (REST, SOAP, and Bulk API access), refresh_token (also accepted as offline_access; lets the app obtain a refresh token for long-lived sessions), web (Visualforce and Lightning pages), full (encompasses every other scope; it still returns no refresh token unless refresh_token is requested explicitly). Mature integrations request only the scopes they need; over-scoped Client Apps are security findings.
IP restrictions and session policies
Connected App policies, set from the app's Manage page after it is saved, control where and for how long a Client App can operate. Permitted Users decides whether any user may self-authorize the app or only users pre-authorized by an admin (through profiles or permission sets) may use it. IP restrictions come from two places: the integration user's profile login IP ranges, which the app's IP Relaxation setting (default: Enforce IP restrictions) applies to tokens issued to this app, and the app's own trusted IP ranges; enforcing restricts nothing if the profile defines no ranges. The Timeout Value caps how long an access token's session lasts, and the refresh token policy bounds how long a refresh token stays valid. Production-grade Client Apps set all of these deliberately; a development org with self-authorizing users, no IP ranges, and an unlimited refresh token policy is convenient but not a production posture.
User permissions on top of Client App scopes
Scopes bound what the app may ask for; the user the token is issued to bounds what it can actually reach. Effective access is the intersection of the app's scopes and the user's profile, permission sets, and sharing settings, so a token with the api scope issued to a read-only integration user cannot write records. Dedicated integration users with narrowly scoped permission sets are the safer pattern (Salesforce provides an API-only Salesforce Integration user license for this purpose); using an admin user as the integration identity is convenient, but a leaked token or secret then carries full administrative access.
Client Apps in the Mobile SDK
Custom mobile apps built on the Salesforce Mobile SDK register as Connected Apps. The SDK handles OAuth and refresh-token management. Most enterprise Salesforce customers have at least one custom mobile Client App for field service, employee self-service, or customer-facing flows.
Auditing and rotating Client App credentials
Client App audits should run at least annually: identify unused Connected Apps and delete them, verify that granted scopes still match what the integration uses, rotate Consumer Secrets (and the signing certificates behind JWT Bearer integrations), and confirm that IP restrictions still reflect where the integration runs. A Consumer Secret copied into a code repository, a CI log, or a developer laptop years ago stays valid until it is rotated, so rotation closes exposures the audit cannot see.
Common pitfalls
Three patterns recur. Over-scoped Client Apps grant more access than the integration needs. Long-unrotated secrets accumulate exposure. And shared integration users without dedicated permission sets give every integration the same access level. Each is addressable with deliberate Connected App governance.
How to register and manage a Client App
Client App registration is a Connected App configuration plus an integration user setup. The mechanics are short; the discipline that makes it safe spans annual audits and routine secret rotation.
- Decide the integration model
Web app, mobile app, backend service, or CLI tool. The model drives the OAuth flow and the scopes needed.
- Create the Connected App
Setup, App Manager, New Connected App. Enable OAuth settings, set the callback URL, select the OAuth scopes, and, for JWT Bearer integrations, upload the signing certificate. After saving, open Manage Consumer Details to read the Consumer Key and Consumer Secret (the Client ID and Client Secret) and put them straight into the integration's secret store, never into source control. Then set the Connected App policies (Permitted Users, IP Relaxation, refresh token policy, timeout) from the app's Manage page.
- Configure the integration user
Use a dedicated integration user with a tightly scoped permission set rather than reusing an admin user. Assign only the permissions the integration needs.
- Implement the OAuth flow
Implement the chosen flow (Web Server/Authorization Code for web apps, Authorization Code with PKCE for mobile, JWT Bearer for backend services) in the Client App. Use refresh tokens only for long-lived user-facing sessions and protect them like passwords: the platform keystore on mobile, the secret store on servers, never logs or source. A JWT Bearer service holds a private key instead of a refresh token; the same handling applies.
- Audit and rotate secrets annually
Annual review: confirm scopes match needs, verify IP restrictions, rotate Client Secrets. Document the rotation procedure so the team can execute it reliably.
- Connected App
The Salesforce registration record for the Client App.
- Consumer Key and Consumer Secret
The OAuth credentials (client ID and client secret) the Client App uses.
- OAuth scopes
The capabilities the Client App can exercise.
- Integration user
The Salesforce user identity the Client App authenticates as.
- Connected App policies
IP restrictions, session timeouts, and refresh token policies.
- Over-scoped Connected Apps grant more access than needed. Request only the scopes the integration uses; over-scoping is a security finding.
- Unrotated Client Secrets accumulate exposure. Annual rotation is the minimum cadence for production.
- Sharing integration users between unrelated integrations confuses audit and risks privilege creep. One integration user per Client App is the safer pattern.
- Connected App policies left at development-time settings (self-authorizing users, no login IP ranges on the integration user's profile, an unlimited refresh token policy) are too permissive for production. Set Permitted Users, IP restrictions, the refresh token policy, and the timeout explicitly.
Trust & references
Cross-checked against the following references.
- Connected Apps Overview (Salesforce Help)
- OAuth Flows (Salesforce Help)
- Salesforce Mobile SDK (Salesforce Developer Docs)
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Test your knowledge
Q1. What is a Client App in Salesforce?
Q2. What protocol does a Client App use to authenticate to Salesforce?
Q3. What is a common Client App scenario?