Create an External Client App

An External Client App registers a third-party application with your Salesforce org and holds the OAuth settings and security policies that govern its API access. To connect an MCP client to an org, register and enable it through an External Client App.

Note: Use an External Client App to connect an MCP client to a Salesforce org. Connected Apps aren't supported.

Note: You can't create External Client Apps directly in scratch orgs using the Setup UI. To test in a scratch org, create the External Client App in a developer hub org, add it to a package, and install the package in the target scratch org.

  1. From Setup, in the Quick Find box, enter external client, and then select External Client App Manager.

  2. Click New External Client App.

  3. Fill out the Basic Information section.

  4. Expand the section labeled API (Enable OAuth Settings) and click the Enable OAuth checkbox.

  5. In Callback URL, enter the applicable URL based on your MCP client:

    • Postman: Enter https://oauth.pstmn.io/v1/callback to use Postman's MCP capability via HTTP (not STDIO). If you're using the web browser version of Postman, enter https://oauth.pstmn.io/v1/browser-callback instead. Consult Postman's documentation if you're unsure.
    • Cursor: Enter cursor://anysphere.cursor-mcp/oauth/callback
    • Claude: Enter https://claude.ai/api/mcp/auth_callback
    • ChatGPT: Copy the callback URL from ChatGPT's Advanced settings (see Configure ChatGPT for details)
    • Other clients: Consult the provider's documentation for the callback URL.
  6. In OAuth Scopes, include the following:

    • Access MCP servers (mcp_api)
    • Perform requests at any time (refresh_token)
  7. Under Security:

    • Select Issue JSON Web Token (JWT)-based access tokens for named users
    • Select Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows
    • Deselect all other options in the Security section, including:
      • Issue access tokens in access_token parameter (do not select)
      • Enable Client Credentials Flow (do not select)
      • Require Secret for Web Server Flow (do not select)
      • Require Secret for Refresh Token Flow (do not select)
      • Enable Authorization Code and Credentials Flow (do not select)
  8. Click Create.

Note: The External Client App can take up to 30 minutes to become available and operational for use with your MCP client. (The delay is similar to registering a new domain with DNS.)

  9. Click Settings, then under OAuth Settings click Consumer Key and Secret to view the consumer key. Store the consumer key for later use; the MCP client sends it as the OAuth client_id. Because Require Secret for Web Server Flow is deselected, the client doesn't need the consumer secret, but treat the secret as sensitive anyway.
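As an added illustration (not Salesforce code and not code from any MCP client vendor), the following Python shows what a client registered with the settings above actually does with them: it derives a PKCE verifier and S256 challenge, builds the authorization request with the registered callback URL and the two required scopes, validates the redirect it gets back (right callback URL, matching state, no error), and assembles the authorization-code exchange. The login URL and consumer key are placeholder assumptions; the optional client_secret parameter corresponds to the Require Secret for Web Server Flow setting, which the procedure above leaves deselected.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder assumptions for illustration: substitute your org's My Domain login URL
# and the consumer key copied from the External Client App.
LOGIN_URL = "https://example-dev-ed.develop.my.salesforce.com"
CONSUMER_KEY = "3MVG9_PLACEHOLDER_CONSUMER_KEY"
CALLBACK_URL = "https://oauth.pstmn.io/v1/callback"  # Postman's HTTP callback, as on the page
SCOPES = ("mcp_api", "refresh_token")                 # the two scopes the procedure requires


def pkce_challenge(verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> Tuple[str, str]:
    """Fresh 256-bit verifier (43 URL-safe chars) and its challenge. Only the challenge
    goes to the authorization endpoint; the verifier stays with the client."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(challenge: str, state: str, *, consumer_key: str = CONSUMER_KEY,
                        callback_url: str = CALLBACK_URL, scopes=SCOPES,
                        login_url: str = LOGIN_URL) -> str:
    """Authorization request. redirect_uri must match the Callback URL registered on the
    External Client App exactly; Salesforce rejects the request otherwise."""
    params = {
        "response_type": "code",
        "client_id": consumer_key,
        "redirect_uri": callback_url,
        "scope": " ".join(scopes),
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{login_url}/services/oauth2/authorize?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str, *,
                   callback_url: str = CALLBACK_URL) -> str:
    """Validate the redirect the client receives and return the authorization code.
    Raises ValueError if the redirect landed elsewhere, carries an error, or the state
    does not match the request this client issued."""
    parsed = urlparse(redirect_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != callback_url:
        raise ValueError("redirect did not arrive at the registered callback URL")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    return query["code"][0]


def token_request(code: str, verifier: str, *, client_secret: Optional[str] = None,
                  consumer_key: str = CONSUMER_KEY, callback_url: str = CALLBACK_URL) -> dict:
    """Form body for POST {LOGIN_URL}/services/oauth2/token. The verifier proves the caller
    is the same client that sent the challenge. client_secret is included only when
    Require Secret for Web Server Flow is enabled on the app."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": consumer_key,
        "redirect_uri": callback_url,
        "code_verifier": verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(challenge, state))
    # Constructed redirect standing in for what Salesforce sends back after user consent.
    code = parse_callback(f"{CALLBACK_URL}?code=aPrxCONSTRUCTEDCODE&state={state}", state)
    print(token_request(code, verifier))
```

The checks in parse_callback are the ones worth keeping in any hand-rolled client: an authorization code delivered to a different callback, or with a state the client never issued, should be discarded rather than exchanged.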

Enhance security before production

Before deploying your MCP integration to production, consider these additional security measures. Each one is independent of the others and can be applied according to your organization's security requirements.

Require a client secret

For web-based MCP clients, requiring a client secret adds a second layer of verification during authentication, in addition to PKCE: the MCP client must present both the consumer key and the consumer secret when it exchanges an authorization code or refreshes a token.

When to use: Web-based MCP clients whose backend can hold the secret securely on the server side.

When to avoid: Desktop applications, unless the vendor confirms secure secret storage. A secret embedded in a distributed desktop application can be recovered by decompiling the binary, at which point it no longer proves anything about the caller.

To enable:

  1. In your External Client App settings, expand the Security section.
  2. Select Require Secret for Web Server Flow (and Require Secret for Refresh Token Flow if the client should also present the secret when refreshing).
  3. Retrieve the consumer secret from Consumer Key and Secret and store it on the client's server side, for example in a secrets manager, never in client-side code or configuration that ships to users.
  4. Configure your MCP client with both the consumer key and the consumer secret.

Restrict access with a Permission Set

By default, any user in your org can self-authorize through the External Client App. You can limit access to specific users by requiring a custom Permission Set: only users who hold it can complete the OAuth flow.

When to use: When you need granular control over which users can access MCP servers through this client.

To enable:

  1. Create a custom Permission Set that includes the permissions needed for MCP server access.
  2. In your External Client App settings, navigate to OAuth Policies.
  3. Set Permitted Users to Admin approved users are pre-authorized, and add the Permission Set to the app's pre-authorization settings.
  4. Assign the Permission Set only to authorized users, and remove it when a user no longer needs MCP access.

Restrict source IP ranges

If your MCP client connects from known IP address ranges, you can restrict the External Client App so that it accepts connections only from those addresses.

When to use: When your MCP client operates from predictable, stable IP ranges.

Important: Some MCP clients operate from IP ranges that exceed Salesforce's allowlist capacity. Verify with your MCP client vendor before enabling IP restrictions.

To enable:

  1. In your External Client App settings, navigate to OAuth Policies.
  2. Add the allowed IP address ranges, and make sure the app's IP Relaxation setting enforces the restriction rather than relaxing it.
  3. Save your changes.

Shorten refresh token validity and rotate refresh tokens

By default, a refresh token remains valid until it is revoked. Shortening its validity limits the exposure window if a token is compromised, and rotation invalidates the previous refresh token each time a new one is issued, so a stolen copy stops working after the legitimate client's next refresh. Rotation requires the MCP client to persist the new refresh token after every refresh; a client that keeps using the old one fails at its next refresh and must re-authorize.

Recommended settings:

  • Refresh Token Validity: 30 days or less
  • Refresh Token Rotation: Enable to invalidate old tokens when new ones are issued

To enable:

  1. In your External Client App settings, navigate to OAuth Policies.
  2. Set Refresh Token Validity to 30 days or your preferred timeframe.
  3. Enable Refresh Token Rotation.
  4. Save your changes.
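Added example, not Salesforce code: a constructed model of the two settings above and of the client-side handling they demand. The RotatingRefreshPolicy class stands in for the org's token endpoint as the page describes it (a validity window, and with rotation on, a new refresh token per refresh with the old one revoked); the ClientTokenStore shows the one thing an MCP client must get right under rotation, which is to persist the new refresh token every time. The demo function drives a fixed clock through a successful refresh, a replay of the original token, and an expiry. Token values and the clock are constructed for the example.

```python
import secrets
import time

REFRESH_TOKEN_VALIDITY_S = 30 * 24 * 3600  # the page's recommended 30 days, in seconds


class RotatingRefreshPolicy:
    """Constructed stand-in for the org's refresh-token policy (not Salesforce's implementation).
    Tracks live refresh tokens and their issue time. With rotate=True, each refresh issues a
    new refresh token and revokes the one that was just used."""

    def __init__(self, validity_s=REFRESH_TOKEN_VALIDITY_S, rotate=True, now=time.time):
        self.validity_s = validity_s
        self.rotate = rotate
        self.now = now            # injectable clock so the behaviour can be tested offline
        self._live = {}           # refresh_token -> issued_at

    def issue(self) -> str:
        token = secrets.token_urlsafe(32)
        self._live[token] = self.now()
        return token

    def refresh(self, refresh_token: str) -> dict:
        issued_at = self._live.get(refresh_token)
        if issued_at is None:
            # Unknown, revoked, or already rotated away: the OAuth error for all three.
            return {"error": "invalid_grant"}
        if self.now() - issued_at > self.validity_s:
            del self._live[refresh_token]
            return {"error": "invalid_grant"}  # past Refresh Token Validity
        response = {"access_token": secrets.token_urlsafe(24)}
        if self.rotate:
            del self._live[refresh_token]      # old token is dead from here on
            response["refresh_token"] = self.issue()
        return response


class ClientTokenStore:
    """What the MCP client side must do: keep the newest refresh token, not the first one."""

    def __init__(self, refresh_token: str):
        self.refresh_token = refresh_token
        self.access_token = None

    def refresh(self, policy: RotatingRefreshPolicy) -> bool:
        response = policy.refresh(self.refresh_token)
        if "error" in response:
            return False  # caller must run the full authorization flow again
        self.access_token = response["access_token"]
        if "refresh_token" in response:
            # Under rotation this line is mandatory; dropping the new token locks the client out.
            self.refresh_token = response["refresh_token"]
        return True


def demo(rotate: bool = True):
    """Returns (first refresh ok, replay of original token rejected, refresh after expiry ok)."""
    clock = [1_000_000.0]
    policy = RotatingRefreshPolicy(rotate=rotate, now=lambda: clock[0])
    original = policy.issue()
    client = ClientTokenStore(original)
    first_ok = client.refresh(policy)
    replay_rejected = "error" in policy.refresh(original)   # attacker replays the original
    clock[0] += REFRESH_TOKEN_VALIDITY_S + 1                # move past the validity window
    after_expiry_ok = client.refresh(policy)
    return first_ok, replay_rejected, after_expiry_ok


if __name__ == "__main__":
    print("rotation on: ", demo(rotate=True))    # (True, True, False)
    print("rotation off:", demo(rotate=False))   # (True, False, False)
```

With rotation off, the replayed original token still works because nothing ever revoked it; that is the exposure the setting closes. Expiry behaves the same either way.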

Enable single logout

When single logout is enabled, revoking a user's Salesforce session also terminates the corresponding MCP client session. Session termination doesn't by itself revoke refresh tokens, so when offboarding a user, also revoke the user's OAuth tokens for the app or deactivate the user.

When to use: When you need immediate access revocation, such as when employees leave the organization.

To enable:

  1. In your External Client App settings, navigate to Session Settings.
  2. Enable Single Logout.
  3. Save your changes.

After creating your External Client App, proceed to connect your MCP client.