What is the most important tip for working with Remote Access Application?

When you encounter Remote Access Application in any document or code, treat it as a signal that the surrounding content may be outdated in other ways too. Review the broader context, not just the term.

DevelopmentAdvanced

Remote Access Application

Q: What is a Remote Access Application?

Remote Access Application is the older name for Connected Apps.

Q: What should you use instead?

Connected App is the current term for this feature.

Q: What does the feature do?

Connected Apps provide OAuth-based integration capabilities regardless of the name used.

Remote Access Application is the legacy Salesforce term for what is now called a Connected App.

Hear it

§ 01

Definition

Remote Access Application is the legacy Salesforce term for what is now called a Connected App. It refers to a registered external application that authenticates with Salesforce using OAuth 2.0 and integrates with Salesforce data through the API. The Remote Access Application name was retired around the Winter 2014 release when Salesforce consolidated the related identity and integration features under the unified Connected App framework, but the original name still appears in documentation, training materials, and older customer integrations.

Anyone working with a legacy Salesforce org may encounter references to Remote Access Applications in old runbooks, partner documentation, or community posts. The functional capability is preserved entirely in modern Connected Apps; the rename was a packaging change that grouped OAuth-protected integration apps alongside related features (single sign-on, mobile app integration, canvas apps). Understanding the legacy term helps when reading old documentation or troubleshooting older customer environments.

§ 02

From Remote Access Application to Connected App

Why the rename happened

Salesforce introduced the Remote Access Application concept around 2010 to provide a registration mechanism for external apps that needed to authenticate users via OAuth and access Salesforce data through the API. Over the next few years, the platform added related features: single sign-on through SAML, mobile app integration with custom branding, canvas apps for embedded UI inside Salesforce, and various policy controls for IP restrictions and session timeouts. By 2013, the Remote Access Application registration was carrying a much broader set of responsibilities than its original name suggested. The Winter 2014 rename to Connected App reflected this broader scope: every external app connected to Salesforce, whether it accessed data via the API, signed users in via SSO, or hosted Salesforce-embedded canvas content, used the same registration construct.

What was preserved in the migration

The rename did not break anything. Existing Remote Access Application records were automatically migrated to Connected App records with the same configuration, the same client IDs and secrets, the same OAuth scopes, and the same authorized users. Customer integrations continued to work without modification. The Setup UI changed to show Connected Apps in the new location (Setup > App Manager > Connected Apps), and the legacy Remote Access Application Setup page redirected to the new location. For most customers, the transition was invisible. For partners and ISVs, the change required updating their documentation and any training materials that referenced the old name.

Where the old term still appears

The Remote Access Application name still surfaces in several places. Old community posts on the Salesforce Trailblazer Community reference the original term. Vintage customer documentation written before 2014 uses it. Some legacy Apex code or external integration code includes the literal string remoteaccess in URL paths or class names, even though the equivalent modern paths use connectedapp. Partner ISVs occasionally still ship installation guides that reference Remote Access Applications because the documentation has not been updated. Recognizing the legacy term and translating it to Connected App is a useful skill when reading any older Salesforce content.

How modern Connected Apps work

A modern Connected App registration captures the OAuth client ID, client secret, callback URLs, OAuth scopes (which data the app is allowed to access), profile and permission set authorization (which users can use the app), IP and login restrictions, session timeout policies, and any custom attributes for SSO claims. The configuration UI walks through each of these in sequence during initial setup. After registration, external apps use the client ID and secret in standard OAuth 2.0 flows: authorization code, JWT bearer, client credentials, device flow, depending on the app type. Salesforce validates the requesting app, the user, and the requested scope on each authentication, then issues access and refresh tokens.

Security considerations across the rename

Whether called Remote Access Application or Connected App, the underlying security considerations are the same. Client secrets must be stored securely and rotated periodically. OAuth scopes should follow the principle of least privilege (do not request full data access when read-only access to a specific object would do). Refresh token lifetime and inactivity timeout should be configured based on the app's threat model. IP restrictions are appropriate when the app runs from a known network range. Multi-factor authentication can be required on the user's Salesforce login flow. These controls have evolved since the Remote Access Application era, with newer policies (high-assurance sessions, OAuth client credentials, refresh token rotation) added over the past few releases, but the fundamental architecture is the same.

Migration patterns for legacy integrations

Some customers run integrations that were originally configured as Remote Access Applications and have not been touched since. These integrations continue to work because the underlying record is now a Connected App with the same client ID and secret. However, modernizing such integrations is a worthwhile exercise. Updates to the Connected App can take advantage of newer OAuth flows (PKCE for browser apps, JWT bearer for server-to-server), tighter scope restrictions, better session policies, and modern audit logging. The migration is a straightforward edit of the existing Connected App record rather than a re-registration. The integration code on the external side may need updates depending on which OAuth flow is being modernized.

Documentation hygiene for the legacy term

Customers maintaining a corporate runbook or integration architecture document should standardize on Connected App as the current term. Any references to Remote Access Application should be updated with a brief note explaining the rename, both for clarity and for searchability. New employees joining the Salesforce ecosystem will not know the legacy term unless they encounter old documentation, and consistent vocabulary saves training time. The cost of the update is small (a search and replace) and the long-term benefit is consistent communication across the org.

§ 03

Translate a Remote Access Application reference to current Salesforce

When you encounter a Remote Access Application reference in legacy documentation or code, the right action is to translate it to the modern Connected App equivalent. The walkthrough below covers the typical sequence for updating documentation, code, and configuration to current terminology and capabilities. The goal is not just terminology consistency; it is also an opportunity to evaluate whether the legacy integration still uses the right OAuth flow and security posture for current threat models.

Locate the equivalent Connected App in Setup
From Setup, navigate to App Manager and find the Connected App that corresponds to the legacy Remote Access Application. The matching record has the same client ID; the name may have changed during the rename or may be the same. Review the configuration: OAuth scopes, callback URLs, profile and permission set authorization, IP restrictions, session policies. Confirm the Connected App is still active and serving the integration as expected.
Update internal documentation
Search the org's runbook, wiki, and integration architecture documents for references to Remote Access Application. Replace each occurrence with Connected App. Add a brief note about the historical rename for any document that is heavily referenced by new staff. Update any architectural diagrams that show the integration topology. The goal is consistent vocabulary across all internal communication.
Update code, URLs, and external references
Search the Apex codebase, external integration repos, and partner documentation for references to the legacy term. Update class names, variable names, and comment text to use connected_app or similar modern conventions. Update any hardcoded URL paths that include remoteaccess to use the current connectedapp equivalent. Test the updated code in sandbox to confirm no behavior change before promoting to production.
Modernize the OAuth flow if appropriate
Evaluate whether the integration is using the most appropriate OAuth flow for its scenario. Legacy Remote Access Application integrations were often built on username-password flow, which is now discouraged. Modern alternatives include OAuth 2.0 JWT bearer flow for server-to-server integrations, authorization code with PKCE for browser-based apps, and OAuth 2.0 client credentials for trusted machine-to-machine scenarios. Update the Connected App configuration to support the new flow, update the integration code, and test thoroughly before retiring the legacy flow.

Gotchas

Some old documentation refers to Setup paths that no longer exist (Setup > Develop > Remote Access). The modern path is Setup > Apps > App Manager > Connected Apps.
Username-password OAuth flow is still supported for backward compatibility but is discouraged. Modern integrations should use JWT bearer, authorization code with PKCE, or client credentials.
Client secrets from the original Remote Access Application registration are still valid in the migrated Connected App. Rotating the secret is good security hygiene but is not forced by the rename.
Some legacy customer integrations still hit the old Salesforce documentation URLs that redirect to the new Connected App pages. The redirects work but the URL itself may look outdated.
Updating documentation without updating the underlying mental model is a half-measure. Train the team on what a Connected App is and why the rename happened.

Trust & references

Sources

Cross-checked against the following references.

Connected Apps OverviewSalesforce Help

Official documentation

Straight from the source - Salesforce's reference material on Remote Access Application.

Connected AppsSalesforce Help
OAuth FlowsSalesforce Help

Was this entry helpful?

Help us write better definitions. Quick reactions or detailed edit suggestions.

About the Author

Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.

Test your knowledge

Q1. What is a Remote Access Application?

Q2. What should you use instead?

Q3. What does the feature do?

Discussion

Loading…

Loading discussion…

Back to Dictionary