Exercise 1: Configure the Salesforce MCP Servers

In this exercise, you'll enable the MCP Service (Beta) in your Salesforce org, activate the Salesforce-hosted MCP servers, and create an External Client App so MCP clients can authenticate and connect.

Step 1: Activate Salesforce Hosted MCP Servers

1. From Setup, in the Quick Find box, enter MCP Servers, then select MCP Servers.

2. Click Salesforce Servers.

3. Open the sobject-all MCP server and click Activate.

4. Open the metadata-experts MCP server and click Activate.

5. Open the salesforce-api-context MCP server and click Activate.

   TIP

   Activating these servers exposes Salesforce object metadata, data and API context to your MCP clients. We'll connect to those servers with a third party MCP client and with Agentforce Vibes.

Step 2: Create an External Client App

1. From Setup, in the Quick Find box, enter External Client, then select External Client App Manager.

2. Click New External Client App.

3. Under Basic Information, Fill in the required fields:

   Field name	Field Value
   App Name	Workshop MCP Client
   API Name	Workshop_MCP_Client (auto-filled)
   Contact Email	Your email address

4. Expand the API (Enable OAuth Settings) section and configure the following app settings:

   1. Check Enable OAuth

   2. Callback URL:

      https://mcp-playground-360-b046d6fe27bc.herokuapp.com/oauth/sf/callback

   3. Selected OAuth Scopes:

      • Perform requests at any time (refresh_token, offline_access)
      • Access Salesforce hosted MCP servers (mcp_api)

5. Under Security, apply the following configuration:

   1. Uncheck these boxes:
      • Require secret for Web Server Flow
      • Require secret for Refresh Token Flow
   2. Check these boxes:
      • Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows
      • Issue JSON Web Token (JWT)-based access tokens for named users

   At this point, your configuration should look like this:

   

   TIP

   The Salesforce Hosted MCP gateway requires JWT-shaped bearer tokens. Without this setting the OAuth flow will succeed but every MCP call will be rejected with INVALID_AUTH_HEADER · INVALID_JWT_FORMAT. If this External Client App also needs to talk to the SOAP API or the Salesforce CLI, use a separate app for those — those APIs require opaque session-ID tokens and reject JWTs.

6. Click Create.

   TIP

   The External Client App can take up to 30 minutes to become available. The delay is similar to registering a new domain with DNS.

7. Click Settings, then under OAuth Settings click Consumer Key and Secret.

8. Check your inbox for a verification code email and enter the code in the form.

9. Copy the Consumer Key and Consumer Secret. Store them securely — you'll need them to connect MCP clients to your org.

Summary

In this exercise, you enabled the Salesforce-hosted MCP Service, activated the sobject-all and salesforce-api-context servers, and created a fully configured External Client App with the correct callback URLs, scopes, and JWT security settings. In the next exercise, you'll test these servers in the Headless 360 Playground.