With the Summer ’24 release, Salesforce introduces “External Client Apps,” a new generation of Connected Apps designed to address previous limitations and bolster security. External Client Apps represent the future of connected apps in Salesforce, offering a more secure and streamlined method for external applications to interact with your Salesforce data.
The External Client Apps framework in Salesforce supports various OAuth flows, including:
- Client Credentials Flow
- Authorization Code and Credentials Flow
- Device Flow
- JWT Bearer Flow
- Token Exchange Flow
In this blog post, we’ll explore how to configure and test the OAuth Client Credentials Flow using the External Client Apps framework. The Client Credentials Flow provides a secure way for applications to access Salesforce data without direct user involvement. Here’s an outline of how this flow works:
- External app sends its unique client credentials (consumer key and consumer secret) to Salesforce OAuth token endpoint
- Salesforce verifies these credentials against the External Client App settings
- If valid, Salesforce returns an access token on behalf of the integration user assigned in the External Client App settings
- External app uses this access token to call Salesforce API
- Salesforce executes the API call and returns the response
Below is a pictorial representation of this flow using the Salesforce Diagramming Framework. In this guide, we will use Postman to connect to Salesforce and make API calls.

IMPORTANT: With this flow enabled, any person or app that has access to your connected app’s consumer key and consumer secret can obtain an access token. Maintain security by periodically changing your consumer secret, and update it immediately if it becomes compromised.
Additionally, note that this flow does not support refresh tokens.
Here is a step-by-step guide on how to configure & test External Client App with OAuth Client Credentials Flow in Salesforce in just under 10-15 minutes.
NOTE: Certain sections of the guide will appear as locked in the free preview. You can download the unlocked version of the guide in PDF format by subscribing to our “All Access” Pass through the link below.
References & Useful URLs
- Salesforce help article – External Client Apps
- Salesforce help article – OAuth 2.0 Client Credentials Flow for Server-to-Server Integration
Getting this error in Postman. I created the External Client App following your guide, but still no luck.
Error: oauth_flow_disabled, Description: The external client app or the OAuth plugin is disabled.
Hi Rohit, I have faced this problem too. Can you navigate to your External Client App Setting and ensure that you see the button ‘Disable OAuth’. This will mean that the OAuth is enabled. If not, then edit the configuration and enable it again.