Salesforce Integration Users

Salesforce's OAuth 2.0 Client Credentials Flow lets your workflows authenticate to Salesforce as a dedicated integration user instead of through a person's OAuth login. An admin creates an External Client App once, enables the flow, and picks the "Run As" user whose permissions every API call executes with — no user consent to expire, and data access that's governed entirely by that user's profile and permission sets.

This is the recommended way to use Salesforce in production workflows: nothing depends on a person staying logged in, and what the credential can touch is exactly what the integration user can touch.

Prerequisites

You need a Salesforce admin to create the External Client App and the integration user. Every API call Sim makes runs with the integration user's permissions, so plan that user's profile and permission sets deliberately.

Setting Up the External Client App

1. Create a Dedicated Integration User

In Salesforce, go to SetupUsersNew User. Set License to Salesforce Integration (the free API-only license) and Profile to Minimum Access - API Only Integrations

Create a permission set backed by the Salesforce API Integration permission set license, grant it the object and field permissions your workflows need (least privilege), and assign it to the user

If your org doesn't have Salesforce Integration licenses, any standard user with the API Enabled permission works too — but a dedicated API-only user keeps the credential's access explicit and auditable.

2. Create the External Client App

External Client Apps are Salesforce's current-generation connected apps and the default way to create new OAuth apps.

Go to SetupExternal Client App ManagerNew External Client App, give the app a name and contact email, and keep it local to your org (not packaged for distribution)

In the OAuth settings section, enable OAuth (exact labels vary by Salesforce release)

Enter any placeholder Callback URL (e.g. https://login.salesforce.com/services/oauth2/callback) — it's required by the form but unused by this flow

Add the OAuth scopes Manage user data via APIs (api) and Access unique user identifiers (openid)api is required for the flow, and openid lets Sim look up the integration user's name via the userinfo endpoint (the instance URL comes back in the token response itself)

Enable the Client Credentials Flow in the OAuth settings, acknowledge the warning, and create the app

3. Configure the Run As User

Open your app in External Client App Manager and edit its Policies

Under OAuth PoliciesClient Credentials Flow, check Enable Client Credentials Flow and set Run As to the integration user from step 1, then save

Every API call Sim makes executes with this user's permissions.

4. Copy the Consumer Key and Secret

Open the app's SettingsOAuth Settings and click Consumer Key and Secret (Salesforce prompts for identity verification). Copy the Consumer Key and Consumer Secret.

The Consumer Secret plus the Run As configuration is full API access as the integration user. Treat both values like passwords — do not commit them to source control or share them publicly. Sim encrypts them at rest.

Using an Existing Connected App (Legacy)

Creating new Connected Apps is blocked by default: since Summer '25 new orgs ship with Connected App creation disabled, and Spring '26 turned it off across all orgs — re-enabling it requires a request to Salesforce Support. Use an External Client App for new setups.

If you already have a classic Connected App, it keeps working and the credential fields are identical — the token endpoint and Sim configuration don't change. Configure it the classic way:

In SetupApp Manager, confirm the app has Enable OAuth Settings, the Manage user data via APIs (api) and Access unique user identifiers (openid) scopes, and Enable Client Credentials Flow checked

From App Manager, open the app's Manage page, click Edit Policies, and set Run As under Client Credentials Flow to your integration user. Permitted Users policies don't apply to the Client Credentials Flow's execution user, so no pre-authorization is needed

Open the app with View and click Manage Consumer Details to copy the Consumer Key and Consumer Secret

5. Find Your My Domain Host

Go to Setup and search for My Domain. The host is required — Salesforce rejects the Client Credentials Flow at login.salesforce.com and test.salesforce.com. Depending on your org type it looks like:

  • Production: yourorg.my.salesforce.com
  • Sandbox: yourorg--sandboxname.sandbox.my.salesforce.com
  • Developer Edition: yourorg-dev-ed.develop.my.salesforce.com

Sim also accepts other partitioned My Domain hosts (scratch, demo, patch, trailblaze, free). Government and military domains (*.my.salesforce.mil) aren't currently supported.

Permissions Instead of Scopes

There's no scope picking beyond the api and openid scopes on the app — what the credential can actually do is the integration user's profile plus permission sets. In particular:

  • Object and field access for every object your workflows read or write, plus API Enabled
  • Customize Application for tools that manage custom fields and custom objects (Tooling API) — a Minimum Access API-only user passes validation but fails these specific tools without it
  • Run Reports and folder access for report and dashboard tools

A permissions gap surfaces at run time as a Salesforce API error; fix it on the integration user's permission sets — no changes are needed in Sim.

Adding the Service Account to Sim

Open Integrations from your workspace sidebar

Search for "Salesforce" and open it, then click Add to Sim and choose Add integration user app

In the Add Salesforce integration user app dialog, paste the Consumer key, Consumer secret, and My Domain host (e.g. yourorg.my.salesforce.com), and optionally set a display name and description

Click Add integration user app. Sim verifies the credentials by minting a real access token against your My Domain host. A host that doesn't resolve gets its own error message; a bad consumer key or secret and a flow that isn't fully configured both surface as a general authentication error — re-check all three values and the app's Client Credentials Flow policies.

Using the Service Account in Workflows

Add a Salesforce block to your workflow. In the credential dropdown, your Salesforce service account appears alongside any OAuth credentials. Select it and configure the block as you normally would.

The block calls your org's REST API with a freshly minted access token — the same requests as the OAuth flow, so every Salesforce tool works, subject to the integration user's permissions.

Token Behavior

Access tokens from this flow have no fixed lifetime in the response — an opaque token stays valid until the Run As user's session times out (2 hours by default; configurable from 15 minutes to 24 hours in Session Settings). There is no refresh token; Sim mints a new token whenever one is needed, so session timeouts are invisible to your workflows.

Deactivating or freezing the Run As user stops all token minting with an invalid_grant error, halting every workflow that uses the credential. Password policies that expire the user's API access have the same effect. Treat the integration user as production infrastructure.

Common Questions

The credential authenticates as a dedicated API-only user, not a person — nothing expires when someone leaves or their login lapses. What it can access is exactly the integration user's profile and permission sets, which makes the credential's reach explicit and auditable.
Salesforce likely rejected the token request with invalid_grant (e.g. 'no client credentials user enabled'), which Sim reports as not being able to authenticate with those credentials. The app either doesn't have Enable Client Credentials Flow checked, or no Run As user is set. Edit the app's OAuth policies (External Client App Manager → your app → Policies, or a legacy Connected App's Manage → Edit Policies), enable the flow, and set Run As to your integration user.
Salesforce disabled new Connected App creation by default (new orgs since Summer '25, all orgs since Spring '26); re-enabling it requires a Salesforce Support request. You don't need it — create an External Client App instead (Setup → External Client App Manager), which supports the same Client Credentials Flow and produces the same consumer key and secret.
Salesforce only supports the Client Credentials Flow at your org's My Domain URL — login.salesforce.com and test.salesforce.com are explicitly rejected for this flow. Find yours under Setup → My Domain.
Every call runs as the Run As user, so the failing tool needs a permission that user doesn't have. Common gaps: Customize Application for custom field/object tools, Run Reports plus folder access for report tools, and object or field permissions for the records involved. Fix it on the integration user's permission sets and re-run.
Yes — enter the sandbox host (yourorg--sandboxname.sandbox.my.salesforce.com) or Developer Edition host (yourorg-dev-ed.develop.my.salesforce.com) as the My Domain host. Government/military domains (*.my.salesforce.mil) aren't currently supported.
Rotate the Consumer Secret from the app's OAuth settings (External Client App: Settings → OAuth Settings → Consumer Key and Secret; legacy Connected App: Manage Consumer Details), then update the credential in Sim with the new secret. If you instead recreate the app, remember to re-enable the Client Credentials Flow and re-set the Run As user before swapping the key and secret in Sim.
All token minting fails with invalid_grant and every workflow using the credential stops. Reactivate the user (or point Run As at a new integration user) and runs resume — no changes needed in Sim.

On this page