Create an External Client App

To integrate a third-party application with your Salesforce org through its APIs and security controls, you must register and enable the application as an External Client App.

Note: Use an External Client App to connect an MCP client to a Salesforce org. Connected Apps aren't supported.

Note: You can't create External Client Apps directly in scratch orgs using the Setup UI. To test in a scratch org, create the External Client App in a developer hub org, add it to a package, and install the package in the target scratch org.

  1. From Setup, in the Quick Find box, enter external client, and then select External Client App Manager.

  2. Click New External Client App.

  3. Fill out the Basic Information section.

  4. Expand the section labeled API (Enable OAuth Settings) and click the Enable OAuth checkbox.

  5. In Callback URL, enter the applicable URL based on your MCP client:

    • Postman: Enter https://oauth.pstmn.io/v1/callback to use Postman's MCP capability via HTTP (not STDIO). If you're using the web browser version of Postman, enter https://oauth.pstmn.io/v1/browser-callback instead. Consult Postman's documentation if you're unsure.
    • Cursor: Enter cursor://anysphere.cursor-mcp/oauth/callback
    • Claude: Enter https://claude.ai/api/mcp/auth_callback
    • ChatGPT: Copy the callback URL from ChatGPT's Advanced settings (see Configure ChatGPT for details)
    • Other clients: Consult the provider's documentation for the callback URL.
  6. In OAuth Scopes, include the following:

    • Access MCP servers (mcp_api)
    • Perform requests at any time (refresh_token)
  7. Under Security:

    • Select Issue JSON Web Token (JWT)-based access tokens for named users
    • Select Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows
    • Deselect all other options in the Security section, including:
      • Issue access tokens in access_token parameter (do not select)
      • Enable Client Credentials Flow (do not select)
      • Require Secret for Web Server Flow (do not select)
      • Require Secret for Refresh Token Flow (do not select)
      • Enable Authorization Code and Credentials Flow (do not select)
  8. Click Create.

  9. Click Settings, then click Consumer Key and Secret under OAuth Settings to get the consumer key. Store the consumer key for later use.

Note: The External Client App may not be immediately available for use with your MCP client. Depending on your geographical location, it may need up to 30 minutes to become available and operational worldwide. (It's similar to registering a new domain with DNS.)

After creating your External Client App, proceed to connect your MCP client.
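The Security settings in step 7 make the app a public client: it holds no client secret and proves possession of the authorization code through PKCE. The following sketch is an added example, not Salesforce or MCP client code. It shows the PKCE values (RFC 7636, S256) and the authorization request a client would build from the settings above. The org domain and consumer key are placeholders, and the Postman callback from step 5 is used as the redirect URI.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumptions (placeholders, not values from the page):
ORG_DOMAIN = "https://example.my.salesforce.com"     # placeholder My Domain host
CONSUMER_KEY = "PLACEHOLDER_CONSUMER_KEY"            # consumer key stored in step 9
CALLBACK_URL = "https://oauth.pstmn.io/v1/callback"  # Postman callback from step 5


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters of CSPRNG output
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(challenge: str, state: str) -> str:
    """Authorization request for a public client: no client_secret is sent."""
    params = {
        "response_type": "code",
        "client_id": CONSUMER_KEY,
        "redirect_uri": CALLBACK_URL,        # must match the registered Callback URL
        "scope": "mcp_api refresh_token",    # scopes selected in step 6
        "code_challenge": challenge,
        "code_challenge_method": "S256",     # RFC 7636 parameter
        "state": state,                      # CSRF protection for the callback
    }
    return f"{ORG_DOMAIN}/services/oauth2/authorize?{urlencode(params)}"


def verifier_matches(verifier: str, challenge: str) -> bool:
    """The comparison an authorization server makes when the code is redeemed."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    print(build_authorize_url(challenge, state=secrets.token_urlsafe(16)))
    print("code_verifier stays on the client until the token request:", verifier)
```

Because only the client that generated `code_verifier` can redeem the code, an authorization code intercepted at the callback is useless on its own, which is why the secret-based options in step 7 can stay deselected.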