
Create an External Client App

Ross Belmont edited this page Oct 8, 2025 · 5 revisions

Introduction

Your Salesforce org will use an External Client App to register and enable third-party applications to integrate with your org using APIs and security controls.

Note: You need to create an External Client App to connect an MCP client. Do not attempt to use Connected Apps. Connected Apps are a legacy construct that does not work and will not be supported. External Client Apps represent the modern evolution of Connected Apps.

Create an External Client App

  1. From Setup, in the Quick Find box, enter external client, and then select External Client App Manager.
  2. Click New External Client App.
  3. Fill out the Basic Information section.
  4. In Callback URL, enter the applicable URL.
    1. Enter http://localhost:8080/oauth/callback for a local installation of an MCP client like Cursor or Claude.
    2. Enter https://claude.ai/api/mcp/auth_callback if you plan to use the web-based version of Claude. (For other clients, consult the provider’s documentation for the callback URL.)
  5. In OAuth Scopes, add the Manage user data via APIs (api), Access the Salesforce API Platform (sfap_api) and Perform requests at any time (refresh_token, offline_access) scopes. If you’re using prompt templates, add the Access Einstein GPT services (einstein_gpt_api) scope.
    1. ℹ️ This step will change when this feature becomes generally available. An additional OAuth scope will be required to use MCP.
  6. Under Security:
    1. Select Issue JSON Web Token (JWT)-based access tokens for named users.
    2. Select Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows.
    3. Deselect all other options.
  7. Click Create.
  8. Click Settings, then click Consumer Key and Secret under OAuth Settings to get the consumer key. Store the consumer key for later use.

⚠️ Note: the External Client App may not be immediately available for use with your MCP client. Depending on your geographical location, it may need up to 30 minutes to become available and operational worldwide. (It’s similar to registering a new domain with DNS.)
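
The following added example (not part of the original page and not Salesforce's code) shows what a client does with the settings above: it generates a PKCE verifier and S256 challenge per RFC 7636, builds the authorization request with the callback URL from step 4 and the scopes from step 5, and checks state on the callback. The login host, the consumer key value passed in and all function names are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the standard production login host; substitute your org's own login URL.
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
CALLBACK_URL = "http://localhost:8080/oauth/callback"  # step 4.1, must match exactly
SCOPES = ("api", "sfap_api", "refresh_token")          # step 5


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Fresh 43-character verifier (32 random bytes); generate one per login attempt."""
    return _b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier))."""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(consumer_key: str, verifier: str, state: str,
                            extra_scopes: tuple = ()) -> str:
    """Authorization-code request carrying the PKCE challenge; the verifier stays local."""
    params = {
        "response_type": "code",
        "client_id": consumer_key,
        "redirect_uri": CALLBACK_URL,
        "scope": " ".join(SCOPES + tuple(extra_scopes)),
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",  # RFC 7636 parameter name
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if no error came back and state matches."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch, discard this response")
    return query["code"][0]
```

The client keeps the verifier in memory and sends it as code_verifier when it exchanges the returned code for tokens; with PKCE required in step 6, an intercepted code is useless without it.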

Next Step

Next, you will log into your target org.

Note on Dynamic Client Registration

Dynamic client registration in OAuth is a process that allows a client application to register with an OAuth 2.0 authorization server programmatically, rather than through a manual process. Such a process would create the External Client App when the first user attempted to connect, sidestepping the setup steps outlined above.

This can be useful in consumer applications, but is problematic in the enterprise. Salesforce admins need to retain control of which applications can access their org using APIs, so dynamic client registration is not supported. Given the security challenges, there are no plans on the roadmap to pursue this direction.

Some MCP clients may only be able to authenticate via dynamic client registration, and those are not supported. Work with the vendor of that client application to explore other options that maintain the trust required to interact with Salesforce. The other clients documented here illustrate a path forward.
