Metadata API Developer Guide

Introduction to Metadata API
Using Metadata API
Reference
File-Based Calls
CRUD-Based Calls
Utility Calls
Result Objects
Metadata Types
Metadata Components and Types
Metadata Coverage Report
Unsupported Metadata Types
Special Behavior in Metadata API Deployments
Data Cloud Metadata Types
AccountRelationshipShareRule
AccountingFieldMapping
AccountingModelConfig
ActionLinkGroupTemplate
ActionPlanTemplate
ActionableListDefinition
AdvAccountForecastSet
AffinityScoreDefinition
AIApplication
AIApplicationConfig
AIScoringModelDefinition
AIUsecaseDefinition
AnalyticSnapshot
AnimationRule
ArticleType
ApexClass
ApexComponent
ApexEmailNotifications
ApexPage
ApexTestSuite
ApexTrigger
AppMenu
AppointmentAssignmentPolicy
AppointmentSchedulingPolicy
ApprovalProcess
AssignmentRules
AssessmentQuestion
AssessmentQuestionSet
Audience
AuraDefinitionBundle
AuthProvider
AutoResponseRules
BatchCalcJobDefinition
BatchProcessJobDefinition
BillingSettings
BlacklistedConsumer
Bot
BotBlock
BotTemplate
BotVersion
BrandingSet
BriefcaseDefinition
BusinessProcessGroup
CallCenter
CallCoachingMediaProvider
CampaignInfluenceModel
CaseSubjectParticle
CareBenefitVerifySettings
CareLimitType
CareSystemFieldMapping
CareProviderSearchConfig
CareRequestConfiguration
Certificate
ChatterExtension
ChoiceList
ClaimFinancialSettings
ClauseCatgConfiguration
CleanDataService
CMSConnectSource
Community (Zone)
CommerceSettings
CommunityTemplateDefinition
CommunityThemeDefinition
ConnectedApp
ContentAsset
ContextDefinition
ConversationMessageDefinition
ConversationVendorInfo
CorsWhitelistOrigin
CspTrustedSite
CustomApplication
CustomApplicationComponent
CustomFeedFilter
CustomHelpMenuSection
CustomIndex
CustomLabels
Custom Metadata Types (CustomObject)
CustomNotificationType
CustomObject
CustomObjectTranslation
CustomPageWebLink
CustomPermission
CustomSite
CustomTab
CustomValue
Dashboard
DataCategoryGroup
DataWeaveResource
DecisionTable
DecisionTableDatasetLink
DecisionMatrixDefinition
DelegateGroup
DigitalExperienceBundle
DigitalExperienceConfig
DisclosureDefinition
DisclosureDefinitionVersion
DisclosureType
DiscoveryAIModel
DiscoveryGoal
DiscoveryStory
Document
DocumentCategory
DocumentCategoryDocumentType
DocumentChecklistSettings
DocumentType
DuplicateRule
EclairGeoData
EmailServicesFunction
EmailTemplate
EmbeddedServiceBranding
EmbeddedServiceConfig
EmbeddedServiceFieldService
EmbeddedServiceFlowConfig
EmbeddedServiceLiveAgent
EmbeddedServiceMenuSettings
EnablementMeasureDefinition
EnablementProgramDefinition
EnblProgramTaskSubCategory
EntitlementProcess
EntitlementTemplate
EscalationRules
EventDelivery
EventRelayConfig
EventSubscription
ExperienceBundle
ExperiencePropertyTypeBundle (Beta)
ExplainabilityMsgTemplate
ExpressionSetDefinition
ExpressionSetMessageToken
ExpressionSetObjectAlias
ExternalAuthIdentityProvider
ExternalClientApplication
ExternalCredential
ExternalAIModel
ExternalServiceRegistration
ExtlClntAppConfigurablePolicies
ExtlClntAppGlobalOauthSettings
ExtlClntAppOauthConfigurablePolicies
ExtlClntAppOauthSettings
FeatureParameterBoolean
FeatureParameterDate
FeatureParameterInteger
FieldRestrictionRule
FlexiPage
Flow
FlowCategory
FlowDefinition
FlowTest
Folder
ForecastingFilter
ForecastingFilterCondition
ForecastingSourceDefinition
ForecastingType
ForecastingTypeSource
FuelType
FuelTypeSustnUom
FunctionReference
FundraisingConfig
GatewayProviderPaymentMethodType
GenAiFunction
GenAiPlanner
GenAiPlugin
GenAiPluginInstructionDef
GenAiPromptTemplate
GenAiPromptTemplateActv
GlobalPicklist
GlobalPicklistValue
GlobalValueSet
GlobalValueSetTranslation
Group
HomePageComponent
HomePageLayout
IdentityVerificationProcDef
IdentityVerificationProcDtl
IdentityVerificationProcFld
InboundCertificate
InboundNetworkConnection
IndustriesPricingSettings
IndustriesRatingSettings
InstalledPackage
IntegrationProviderDef
IPAddressRange
KeywordList
Layout
LearningItemType
Letterhead
LightningBolt
LightningComponentBundle
LightningExperienceTheme
LightningMessageChannel
LightningOnboardingConfig
LiveChatAgentConfig
LiveChatButton
LiveChatDeployment
LiveChatSensitiveDataRule
LoyaltyProgramSetup
ManagedContentType
ManagedEventSubscription (Beta)
ManagedTopics
MarketingAppExtension
MatchingRule
MessagingChannel
Metadata
MetadataWithContent
MfgProgramTemplate
MilestoneType
MlDomain
MLDataDefinition
MLPredictionDefinition
MobileApplicationDetail
MobileSecurityAssignment
MobileSecurityPolicy
MobSecurityCertPinConfig
ModerationRule
MutingPermissionSet
MyDomainDiscoverableLogin
NamedCredential
NavigationMenu
Network
NetworkBranding
NotificationTypeConfig
OauthCustomScope
OauthTokenExchangeHandler
OcrSampleDocument
OcrTemplate
OmniExtTrackingDef
OmniScript
OmniSupervisorConfig
OmniTrackingGroup
OutboundNetworkConnection
Package
ParticipantRole
PathAssistant
PaymentGatewayProvider
PermissionSet
PermissionSetGroup
PermissionSetLicenseDefinition (Developer Preview)
PersonAccountOwnerPowerUser
PipelineInspMetricConfig
PlatformCachePartition
PlatformEventChannel
PlatformEventChannelMember
PlatformEventSubscriberConfig
Portal
PortalDelegablePermissionSet
PostTemplate
ProductAttributeSet
PresenceDeclineReason
PresenceUserConfig
Profile
ProfileActionOverride
ProfilePasswordPolicy
ProfileSessionSetting
Prompt
PublicKeyCertificate
PublicKeyCertificateSet
Queue
QueueRoutingConfig
QuickAction
RedirectWhitelistUrl
RecommendationStrategy
RecordActionDeployment
RecordAggregationDefinition
RecordAlertCategory
RegisteredExternalService
ReferencedDashboard
RelatedRecordAssocCriteria
RelationshipGraphDefinition
RemoteSiteSetting
Report
ReportType
RestrictionRule
Role
RoleOrTerritory
SalesWorkQueueSettings
SamlSsoConfig
SchedulingObjective
SchedulingRule
Scontrol
SearchCustomization
SearchOrgWideObjectConfig
ServiceAISetupDefinition
ServiceAISetupField
ServiceChannel
ServicePresenceStatus
ServiceProcess
Settings
SharedTo
SharingBaseRule
SharingRules
SharingSet
SiteDotCom
Skill
StandardValueSet
StandardValueSetTranslation
StaticResource
SustainabilityUom
SustnUomConversion
SvcCatalogCategory
SvcCatalogFulfillmentFlow
SvcCatalogItemDef
SynonymDictionary
Territory
Territory2
Territory2Model
Territory2Rule
Territory2Type
TimelineObjectDefinition
TimeSheetTemplate
TopicsForObjects
TransactionSecurityPolicy
Translations
UiFormatSpecificationSet
UIObjectRelationConfig
UserAccessPolicy
UserAuthCertificate
UserCriteria
UserProfileSearchScope
UserProvisioningConfig
VirtualVisitConfig
WaveAnalyticAssetCollection
WaveApplication
WaveComponent
WaveDataflow
WaveDashboard
WaveDataset
WaveLens
WaveRecipe
WaveTemplateBundle
WaveXmd
WebStoreBundle
WebStoreTemplate
Workflow
WorkSkillRouting
Headers
Appendices
PDF

Newer Version Available

This content describes an older version of this product. View Latest

AuthProvider

Represents an authentication provider (auth provider). An auth provider lets users log in to Salesforce from an external service provider such as Facebook, Google, or GitHub. This type extends the Metadata metadata type and inherits its fullName field.

File Suffix and Directory Location

Authentication providers are stored in the authproviders directory. The file name matches the URL suffix, and the extension is .authprovider. For example, an auth provider with URL suffix FacebookProvider is stored in authproviders/FacebookProvider.authprovider.

Version

Authentication providers are available in API version 27.0 and later.

Special Access Rules

Only users with the Customize Application and Manage AuthProviders permissions can access this object.

Fields

Field Name Field Type Description
appleTeam string Required when using Apple as a third-party authentication provider. A 10-character team ID, obtained from an Apple developer account. Available in API version 48.0 and later.
authorizeUrl string Required when creating an OpenID Connect authentication provider. The OAuth authorization endpoint URL. Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see “Usage.”
consumerKey string The app’s key that is registered at the third-party (external) authentication provider.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see “Usage.”
consumerSecret string The consumer secret of the app that is registered at the third-party provider. After it’s set, you can’t change the value. When using create(), this field must be encrypted. To create an encrypted form of the consumer secret from plaintext:
  1. Create an authentication provider with the consumerSecret plaintext value.
  2. Save the authentication provider.
  3. Create an outbound change set that includes the authentication provider component.
The new change set .xml file has an entry in the form <consumerSecret>++XYZ++</consumerSecret> where ++XYZ++ is the encrypted secret.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see Usage.

If a consumer secret is defined on an authentication provider, the consumer secret is always exported as a placeholder value, not as an encrypted secret.
controlPlane MuleSoftControlPlane (enumeration of type string) Required when using MuleSoft as a third-party authentication provider. Environment where the MuleSoft Anypoint Platform control plane is hosted. The control plane is the part of the Anypoint Platform architecture that includes Anypoint Exchange and determines the login URL. If you select User-Specified, you must enter the Consumer Key and Consumer Secret. Obtain the values from the MuleSoft connected app that you created to store the authentication details for your Salesforce org. Available in API version 57.0 and later. Valid values include:
  • None—User-specified control plane. If you select None, you must enter the Consumer Key and Consumer Secret. Obtain the values from the MuleSoft connected app that you created to store the authentication details for your Salesforce org.
  • US—US control plane
  • EU—EU control plane
customMetadataTypeRecord string Required when creating a custom authentication provider plug-in. The API name of the custom authentication provider. Available in API version 36.0 and later.
defaultScopes string For OpenID Connect authentication providers, the scopes to send with the authorization request, if not specified when a flow starts. Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. See “Usage.”
ecKey string Required when using Apple as a third-party authentication provider. A private key generated by Apple. Available in API version 48.0 and later.
errorUrl string A custom error URL for the authentication provider to use to report errors.
executionUser string

Required when specifying a registration handler class. The username of the Salesforce admin or system user who runs the Apex handler, which provides the context in which the Apex handler runs. For example, if the Apex handler creates a contact, the creation can be easily traced back to the registration process. In production, use a system user. The user must have the Manage Users permission. Available in API version 27.0 and later.
friendlyName string Required. A user-friendly name for the authentication provider.
iconUrl string The path to an icon to use as a button on the login page. Users click the button to log in with the associated authentication provider, such as Twitter or Facebook. Available in API version 32.0 and later.
idTokenIssuer string The source of the authentication token in https: URI format. This field is available when configuring an OpenID Connect or Microsoft authentication provider. If provided, Salesforce validates the returned id_token value. OpenID Connect requires returning an id_token value with the access_token value. Available in API version 30.0 and later.
includeOrgIdInIdentifier boolean Used to differentiate between users with the same user ID from two sources (such as two sandboxes). If enabled (true), Salesforce stores the org ID of the third-party identity in addition to the user ID. After you enable this setting, you can’t disable it. Applies only to a Salesforce-managed auth provider. Available in API version 32.0 and later.
isPkceEnabled boolean Indicates whether the OAuth 2.0 Proof Key for Code Exchange (PKCE) security extension is enabled (true) or not (false). You can enable PKCE for these providerType values.
  • Custom
  • Facebook
  • Google
  • Microsoft
  • OpenIdConnect
  • Salesforce.

This field is available in API version 59.0 and later.
linkKickoffUrl string The URL for linking existing Salesforce users to a third-party account. This field is read-only. Available in API version 43.0 and later.
logoutUrl string The destination for users after they log out if they authenticated using single sign-on. The URL must be fully qualified with an http or https prefix, such as https://acme.my.salesforce.com. Available in API version 33.0 and later.
oauthKickoffUrl string The URL for obtaining OAuth access tokens for a third party. This field is read-only. Available in API version 43.0 and later.
paramForwardAllowlist AuthProvParamFwdAllowlist[] An allowlisted URL parameter that can be forwarded from the authentication provider's client configuration URLs to the authorization URL. Available in API version 62.0 and later.
plugin string An existing Apex class that extends the Auth.AuthProviderPluginClass abstract class. Available in API version 36.0 and later.
portal string This field is used only with portals, which are deprecated. Salesforce doesn’t support creating portals, but existing portals are supported.
providerType AuthProviderType (enumeration of type string) Required. The third-party authentication provider to use. Valid values include:
  • Apple
  • Bitbucket—Provides authentication for a Bitbucket provider. Enables you to connect to Bitbucket from a Lightning Platform application. When logged in to Bitbucket, the app can makes calls to Bitbucket APIs. The Bitbucket provider isn’t available as an SSO provider, so users can’t log in to a Salesforce org using their Bitbucket login credentials. Available in API version 61.0 and higher.
  • Custom—A provider configured with a custom authentication provider plug-in. Available in API version 36.0 and later.
  • Facebook.
  • GitHub—Provides authentication for a GitHub provider. Used to log in users of your Lightning Platform app to GitHub using OAuth. When logged in to GitHub, your app can make calls to GitHub APIs. The GitHub provider isn’t available as an SSO provider, so users can’t log in to your Salesforce org using their GitHub login credentials. Available in API version 35.0 and later.
  • Google.
  • Janrain.
  • LinkedIn. Available in API version 32.0 and later.
  • Microsoft—Provides authentication for all services that can be accessed via Microsoft Azure Active Directory. Available in API version 55.0 and later.
  • MicrosoftACS—Microsoft Access Control Service typically provides authentication for a Microsoft Office 365 service, like SharePoint Online. The MicrosoftACS provider doesn't support SSO. Available in API version 31.0 and later.
  • MuleSoft. Available in API version 57.0 and later.
  • OpenIdConnect. Available in API version 29.0 and later.
  • Salesforce.
  • Slack. Available in API version 54.0 and later.
  • Twitter. Available in API version 32.0 and later.
registrationHandler string An existing Apex class that implements the Auth.RegistrationHandler interface.
requireMfa boolean Requires multi-factor authentication (MFA) for single sign-on with this auth provider based on the MFA status of each user. For this setting to trigger MFA, you must apply MFA directly to users via one of two methods. 1) Enable the org setting Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org. 2) Assign the user permission multi-factor authentication for User Interface Logins.
sendAccessTokenInHeader boolean If enabled (true), the access token is sent to the UserInfoUrl in a header instead of a query string. Available in API version 30.0 and later.
sendClientCredentialsInHeader boolean Required when creating an OpenID Connect authentication provider. If enabled (true), the client credentials are sent in a header to the tokenUrl instead of a query string. The credentials are in the standard OpenID Connect Basic Credentials header format, which is Basic <token>, where <token> is the base64-encoded string "clientkey:clientsecret". Available in API version 30.0 and later.
sendSecretInApis boolean
Determines whether the encrypted consumer secret appears in API responses. If enabled (default), the secret appears in the response. If disabled (false), responses don’t include the consumer secret. For security, you can disable the setting. However, keep in mind that:
  • By disabling this setting, the consumer secret is excluded from API responses in all API versions.
  • Change sets and other metadata deployments break because both the consumer key and secret are expected. To fix this problem, insert the consumer key manually during deployment.
Available in API version 47.0 and later.

The consumer secret is always included in the response as a placeholder value, regardless of the value provided for sendSecretInApis.

ssoKickoffUrl string The URL for performing single sign-on into Salesforce from a third party by using its third-party credentials. This field is read-only. Available in API version 43 and later.
tokenUrl string The OAuth token endpoint URL of an OpenID Connect authentication provider. Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see “Usage.”
userInfoUrl string The OpenID Connect endpoint URL of the OpenID Connect authentication provider. Available in API version 29.0 and later.

In API version 33.0 and later, for Salesforce-managed auth providers, leave the field blank to let Salesforce supply and manage the value. For details, see “Usage.”

AuthProvParamFwdAllowlist

Represents an allowlisted URL parameter that can be forwarded from authentication provider client configuration URLs to the authorization URL. Use this type to add custom functionality to authentication providers. For example, allowlist a ui_locales parameter and use it to send a user's language preference from Salesforce to the third-party provider's login page.

Filed Name Field type Description
description string A description for the allowlisted URL parameter.
param string The name of the parameter, such as ui_locales or login_hint.

Declarative Metadata Sample Definition

Starting in November 2022, enter the consumerSecret value as plaintext, for example, <consumerSecret>yourplaintextconsumersecret</consumerSecret>. Existing consumer secrets that were entered as encrypted values can be deployed throughout the Winter ‘23 release.

Note

1<?xml version="1.0" encoding="UTF-8"?>
2<AuthProvider xmlns="http://soap.sforce.com/2006/04/metadata">
3    <consumerKey>yourappkey</consumerKey>
4    <consumerSecret>PwdVxXjzu3NCZ3MD4He+wA==</consumerSecret>
5    <executionUser>admin@your.org</executionUser>
6    <friendlyName>FacebookAuthProvider</friendlyName>
7    <providerType>Facebook</providerType>
8    <registrationHandler>RegistrationHandler</registrationHandler>
9    <sendSecretInApis>true</sendSecretInApis>     
10</AuthProvider>
This example package manifest references the previous AuthProvider definition.
1<?xml version="1.0" encoding="UTF-8"?>
2<Package xmlns="http://soap.sforce.com/2006/04/metadata">
3    <types>
4        <members>FacebookAuthProvider</members>
5        <name>AuthProvider</name>
6    </types>
7    <version>28.0</version>
8</Package>

Usage

Salesforce provides default authentication providers, called Salesforce-managed auth providers, to simplify setting up these service providers for authentication.

  • Apple
  • Bitbucket
  • Facebook
  • GitHub
  • Google
  • Janrain
  • LinkedIn
  • Microsoft
  • Microsoft Access Control Service
  • MuleSoft
  • Salesforce
  • Slack

To use a Salesforce-managed auth provider, leave these fields blank when creating your auth provider from the Auth. Provider Setup page.

  • authorizeUrl
  • consumerKey
  • consumerSecret
  • defaultScopes
  • tokenURL
  • userInfoUrl

If you provide a value for one of these fields, you must also provide a value for consumerKey and consumerSecret.

Note

Wildcard Support in the Manifest File

This metadata type supports the wildcard character * (asterisk) in the package.xml manifest file. For information about using the manifest file, see Deploying and Retrieving Metadata with the Zip File.