Connected App
Definition
A Connected App is a Salesforce configuration that registers an external application or integration with the platform's identity and OAuth infrastructure. It is the bridge that lets a mobile app, web service, or third-party tool authenticate users into Salesforce, make API calls on their behalf, and stay within the security boundary the admin has approved. Every modern integration with Salesforce (custom mobile apps, AppExchange packages, Slack workspaces, MuleSoft instances, ETL tools, Pub/Sub API clients) is fronted by a Connected App.
A Connected App holds the OAuth client ID and secret, the allowed OAuth scopes (api, refresh_token, full, web, openid, custom_permissions), the callback URLs for redirect-based flows, and the user-access policies (admin-approved versus self-authorized). It also controls IP relaxation rules, session policies, and certificate-based authentication for the JWT bearer flow. Connected Apps are the centerpiece of Salesforce identity and access management for anything outside the Salesforce-built UI; every API token in production traces back to one.
How Connected Apps gate integration access to Salesforce
OAuth client credentials and the basic identity model
Each Connected App is issued a Consumer Key (the OAuth client ID) and a Consumer Secret. The external application uses these to identify itself when requesting access tokens from the Salesforce OAuth endpoints. The Consumer Secret is sensitive and should never be embedded in client-side code; for public clients (mobile apps, single-page apps) the OAuth flow uses PKCE instead. Rotating the Consumer Secret is supported but requires updating every external system that uses it, so plan rotation events carefully.
OAuth flows: web server, JWT bearer, device, client credentials
Connected Apps support several OAuth flows. Web server flow is the classic redirect-based pattern for user-facing integrations. JWT bearer flow is the server-to-server pattern using a signed JWT, common for headless integrations like nightly ETL jobs. User-agent flow is for SPAs and mobile. Device flow is for input-constrained devices like smart TVs. Client credentials flow (newer) is for service accounts that need to authenticate without a user context. Each flow has different security trade-offs; pick the flow that matches the integration architecture.
Scopes and what they grant
OAuth scopes control what the access token can do. api lets the integration call REST and SOAP APIs as the authenticated user. refresh_token lets the integration refresh tokens without re-authenticating. full grants everything api does plus all standard scopes. openid lets the integration retrieve OpenID Connect identity claims. custom_permissions returns the user's custom permission set. web lets the integration use the API on behalf of the user via web-based redirect. Pick the minimum set the integration needs; broader scopes increase blast radius if credentials leak.
Pre-authorization and admin-approved policies
Connected Apps have a Permitted Users setting that controls who can use them. All users may self-authorize (lowest control, easiest UX) or Admin approved users are pre-authorized (highest control, profiles or permission sets must explicitly grant access). Admin-approved is the standard for production integrations; self-authorize is for developer tools. The IP Relaxation policy controls whether the Connected App can be accessed from outside the org's trusted IP ranges; relaxing is necessary for cloud-hosted integrations but increases attack surface.
Session policies and token lifetimes
Each Connected App can override the org-level session policies for access tokens issued through it. Refresh token lifetime, session timeout, high assurance session requirements, and "Allow JWT-Based" flag are all configurable per app. For sensitive integrations, set tight refresh token lifetimes and require high assurance sessions to limit damage from leaked credentials. For routine integrations, longer lifetimes reduce churn at the cost of broader blast radius.
Certificate-based authentication and JWT bearer flow
The JWT bearer flow is the most secure server-to-server pattern Salesforce offers. The Connected App is configured with a digital certificate (X.509). The external system signs a JWT with the matching private key, posts it to the OAuth token endpoint, and receives an access token without any user interaction. This pattern is the standard for headless integrations because it avoids storing passwords or refresh tokens, and rotation is as simple as updating the certificate. AppExchange packages often use this for their backend integration.
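The assertion the external system signs in this flow, as an added example that is not the page's or Salesforce's own code: the claim names, 3-minute expiry limit and token endpoint are those the JWT bearer flow documents, while the consumer key, username and stand-in signer in the demo are constructed placeholders, and rs256_signer_from_pem() assumes the `cryptography` package is installed.

```python
"""Salesforce OAuth 2.0 JWT bearer flow: build the signed assertion.
Added example, not the page's or Salesforce's code. Signing is delegated to a
caller-supplied RS256 function; rs256_signer_from_pem() builds the real one
with the `cryptography` package (assumed installed only when it is called)."""
import base64, hashlib, json, time

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
LOGIN_HOST = "https://login.salesforce.com"    # production orgs
SANDBOX_HOST = "https://test.salesforce.com"   # sandboxes
MAX_TTL = 180  # Salesforce rejects assertions whose exp is over 3 minutes away


def b64url(data):
    """Unpadded base64url, the encoding JWS mandates for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion(consumer_key, username, signer, audience=LOGIN_HOST, now=None, ttl=MAX_TTL):
    """Compact JWS with iss = Consumer Key, sub = user to act as, aud = login host."""
    now = int(time.time()) if now is None else now
    claims = {"iss": consumer_key, "sub": username, "aud": audience,
              "exp": now + min(ttl, MAX_TTL)}
    seg = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = seg({"alg": "RS256"}) + "." + seg(claims)
    # RS256 signs the ASCII "header.payload" string with the private key whose
    # X.509 certificate was uploaded on the Connected App.
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def token_request(assertion, audience=LOGIN_HOST):
    """Endpoint and form body for the token POST; no user interaction is involved."""
    return (audience + "/services/oauth2/token",
            {"grant_type": JWT_BEARER_GRANT, "assertion": assertion})


def rs256_signer_from_pem(pem: bytes):
    """RS256 is RSASSA-PKCS1-v1_5 over SHA-256 (requires `cryptography`)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Constructed values; the stand-in signer lets the demo run without a key
    # but yields no valid signature. Use rs256_signer_from_pem() for real.
    stand_in = lambda data: hashlib.sha256(data).digest()
    jwt = build_assertion("3MVG9_CONSUMERKEY_PLACEHOLDER", "integration.user@example.com", stand_in)
    print(token_request(jwt))
```

Because the signer is injected, the same builder works with an HSM- or KMS-backed key, which keeps the private key off the integration host entirely.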
Monitoring, revocation, and audit
Setup > Connected Apps OAuth Usage shows recent token grants and active sessions per Connected App. Revoking a Connected App invalidates all outstanding tokens immediately. Setup Audit Trail logs Connected App changes (scope updates, policy changes, certificate rotations). Setup > Login History tracks API logins by source IP and Connected App. Build alerting on unusual usage patterns (new IP addresses, unexpected scope use) because the Connected App is the most common attack vector for stealing Salesforce data.
How to create and configure a Connected App
Creating a Connected App takes minutes; configuring it correctly takes thought. The OAuth flow, scopes, callback URLs, IP policies, and session policies all need deliberate choices that match the integration's actual needs. Build in sandbox first, validate every flow path, then promote to production with the right pre-authorization policy.
- Identify the integration use case and OAuth flow
User-facing web app: web server flow. Headless server integration: JWT bearer flow. Mobile or SPA: user-agent flow with PKCE. Service account without user: client credentials flow. The flow choice constrains every other configuration decision.
- Create the Connected App
Setup > App Manager > New Connected App. Enter the basic information (name, API name, contact email, logo). Check Enable OAuth Settings and configure the OAuth flow specifics.
- Set callback URLs
Add the URLs the external app uses for OAuth redirects. Web server flow needs at least one. Multiple callback URLs are supported for dev/stage/prod environments. The URLs must match exactly during the OAuth handshake or the platform rejects the request.
- Pick OAuth scopes
Select the minimum scopes the integration needs. api for REST/SOAP calls. refresh_token for offline access. openid for identity claims. full only when the integration truly needs everything. Avoid full as a habit because it grants more than most integrations actually need.
- Configure certificates if using JWT bearer
Upload the X.509 public certificate that matches the private key the external system will use to sign JWTs. The platform validates JWTs against this certificate during the bearer flow.
- Set permitted users and IP relaxation
Permitted Users: Admin approved users are pre-authorized (recommended for production). All users may self-authorize for low-risk dev tools only. IP Relaxation: Enforce IP restrictions (recommended); relax only when the integration runs from cloud hosts outside the trusted IP range.
- Save and capture the Consumer Key and Secret
Save the Connected App. The platform generates the Consumer Key and Consumer Secret. Store them in a secrets manager (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault). Never embed them in source code or client-side bundles.
- Assign permitted profiles or permission sets
Manage Profiles or Manage Permission Sets on the Connected App detail page. Pre-approve the user populations that can use the integration. Without this, users cannot authenticate even with valid credentials.
- OAuth flow: Web server, JWT bearer, user-agent, device, or client credentials. Drives every other configuration choice on the Connected App.
- Scopes: Controls what the access token can do. api, refresh_token, openid, full, custom_permissions, web. Pick the minimum set the integration needs.
- Permitted Users: Admin approved (pre-authorized profiles/permission sets) versus All users may self-authorize. Admin approved is the recommended production default.
- The Consumer Secret is sensitive. Never embed it in mobile app bundles or single-page apps; use PKCE instead. For server integrations, store it in a secrets manager and rotate it periodically.
- Callback URLs must match exactly during the OAuth handshake. Trailing slashes, case differences, and protocol mismatches (http versus https) all cause OAuth errors that look mysterious to debug.
- Asking for the full scope is broader than most integrations need. Stick to api, refresh_token, and openid for typical integrations. full grants administrative access and increases blast radius if credentials leak.
- IP Relaxation set to Enforce blocks cloud-hosted integrations whose source IPs are not in the trusted ranges. Relax only when the integration genuinely needs it, and pair with high-assurance session requirements.
- Revoking a Connected App invalidates all outstanding tokens immediately. Coordinate with integration owners before revoking because dependent systems lose access without warning.
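A pre-promotion check that encodes the choices and pitfalls above, as an added example that is not the page's or Salesforce's own code; the settings dicts, their keys and their values are constructed stand-ins, not the ConnectedApp metadata schema.

```python
"""Pre-promotion review of a Connected App's settings against the choices above.
Added example, not the page's or Salesforce's code. The app dicts and their keys
are a constructed stand-in for the settings, not the ConnectedApp metadata
schema; the rules encode this page's recommendations, nothing more."""

PUBLIC_CLIENT_FLOWS = {"user_agent", "device"}  # cannot keep a Consumer Secret


def callback_matches(registered, presented):
    """Salesforce compares the redirect URI byte-for-byte, so scheme, case and
    a trailing slash all matter; no normalisation is applied here either."""
    return presented in registered


def review(app, production=True):
    """Return policy findings; an empty list means the app is ready to promote."""
    findings = []
    if "full" in app["scopes"]:
        findings.append("scope: 'full' grants administrative reach; use api/refresh_token/openid")
    if app["flow"] in PUBLIC_CLIENT_FLOWS:
        if app.get("embeds_consumer_secret"):
            findings.append("secret: public client ships the Consumer Secret")
        if not app.get("pkce"):
            findings.append("pkce: public client without PKCE")
    for url in app["callback_urls"]:
        if production and not url.startswith("https://"):
            findings.append(f"callback: {url} is not https")
    if production and app["permitted_users"] != "admin_approved":
        findings.append("permitted users: production app lets all users self-authorize")
    if app["ip_relaxation"] == "relax" and not app.get("high_assurance_session"):
        findings.append("ip: relaxation without a high-assurance session requirement")
    return findings


# Constructed settings: a dev tool promoted as-is, and its hardened counterpart.
WEAK_APP = {"flow": "user_agent", "scopes": {"full", "refresh_token"},
            "embeds_consumer_secret": True, "pkce": False,
            "callback_urls": ["http://app.example.com/cb"],
            "permitted_users": "self_authorize", "ip_relaxation": "relax"}
HARDENED_APP = {"flow": "jwt_bearer", "scopes": {"api", "refresh_token"},
                "callback_urls": ["https://etl.example.com/oauth/cb"],
                "permitted_users": "admin_approved", "ip_relaxation": "enforce"}

if __name__ == "__main__":
    for name, app in (("weak", WEAK_APP), ("hardened", HARDENED_APP)):
        print(name, review(app) or "no findings")
```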
Trust & references
Cross-checked against the following references.
- Connected Apps Overview (Salesforce Help)
- Create a Connected App (Salesforce Help)
- OAuth Authorization Flows (Salesforce Help)
Straight from the source: Salesforce's reference material on Connected Apps.
- Create a Connected App (Salesforce Help)
- OAuth JWT Bearer Flow (Salesforce Help)
- Connected App IP Relaxation (Salesforce Help)
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Test your knowledge
Q1. What skill set is typically needed to work with Connected Apps?
Q2. What is a Governor Limit in the context of Connected Apps?
Q3. Where would a developer typically work with Connected Apps?