Salesforce's OAuth 2.0 Client Credentials Flow lets your workflows authenticate to Salesforce as a dedicated integration user instead of through a person's OAuth login. An admin creates an External Client App once, enables the flow, and picks the "Run As" user whose permissions every API call executes with — no user consent to expire, and data access that's governed entirely by that user's profile and permission sets.
This is the recommended way to use Salesforce in production workflows: nothing depends on a person staying logged in, and what the credential can touch is exactly what the integration user can touch.
Prerequisites
You need a Salesforce admin to create the External Client App and the integration user. Every API call Sim makes runs with the integration user's permissions, so plan that user's profile and permission sets deliberately.
Setting Up the External Client App
1. Create a Dedicated Integration User
In Salesforce, go to Setup → Users → New User. Set License to Salesforce Integration (the free API-only license) and Profile to Minimum Access - API Only Integrations
Create a permission set backed by the Salesforce API Integration permission set license, grant it the object and field permissions your workflows need (least privilege), and assign it to the user
If your org doesn't have Salesforce Integration licenses, any standard user with the API Enabled permission works too — but a dedicated API-only user keeps the credential's access explicit and auditable.
2. Create the External Client App
External Client Apps are Salesforce's current-generation connected apps and the default way to create new OAuth apps.
Go to Setup → External Client App Manager → New External Client App, give the app a name and contact email, and keep it local to your org (not packaged for distribution)
In the OAuth settings section, enable OAuth (exact labels vary by Salesforce release)
Enter any placeholder Callback URL (e.g. https://login.salesforce.com/services/oauth2/callback) — it's required by the form but unused by this flow
Add the OAuth scopes Manage user data via APIs (api) and Access unique user identifiers (openid) — api is required for the flow, and openid lets Sim look up the integration user's name via the userinfo endpoint (the instance URL comes back in the token response itself)
Enable the Client Credentials Flow in the OAuth settings, acknowledge the warning, and create the app
3. Configure the Run As User
Open your app in External Client App Manager and edit its Policies
Under OAuth Policies → Client Credentials Flow, check Enable Client Credentials Flow and set Run As to the integration user from step 1, then save
Every API call Sim makes executes with this user's permissions.
4. Copy the Consumer Key and Secret
Open the app's Settings → OAuth Settings and click Consumer Key and Secret (Salesforce prompts for identity verification). Copy the Consumer Key and Consumer Secret.
The Consumer Secret plus the Run As configuration is full API access as the integration user. Treat both values like passwords — do not commit them to source control or share them publicly. Sim encrypts them at rest.
Using an Existing Connected App (Legacy)
Creating new Connected Apps is blocked by default: since Summer '25 new orgs ship with Connected App creation disabled, and Spring '26 turned it off across all orgs — re-enabling it requires a request to Salesforce Support. Use an External Client App for new setups.
If you already have a classic Connected App, it keeps working and the credential fields are identical — the token endpoint and Sim configuration don't change. Configure it the classic way:
In Setup → App Manager, confirm the app has Enable OAuth Settings, the Manage user data via APIs (api) and Access unique user identifiers (openid) scopes, and Enable Client Credentials Flow checked
From App Manager, open the app's Manage page, click Edit Policies, and set Run As under Client Credentials Flow to your integration user. Permitted Users policies don't apply to the Client Credentials Flow's execution user, so no pre-authorization is needed
Open the app with View and click Manage Consumer Details to copy the Consumer Key and Consumer Secret
5. Find Your My Domain Host
Go to Setup and search for My Domain. The host is required — Salesforce rejects the Client Credentials Flow at login.salesforce.com and test.salesforce.com. Depending on your org type it looks like:
- Production:
yourorg.my.salesforce.com - Sandbox:
yourorg--sandboxname.sandbox.my.salesforce.com - Developer Edition:
yourorg-dev-ed.develop.my.salesforce.com
Sim also accepts other partitioned My Domain hosts (scratch, demo, patch, trailblaze, free). Government and military domains (*.my.salesforce.mil) aren't currently supported.
Permissions Instead of Scopes
There's no scope picking beyond the api and openid scopes on the app — what the credential can actually do is the integration user's profile plus permission sets. In particular:
- Object and field access for every object your workflows read or write, plus API Enabled
- Customize Application for tools that manage custom fields and custom objects (Tooling API) — a Minimum Access API-only user passes validation but fails these specific tools without it
- Run Reports and folder access for report and dashboard tools
A permissions gap surfaces at run time as a Salesforce API error; fix it on the integration user's permission sets — no changes are needed in Sim.
Adding the Service Account to Sim
Open Integrations from your workspace sidebar
Search for "Salesforce" and open it, then click Add to Sim and choose Add integration user app
In the Add Salesforce integration user app dialog, paste the Consumer key, Consumer secret, and My Domain host (e.g. yourorg.my.salesforce.com), and optionally set a display name and description
Click Add integration user app. Sim verifies the credentials by minting a real access token against your My Domain host. A host that doesn't resolve gets its own error message; a bad consumer key or secret and a flow that isn't fully configured both surface as a general authentication error — re-check all three values and the app's Client Credentials Flow policies.
Using the Service Account in Workflows
Add a Salesforce block to your workflow. In the credential dropdown, your Salesforce service account appears alongside any OAuth credentials. Select it and configure the block as you normally would.
The block calls your org's REST API with a freshly minted access token — the same requests as the OAuth flow, so every Salesforce tool works, subject to the integration user's permissions.
Token Behavior
Access tokens from this flow have no fixed lifetime in the response — an opaque token stays valid until the Run As user's session times out (2 hours by default; configurable from 15 minutes to 24 hours in Session Settings). There is no refresh token; Sim mints a new token whenever one is needed, so session timeouts are invisible to your workflows.
Deactivating or freezing the Run As user stops all token minting with an invalid_grant error, halting every workflow that uses the credential. Password policies that expire the user's API access have the same effect. Treat the integration user as production infrastructure.