OAuth
Definition
In Salesforce, an open authorization protocol used by connected apps to grant third-party applications secure, token-based access to Salesforce data without exposing user credentials, supporting flows like Web Server, JWT Bearer, and Device.
In plain English
“OAuth is an open standard authorization protocol used by Salesforce connected apps to grant third-party applications secure access to Salesforce data. Instead of asking for the user's password, OAuth issues tokens that can be scoped, refreshed, and revoked without ever exposing the credentials themselves.”
Worked example
Brindlebrook Realty's marketing team runs a third-party email-campaign tool that needs to read Lead and Contact records from Salesforce nightly. Rather than giving the tool a service-account password, the team creates a Connected App in Salesforce and configures OAuth with the Web Server flow: the tool redirects the admin to Salesforce for one-time approval, Salesforce returns an access token plus a refresh token, and the tool uses those tokens for its ongoing API calls. The admin can revoke the token from Salesforce in seconds if needed, the tool's permissions are limited to the OAuth scopes granted (read on Lead and Contact, nothing else), and no user password is ever shared. OAuth turns the integration into something the security team can audit, scope, and revoke without changing any user's password.
Why OAuth matters
In Salesforce, OAuth is an open authorization protocol used by connected apps to grant third-party applications secure, token-based access to Salesforce data without exposing user credentials. OAuth supports several flows for different scenarios: Web Server Flow (for web apps with server-side code), JWT Bearer Flow (for server-to-server integration without user interaction), Device Flow (for devices with limited input), User-Agent Flow (for client-side apps), and others. Each flow handles authentication differently but all produce access tokens that the application uses for API calls.
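The JWT Bearer flow named above is the one server-to-server integrations use, so it is worth seeing what actually crosses the wire. The block below is an added example, not code from the page or from Salesforce: it builds the client's signed assertion and then runs the checks the authorization server performs (signature, issuer, audience, expiry, subject) before it will issue an access token. Assumptions: the consumer key, username and demo key are constructed placeholders, the 180-second expiry is a chosen value, and the HMAC signer is an offline stand-in for the RS256 signature a real connected app requires.

```python
import base64, hashlib, hmac, json, time
from typing import Callable, Optional
from urllib.parse import urlencode

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # POSTed to /services/oauth2/token

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()  # unpadded, per JWT

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def build_assertion(consumer_key: str, username: str, audience: str,
                    sign: Callable[[bytes], bytes], now: Optional[int] = None, ttl: int = 180) -> str:
    """Client side: iss = connected app consumer key, sub = pre-authorized user, aud = login host."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "RS256"}, separators=(",", ":")).encode())
    claims = {"iss": consumer_key, "sub": username, "aud": audience, "exp": now + ttl}  # ttl: chosen value
    signing_input = header + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return signing_input + "." + _b64url(sign(signing_input.encode()))

def token_request_body(assertion: str) -> str:
    """Form body the client POSTs to https://<login host>/services/oauth2/token."""
    return urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion})

def validate_assertion(assertion: str, expected_iss: str, expected_aud: str,
                       verify: Callable[[bytes, bytes], bool], now: Optional[int] = None) -> Optional[dict]:
    """Server side: every check must pass before a token is issued; returns claims or None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = assertion.split(".")
        if not verify((header + "." + payload).encode(), _b64url_decode(sig)):
            return None  # not signed by the key registered on the connected app
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return None  # malformed token
    if not isinstance(claims, dict) or claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None  # unknown app, or an assertion minted for another login host (sandbox vs production)
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now or not claims.get("sub"):
        return None  # expired, or no user to act as
    return claims

# Offline stand-in for RS256 (constructed demo key) so the example runs without a key
# pair; real Salesforce verifies against the certificate uploaded to the connected app.
_DEMO_KEY = b"constructed-demo-key"

def demo_sign(msg: bytes) -> bytes:
    return hmac.new(_DEMO_KEY, msg, hashlib.sha256).digest()

def demo_verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(msg), sig)
```

The audience check is what stops an assertion minted for test.salesforce.com from being accepted at login.salesforce.com, and the short expiry is what limits the damage if one leaks.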
OAuth is foundational to modern Salesforce integration security. Compared to older approaches like password-based authentication or API keys embedded in code, OAuth provides better security through token-based access that can be revoked, scoped to specific permissions, and refreshed without re-authentication. Mature integration practices use OAuth for everything: connected apps, third-party tools, custom integrations, and the Salesforce CLI itself. Knowing the right OAuth flow for each scenario is part of being effective with Salesforce integration security.
How organizations use OAuth
- Use the JWT Bearer Flow for server-to-server integrations, eliminating the need to store and rotate user passwords.
- Build connected app authentication around the OAuth Web Server Flow for user-facing scenarios.
- Train developers on the various OAuth flows so they pick the right one for each integration scenario.
Trust & references
Straight from the source: Salesforce's reference material on OAuth.
- OAuth Authorization Flows (Salesforce Help)
- OAuth 2.0 Web Server Flow for Web App Integration (Salesforce Help)
Test your knowledge
Q1. What is OAuth in Salesforce?
Q2. What are some OAuth flows?
Q3. Why is OAuth better than password-based auth?