Authenticate with the Data Cloud Rest API

Understand the prerequisites required to get started with the Data Cloud Rest API, also known as the Data Cloud Direct API.

Set up a connected app to authenticate and request access to Data Cloud APIs. The connected app enables standard OAuth protocols for authentication and authorization. Follow the instructions in Create a Connected App, and configure the app as needed. In your connected app, select Enable OAuth Settings and the necessary OAuth scopes. The possible scopes are:

  • cdp_query_api: Execute ANSI SQL queries against Data Cloud data.
  • cdp_profile_api: Read and write Data Cloud profile and entity data.
  • refresh_token: Obtain refresh tokens for offline access.
  • api: Access Salesforce APIs (required for token exchange).

Your orgs must be provisioned with Data Cloud licenses and users must be assigned to appropriate roles to have full access to objects in Data Cloud. Refer to User Roles and Permission Sets in Data Cloud before setting up the Connected App.

Send a request to acquire the Salesforce access token. Here’s an example request.

Refer to OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration for creating a JWT assertion.

Response Format

Use the access_token and instance_url to get a Data Cloud token. The instance_url is where you post to get a Data Cloud token.

After you've acquired the Salesforce access token, issue this request to get the Data Cloud access token to invoke the APIs.

Response Format

You need three values from the response:

  • access_token: The token used to access Data Cloud resources.
  • instance_url: The tenant-specific endpoint where Data Cloud API requests are sent.
  • expires_in: The number of seconds until the token expires and you must reauthenticate. Use this value as part of your access logic to avoid having to repeat the access steps for each call.

The Data Cloud application assigns a unique, system-generated endpoint to each of your organizations.

After you've acquired your endpoints in Data Cloud, use them for your organization's API calls. No other Data Cloud customer can use your endpoint for their API requests.

You can only use your endpoint with the c360a.salesforce.com endpoint structure.

When you need to revoke access tokens for security purposes or when decommissioning an application, you can revoke both the Salesforce access token and the Data Cloud token.

For detailed instructions on revoking tokens, see Revoke OAuth Tokens in the Salesforce Help documentation.