A REST API request fails with an authentication error. Postman returns an invalid client response. An external application cannot access Salesforce data even though the API endpoint is correct. In most cases, the problem isn’t the API itself. The missing piece is usually a properly configured Connected App.
When an external application needs access to Salesforce, Salesforce must know who is requesting access and what permissions should be granted. Simply knowing the username and password isn’t enough. Salesforce uses OAuth 2.0 authentication, and Connected Apps act as the bridge between Salesforce and external systems.
Whether you’re integrating Salesforce with Postman, a custom web application, MuleSoft, mobile applications, or third-party platforms, creating a Connected App is usually the first step. Without it, generating access tokens and securely calling Salesforce APIs becomes impossible.
In this guide, you’ll learn how to set up a Connected App in Salesforce for API Integration, understand how OAuth authentication works, and configure everything required for secure communication between Salesforce and external applications.
What Is a Connected App in Salesforce?
A Connected App is a framework that allows external applications to securely communicate with Salesforce using standard authentication protocols such as OAuth 2.0, OpenID Connect, and SAML.
Think of a Connected App as a trusted gateway between Salesforce and another application.
For example, if a web application wants to read Account records from Salesforce through the REST API, Salesforce first needs to verify the application’s identity. The Connected App provides that identity and controls what level of access the application receives.
Without a Connected App:
- Access tokens cannot be generated
- OAuth authentication cannot occur
- External applications cannot securely access Salesforce APIs
This is why Connected Apps are considered a core component of Salesforce integrations.
Teams working through the concepts in Salesforce REST API Tutorial for Beginners with Real Integration Examples often create a Connected App before making their first API request, because OAuth authentication depends on it.
Why Is a Connected App Required for API Integration?
Many beginners assume Salesforce APIs can be accessed directly using a username and password. While some legacy approaches exist, modern integrations rely heavily on OAuth 2.0 because it is more secure and scalable.
A Connected App provides:
- Authentication
- Authorization
- Access token generation
- Permission control
- API security
Consider a common business scenario.
A company has a custom customer portal where users can view Salesforce data without logging directly into Salesforce. The portal needs access to Account records, Contacts, and Cases.
Instead of sharing Salesforce credentials, the application authenticates through a Connected App and receives an access token.
The access token then allows the application to securely interact with Salesforce APIs.
This approach is safer and aligns with Salesforce security best practices.
How Connected App Authentication Works
Before creating a Connected App, it’s helpful to understand the authentication flow.
External Application
↓
Connected App
↓
OAuth 2.0 Authentication
↓
Consumer Key Validation
↓
Access Token Generated
↓
Salesforce REST API
↓
Salesforce Data
The process begins when an external application sends an authentication request.
Salesforce validates the Connected App configuration and OAuth settings. If everything is configured correctly, Salesforce generates an access token. The application then uses that token when making API requests.
Understanding this flow makes troubleshooting much easier later.
Common Use Cases for Connected Apps
Connected Apps are used in a wide variety of Salesforce integration projects.
One of the most common examples is Postman testing. Developers frequently create a Connected App so they can generate access tokens and test REST API endpoints before building a production integration.
Another common use case involves middleware platforms such as MuleSoft. These tools require OAuth authentication to communicate securely with Salesforce.
Mobile applications also depend heavily on Connected Apps because users need a secure way to access Salesforce data from their devices.
Similarly, custom web applications often use Connected Apps to authenticate users and retrieve Salesforce records through APIs.
If you’ve already explored Types of Salesforce Integrations: Complete Guide for Beginners, you’ll notice that many integration architectures eventually rely on a Connected App for authentication.
Before You Create a Connected App
Before starting the setup process, verify the following:
- Salesforce administrator access
- API Enabled permission
- Access to Salesforce Setup
- A callback URL
- Basic understanding of OAuth
Although a callback URL may sound complicated, it is simply the location where Salesforce sends authentication responses after login.
For testing purposes, many developers initially use:
https://login.salesforce.com/services/oauth2/success
Later, this can be replaced with the actual URL used by the application.
Step 1: Open App Manager
Log in to Salesforce and open Setup.
Inside the Quick Find box, search for:
App Manager
Then select App Manager from the Setup menu.
App Manager contains all Salesforce applications, Connected Apps, and Lightning applications.
From this screen, click:
New Connected App
This launches the Connected App configuration wizard.
Step 2: Configure Basic Information
The first section contains general application details.
Complete the following fields:
Connected App Name
My API Integration App
API Name
This field is generated automatically.
Example:
My_API_Integration_App
Contact Email
Enter an email address that Salesforce can use for notifications.
Example:
[email protected]
You can also upload a logo and provide a description, although these settings are optional.
At this stage, Salesforce simply creates the application record. API authentication settings are configured in the next step.
Step 3: Enable OAuth Settings
This is the most important section of the entire configuration.
Locate:
Enable OAuth Settings
and check the box.
Once enabled, Salesforce displays additional OAuth configuration options.
Callback URL
Enter the application’s redirect URL.
Example:
https://login.salesforce.com/services/oauth2/success
For production integrations, use the actual application callback URL.
The callback URL must match exactly what the application sends during authentication.
Even a small mismatch can cause OAuth authentication failures.
Selecting OAuth Scopes
OAuth scopes determine what the external application is allowed to do.
For most API integrations, Salesforce administrators commonly select:
Access and manage your data (api)
and
Perform requests on your behalf at any time
(refresh_token, offline_access)
The API scope allows external applications to access Salesforce APIs.
The refresh token scope allows applications to generate new access tokens without requiring users to log in repeatedly.
Choosing the correct OAuth scopes is important because they directly affect application permissions.
In the next section, we’ll configure policies, retrieve the Consumer Key and Consumer Secret, generate access tokens, and test the Connected App using Postman.
Step 4: Save the Connected App
After configuring the basic information and OAuth settings, click Save.
Salesforce doesn’t make the Connected App available immediately. In most orgs, it can take a few minutes for the configuration to become active. Many developers think something is broken because they cannot find the Consumer Key right away. However, this delay is completely normal.
Once the setup is complete, Salesforce displays a confirmation page containing the Connected App details.
At this point, the application exists, but we still need to configure security policies and retrieve the credentials required for authentication.
Step 5: Configure OAuth Policies
After saving the Connected App, open it from App Manager and click:
Manage Consumer Details
or
Manage Connected Apps
depending on your Salesforce version.
Next, open:
Edit Policies
OAuth policies control who can use the application and how authentication behaves.
One commonly used setting is:
Permitted Users
For many enterprise integrations, administrators select:
Admin approved users are pre-authorized
This provides better control because administrators decide exactly who can access the application.
Organizations following Salesforce Integration Best Practices: Complete Guide for Scalable Systems often prefer this option because it reduces the security risk of unrestricted access.
Understanding the Consumer Key and Consumer Secret
Every Connected App generates two important values:
Consumer Key
Acts like a public identifier for the application.
Consumer Secret
Acts like a password for the application.
To view them:
Setup
↓
App Manager
↓
Connected App
↓
Manage Consumer Details
You’ll see:
Consumer Key
Consumer Secret
These values are required whenever an external application requests an access token.
Never expose the Consumer Secret publicly. Anyone holding both values may be able to obtain access tokens from Salesforce if additional controls, such as the pre-authorization policy described above, are not in place.
Step 6: Generate an Access Token
After creating the Connected App, the next step is authentication.
The external application sends:
- Client ID (Consumer Key)
- Client Secret (Consumer Secret)
- Username
- Password
- OAuth parameters
Salesforce validates the request and returns an access token.
The access token is then included in future API requests.
A simplified flow looks like this:
Application
↓
Consumer Key
Consumer Secret
↓
Salesforce OAuth Endpoint
↓
Access Token Returned
↓
REST API Request
↓
Salesforce Data
Without a valid access token, Salesforce rejects API requests.
This is why Connected Apps are the foundation of secure API integrations.
Testing the Connected App Using Postman
One of the easiest ways to verify your configuration is by using Postman.
Developers commonly use Postman before building a production integration because it allows API requests to be tested quickly.
Configure:
Method
POST
URL
https://login.salesforce.com/services/oauth2/token
Body Parameters
grant_type=password
client_id=Consumer Key
client_secret=Consumer Secret
username=Your Username
password=Your Password with your Security Token appended (no separator)
After sending the request, Salesforce returns:
{
"access_token":"xxxxxxxx",
"instance_url":"https://yourorg.my.salesforce.com"
}
If you successfully receive an access token, the Connected App is working correctly.
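The same token request as a small script, added here as an example that is not part of the original article: it builds the password-grant body exactly as the Postman request above, reads the Consumer Key and Secret from environment variables rather than source (the SF_* variable names are my assumption), and turns Salesforce's success or error response into either a token or an exception carrying the OAuth error code from the table further down.

```python
import json
import os
import urllib.parse
import urllib.request
from urllib.error import HTTPError

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


class TokenError(Exception):
    """Raised with the OAuth error code Salesforce returned (e.g. invalid_grant)."""
    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error


def build_token_request(consumer_key, consumer_secret, username, password, security_token):
    # Body of the password grant; Salesforce expects password and security token concatenated.
    body = {
        "grant_type": "password",
        "client_id": consumer_key,
        "client_secret": consumer_secret,
        "username": username,
        "password": password + security_token,
    }
    return urllib.parse.urlencode(body).encode("utf-8")


def parse_token_response(status, raw_body):
    # Success carries access_token and instance_url; failures carry error/error_description.
    data = json.loads(raw_body)
    if status != 200 or "error" in data:
        raise TokenError(data.get("error", "unknown"), data.get("error_description", ""))
    return data["access_token"], data["instance_url"]


def fetch_token(token_url=TOKEN_URL):
    # Credentials come from the environment (assumed variable names) so the secret is never in code.
    env = os.environ
    payload = build_token_request(env["SF_CONSUMER_KEY"], env["SF_CONSUMER_SECRET"],
                                  env["SF_USERNAME"], env["SF_PASSWORD"], env["SF_SECURITY_TOKEN"])
    req = urllib.request.Request(token_url, data=payload, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_token_response(resp.status, resp.read())
    except HTTPError as err:  # Salesforce answers OAuth failures with HTTP 400, not 200
        return parse_token_response(err.code, err.read())
```

Calling fetch_token() with the variables set returns the (access_token, instance_url) pair; a misconfigured Consumer Key or wrong password surfaces as TokenError with the matching error code instead of a bare HTTP failure.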
This testing approach pairs well with the concepts covered in Salesforce REST API Tutorial for Beginners with Real Integration Examples, where access tokens are used to retrieve Salesforce data.
Real Project Example
I first configured a Connected App while integrating a customer portal with Salesforce. The portal needed to display Account and Contact information without requiring users to log directly into Salesforce.
Initially, every API request failed because OAuth authentication had not been configured. After creating a Connected App, enabling OAuth settings, and generating an access token, the integration started working immediately. The biggest lesson from that project was how critical OAuth scopes and callback URLs are. A single configuration mistake can prevent the entire integration from working.
Common Connected App Errors
Connected Apps are usually straightforward to configure, but several common mistakes appear repeatedly.
| Error | Cause | Solution |
|---|---|---|
| invalid_client_id | Incorrect Consumer Key | Verify Consumer Key |
| invalid_grant | Username or password issue | Check credentials |
| redirect_uri_mismatch | Callback URL mismatch | Update callback URL |
| insufficient_scope | Missing OAuth scope | Add required scopes |
| invalid_client | Incorrect Consumer Secret | Verify secret value |
| access denied | User not authorized | Review Connected App policies |
Most OAuth problems are configuration issues rather than Salesforce platform issues.
Security Best Practices
Connected Apps provide access to Salesforce data, so security should always be a priority.
Only grant the OAuth scopes that are actually required. Excessive permissions increase risk without providing additional value.
Store Consumer Secrets securely and never include them in client-side code repositories.
Use dedicated integration users whenever possible. This makes auditing and troubleshooting easier because API activity is separated from normal user activity.
Additionally, review Connected App usage regularly and remove unused applications.
Organizations building large-scale integrations often combine Connected Apps with Named Credentials (see Named Credentials vs Remote Site Settings in Salesforce) to simplify authentication management and improve security.
Connected App vs Named Credential
Many beginners confuse these two features because both are related to integrations.
| Feature | Connected App | Named Credential |
|---|---|---|
| Purpose | OAuth Authentication | Manage External Authentication |
| Used By | External Applications | Salesforce Callouts |
| Generates Consumer Key | Yes | No |
| Generates Access Tokens | Yes | No |
| Integration Direction | Into Salesforce | From Salesforce |
A simple way to remember this:
Connected Apps help external systems access Salesforce.
Named Credentials help Salesforce access external systems.
When Should You Create a Connected App?
You typically need a Connected App when:
- Building REST API integrations
- Connecting Salesforce with Postman
- Creating mobile applications
- Authenticating third-party systems
- Using OAuth 2.0 authentication
- Integrating middleware platforms
If an external application needs secure access to Salesforce data, a Connected App is usually part of the solution.
Frequently Asked Questions
What is a Connected App in Salesforce?
A Connected App allows external applications to securely access Salesforce using OAuth authentication and APIs.
Why do I need a Connected App for API integration?
Because Salesforce requires OAuth authentication before external applications can access APIs.
What is the Consumer Key?
The Consumer Key is the application’s public identifier used during OAuth authentication.
What is the Consumer Secret?
The Consumer Secret acts like a password for the application and is used during token generation.
Can I use Postman with a Connected App?
Yes. Postman is one of the most common tools used to test Connected Apps and Salesforce APIs.
Which OAuth scopes should I select?
Most API integrations require API access and refresh token permissions.
What happens if the callback URL is incorrect?
OAuth authentication will fail and Salesforce may return a redirect URI mismatch error.
Is a Connected App required for REST API access?
In most modern OAuth-based integrations, yes.
Can multiple applications use one Connected App?
Yes, although many organizations prefer separate Connected Apps for different integrations.
How long does Connected App activation take?
It usually becomes available within a few minutes after saving.
Conclusion
Understanding How to Set Up a Connected App in Salesforce for API Integration is essential for anyone working with Salesforce integrations. A Connected App acts as the foundation of OAuth authentication, allowing external applications to securely communicate with Salesforce APIs.
By configuring OAuth settings correctly, selecting appropriate scopes, securing Consumer Keys and Secrets, and testing authentication with tools like Postman, you can build reliable and secure integrations. Whether you’re connecting a web application, mobile app, middleware platform, or API testing tool, a properly configured Connected App is often the first step toward a successful Salesforce integration.