Exercise 1: Configure the Salesforce MCP Servers

In this exercise, you'll set the default user's email address, create an External Client App so MCP clients can authenticate and connect and activate the Salesforce-hosted MCP servers.

Step 1: Set and Verify your User's Email

1. From Setup, in the Quick Find box, enter Users, then select Users.

2. Click Edit next to EPIC, OrgFarm in the user table.

3. Replace the Email value with your own email.

4. Click Save.

5. Click OK to confirm the email change.

6. Open your email inbox and look for an email from Salesforce titled "Finish changing your Salesforce account’s email address".

7. Click on the link to validate the email change.

8. Click Verify Email Address.

9. Click Continue.

   TIP

   Updating and verifying the email of your user allows you to reset your password in case you forget it and is required for a later exercise in which we'll send emails.

Step 2: Create an External Client App

1. From Setup, in the Quick Find box, enter External Client, then select External Client App Manager.

2. Click New External Client App.

3. Under Basic Information, fill in the required fields:

   Field name	Field Value
   App Name	Workshop MCP Client
   API Name	Workshop_MCP_Client (auto-filled)
   Contact Email	Your email address

4. Expand the API (Enable OAuth Settings) section and configure the following app settings:

   1. Check Enable OAuth

   2. Callback URL:

      https://mcp-playground-360-lb-75bfc079c1f3.herokuapp.com/oauth/sf/callback

   3. Selected OAuth Scopes:

      • Perform requests at any time (refresh_token, offline_access)
      • Access Salesforce hosted MCP servers (mcp_api)

5. Under Security, apply the following configuration:

   1. Uncheck these boxes:
      • Require secret for Web Server Flow
      • Require secret for Refresh Token Flow
   2. Check these boxes:
      • Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows
      • Issue JSON Web Token (JWT)-based access tokens for named users

   At this point, your configuration should look like this:

   

   TIP

   The Salesforce Hosted MCP gateway requires JWT-shaped bearer tokens. Without this setting the OAuth flow will succeed but every MCP call will be rejected with INVALID_AUTH_HEADER · INVALID_JWT_FORMAT. If this External Client App also needs to talk to the SOAP API or the Salesforce CLI, use a separate app for those APIs. They require opaque session-ID tokens and reject JWTs.

6. Click Create.

   TIP

   The External Client App can take up to 30 minutes to become available. The delay is similar to registering a new domain with DNS.

7. Click Settings, then under OAuth Settings click Consumer Key and Secret.

8. Check your inbox for a verification code email and enter the code in the form.

9. Copy the Consumer Key and Consumer Secret. Store them securely because you'll need them to connect MCP clients to your org.

Step 3: Activate Salesforce Hosted MCP Servers

1. From Setup, in the Quick Find box, enter MCP Servers, then select MCP Servers under API Catalog.

2. Click Salesforce Servers.

3. Open the sobject-all MCP server and click Activate.

4. Open the salesforce-api-context MCP server and click Activate.

5. Open the metadata-experts MCP server and click Activate.

   TIP

   Activating these servers exposes Salesforce object metadata, data, and API context to your MCP clients. We'll connect to those servers with a third party MCP client and with Agentforce Vibes.

Summary

In this exercise, you enabled the Salesforce-hosted MCP Service, activated the sobject-all and salesforce-api-context servers, and created a fully configured External Client App with the correct callback URLs, scopes, and JWT security settings. In the next exercise, you'll test these servers in the Headless 360 Playground.