Configure Postman

Postman can be configured to authenticate with the Salesforce hosted MCP server using OAuth 2.0 with PKCE (Proof Key for Code Exchange).

  1. Open Postman and create a new request.

  2. Click the icon next to the label Untitled Request and select MCP.

  3. In the main text input below the Untitled Request label, switch the dropdown value from STDIO to HTTP and paste the URL of your chosen MCP server.

    Server URL format:

    • For a All production orgs: https://api.salesforce.com/platform/mcp/v1/<SERVER-NAME>
    • For sandbox or scratch orgs: https://api.salesforce.com/platform/mcp/v1/sandbox/<SERVER-NAME>

    Example: To use the platform/sobject-all server in a sandbox org:

  4. Navigate to the Authorization tab.

  5. Set Auth Type to OAuth 2.0.

  6. Set Add authorization data to to Request Headers.

  7. Click Configure New Token in the right-hand pane and enter the following values:

    • Token Name: Enter a descriptive name (example: Postman Sandbox)

    • Grant Type: Select Authorization Code (With PKCE)

    • Callback URL: Leave the callback URL in place, and ensure it matches the callback URL in the External Client App

      • Desktop Postman: https://oauth.pstmn.io/v1/callback
      • Web browser Postman: https://oauth.pstmn.io/v1/browser-callback
      • Check the box for Authorize using browser

    • Auth URL: Enter the authorization URL based on org type:

      • Production orgs: https://login.salesforce.com/services/oauth2/authorize
      • Sandbox/scratch org: https://test.salesforce.com/services/oauth2/authorize

    • Access Token URL: Enter the token URL based on org type:

      • Production orgs: https://login.salesforce.com/services/oauth2/token
      • Sandbox/scratch org: https://test.salesforce.com/services/oauth2/token

    • Client ID: Paste the consumer key that you saved from the external client app

    • Client Secret: Leave this blank (PKCE enables you to omit the client secret)

    • Code Challenge Method: Select SHA-256

    • Code Verifier: Leave blank (automatically generated)

    • Scope: mcp_api refresh_token

    • State: Leave blank

    • Client Authentication: Select Send client credentials in body

  8. Click Get New Access Token. A browser window opens for Salesforce authentication.

  9. Log in with your Salesforce credentials if needed, and authorize the application when prompted.

    Note: You may need to enable pop-up windows in your browser.

  10. When you return to Postman, click the Use Token button if presented with the Manage Access Tokens modal window so that Postman can capture and use the token.

You can now test the connection to the MCP server using Postman's request features. See Testing with Postman for examples.