REST API Developer Guide

Introduction to REST API
About REST API
Release Notes
Supported Editions and Required Permissions
REST Resources and Requests
REST API Architecture
Authorization Through External Client Apps or Connected Apps and OAuth 2.0
Headers
Send REST Requests with cURL
Valid Date and DateTime Formats
Status Codes and Error Responses
API End-of-Life Policy
Quick Start
Examples
Generating an OpenAPI 3.0 Document for sObjects REST API (Beta)
Reference
PDF

Authorization Through External Client Apps or Connected Apps and OAuth 2.0

For a client application to access REST API resources, it must be authorized as a safe visitor. To implement this authorization, use either an external client app or a connected app and an OAuth 2.0 authorization flow.

Creating connected apps is restricted as of Spring ‘26. You can continue to use existing connected apps during and after Spring ‘26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

See New connected apps can no longer be created in Spring ‘26 for more details.

Important

Configure an External Client App or a Connected App

Both external client apps and connected apps request access to REST API resources on behalf of the client application. For an external client app or connected app to request access, it must be integrated with your org’s REST API using the OAuth 2.0 protocol. OAuth 2.0 is an open protocol that authorizes secure data sharing between applications through the exchange of tokens.

For instructions to configure an external client app, see Create an External Client App or Enable OAuth Settings for API Integration in Salesforce Help. For more information about connected apps, see Connected Apps in Salesforce Help.

Apply an OAuth Authorization Flow

OAuth authorization flows grant a client app restricted access to REST API resources on a resource server. Each OAuth flow offers a different process for approving access to a client application, but in general the flows consist of three main steps.
  1. To initiate an authorization flow, a connected app on behalf of a client app requests access to a REST API resource.
  2. In response, an authorizing server grants access tokens to the external client app or connected app.
  3. A resource server validates these access tokens and approves access to the protected REST API resource.

After reviewing and selecting an OAuth authorization flow, apply it to your external client app or connected app. For details about each supported flow, see OAuth Authorization Flows in Salesforce Help.

More Resources

Salesforce offers the following resources to help you navigate connected apps and OAuth: