Salesforce guide for creating an OAuth app
Salesforce is a leading customer relationship management (CRM) platform that helps businesses of all sizes manage and grow their customer relationships. With the Salesforce CRM connector, you can easily connect your Salesforce account to Apideck and automate your customer relationship management workflows.
Important: Salesforce has replaced Connected Apps
As of early 2026, Salesforce has replaced Connected Apps with External Client Apps for new OAuth integrations. New Connected Apps can no longer be created by default.
If you already have a Connected App, it will continue to work — no changes are needed. For new integrations, follow the External Client App steps below.
Create your OAuth app
Go to the Salesforce Portal (https://login.salesforce.com) and sign in with your Salesforce account. If you are setting up a sandbox environment, use https://test.salesforce.com instead.
After you are logged in, navigate to Setup using the gear icon in the top-right corner. In the side menu, go to Platform Tools > Apps > App Manager.
Click the New External Client App button in the top right, then select "Create an External Client App".
Basic Information
Fill in the following required fields under the Basic Information section:
- External Client App Name: A name to identify the app, for example "Apideck". The name must be unique within your org.
- API Name: A unique identifier used to refer to the app within Salesforce. This auto-fills from the app name.
- Contact Email: The email address of the person responsible for the app.
- Distribution State: Select Local (for single-org use).
OAuth Settings
Expand the "API (Enable OAuth Settings)" section and check "Enable OAuth".
- In the Callback URL field, enter https://unify.apideck.com/vault/callback
- In the Selected OAuth Scopes field, move the following scopes to Selected:
  - "Manage user data via APIs (api)"
  - "Access unique user identifiers (openid)"
  - "Perform requests at any time (refresh_token, offline_access)"
  If you need broader access than these scopes provide, you can use the "Full access (full)" scope instead.
  Note: Scope labels in External Client Apps may differ slightly from Connected Apps, but the scope values (shown in parentheses) are the same.
- Check "Introspect All Tokens"
Flow Enablement
- Check "Enable Authorization Code and Credentials Flow"
- Leave "Require user credentials in the POST body" unchecked
Security
The Security section is where External Client Apps differ most from Connected Apps. Review each setting carefully:
- Require secret for Web Server Flow: Leave checked (default)
- Require secret for Refresh Token Flow: Uncheck this — Apideck handles token refresh without the client secret
- Require Proof Key for Code Exchange (PKCE): Leave checked (default) — Apideck fully supports PKCE
- Enable Refresh Token Rotation: Leave unchecked — Apideck stores refresh tokens; rotation would require updating the stored token on every refresh
- Issue JSON Web Token (JWT)-based access tokens: Leave unchecked
When you are finished, click Create. It can take up to 10 minutes for the new app to become active.
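As an added example (not code from Apideck or Salesforce), the Python below builds the OAuth requests that the Flow Enablement and Security settings above govern: a PKCE verifier and S256 challenge, the authorization URL using this guide's callback URL and scope values, the code exchange that still sends the client secret, and the refresh request that sends none. The consumer key is a constructed placeholder and the endpoint paths are Salesforce's standard /services/oauth2 routes.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Hosts, callback URL and scope values are the ones named in this guide
# (use https://test.salesforce.com for a sandbox). CONSUMER_KEY is a
# constructed placeholder; paste the value from "Consumer Key and Secret".
AUTH_HOST = "https://login.salesforce.com"
TOKEN_URL = f"{AUTH_HOST}/services/oauth2/token"  # POST the dicts below as form data
CALLBACK_URL = "https://unify.apideck.com/vault/callback"
SCOPES = "api openid refresh_token offline_access"
CONSUMER_KEY = "PLACEHOLDER_CONSUMER_KEY"

def make_code_verifier() -> str:
    """RFC 7636 verifier: 32 random bytes -> 43 unreserved base64url chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def code_challenge_s256(verifier: str) -> str:
    """S256 challenge = BASE64URL(SHA256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authorize_url(verifier: str, state: str) -> str:
    """Authorization request; the challenge is what the PKCE setting validates."""
    params = {
        "response_type": "code",
        "client_id": CONSUMER_KEY,
        "redirect_uri": CALLBACK_URL,
        "scope": SCOPES,
        "state": state,  # CSRF protection: check it matches on the callback
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_HOST}/services/oauth2/authorize?{urlencode(params)}"

def token_request(code: str, verifier: str, client_secret: str) -> dict:
    """Code exchange (Web Server Flow): the secret is still required, and the
    verifier proves the caller redeeming the code is the one that started it."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": CONSUMER_KEY, "client_secret": client_secret,
            "redirect_uri": CALLBACK_URL, "code_verifier": verifier}

def refresh_request(refresh_token: str) -> dict:
    """Refresh without client_secret, which is why "Require secret for Refresh
    Token Flow" must be unchecked; with rotation disabled the stored refresh
    token stays valid across refreshes."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CONSUMER_KEY}
```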
Consumer Key & Secret
After creating your External Client App, you need to retrieve the Consumer Key and Secret to connect your Salesforce account to Apideck.
- After creation, you will land on the Manage External Client Apps page (Policies tab)
- Click the Settings tab (this navigates to a separate page)
- Scroll to the OAuth Settings section
- Click the "Consumer Key and Secret" link
- Copy the Consumer Key and Consumer Secret
Tip: External Client Apps support two active credential sets (main and staged), which allows zero-downtime credential rotation. For most use cases, you only need the main credentials.
Vault Connection Setup
Go to Apideck > Configuration > CRM > Salesforce.
To connect your Salesforce account to Apideck, enter the Consumer Key & Secret from Salesforce in the relevant fields. Review the scopes granted in Salesforce to ensure that they match the scopes you are requesting in Apideck. Once you have entered your credentials, click "Save settings".
To test the connection, click the "Test Vault" button. This will verify that the connection is working properly.
After completing these steps, you can allow your clients to authorize the connection to their Salesforce accounts securely.
Troubleshooting
Token refresh fails after connecting
If the initial authorization succeeds but token refresh fails, check that "Require Secret for Refresh Token Flow" is unchecked in your External Client App's Security settings. This is the most common misconfiguration — Apideck handles token refresh without sending the client secret, so this setting must be disabled.
To fix it: go to Setup > App Manager > find your External Client App > Edit > scroll to Security > uncheck "Require Secret for Refresh Token Flow" > Save.
Authorization fails immediately
If authorization fails with a missing required code challenge error, verify that "Require Proof Key for Code Exchange (PKCE)" is checked in your app's Security settings. Apideck sends PKCE parameters during authorization, and this setting must be enabled for them to be validated.
App not yet active
After creating your External Client App, it can take up to 10 minutes for the app to become active. If authorization fails immediately after setup, wait a few minutes and try again.
Existing Connected App customers
If you previously created a Connected App for your Salesforce integration, it will continue to work without any changes. Existing Connected Apps are not affected by the transition to External Client Apps.
Migrating a Connected App to an External Client App: If you choose to migrate using Salesforce's migration tool, be aware that new credentials are generated — the old Consumer Key and Consumer Secret will no longer work. You must update your credentials in Apideck after migration.
For more details on migration, see Salesforce's Connected App to External Client App Migration guide.