VitePress

Appearance

Step 2: Create the App

In this step, you'll register an external client app for OAuth access. Salesforce uses this app to let Claude sign in securely and call Salesforce Hosted MCP servers as the logged-in user.

Create the external client app

  1. From Setup, in the Quick Find box, enter External Client, then select External Client App Manager.

  2. Click New External Client App.

  3. Under Basic Information, enter:

    FieldValue
    App NameHeadless 360 Quick Start
    API NameHeadless_360_Quick_Start
    Contact EmailYour email address

  4. Expand API (Enable OAuth Settings).

  5. Check Enable OAuth.

  6. For Callback URL, enter Claude's callback URL:

    txt
    https://claude.ai/api/mcp/auth_callback

  7. Add these OAuth scopes:

    • Perform requests at any time (refresh_token, offline_access)
    • Access Salesforce hosted MCP servers (mcp_api)

  8. Under Security, uncheck:

    • Require secret for Web Server Flow
    • Require secret for Refresh Token Flow

  9. Under Security, check:

    • Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows
    • Issue JSON Web Token (JWT)-based access tokens for named users

    Your configuration should look similar to this, with your own app name, callback URL, and contact email:

    Screenshot showing External Client App OAuth and security settings

WARNING

Salesforce Hosted MCPs require JWT-shaped bearer tokens. If JWT-based access tokens are not enabled, OAuth can appear to succeed, but MCP calls can fail with INVALID_AUTH_HEADER or INVALID_JWT_FORMAT.

Copy the client ID

  1. Click Create.

  2. Click Settings, then under OAuth Settings click Consumer Key and Secret.

  3. Complete the email verification prompt if Salesforce asks for a code.

  4. Copy the Consumer Key into a secure temporary note. Claude uses it as the OAuth Client ID.

  5. Copy the Consumer Secret only if Claude explicitly asks for it in your environment.

TIP

The external client app can take several minutes to become available. If Claude fails with invalid_client_id, wait a few minutes and try again.

Keep these values handy

You'll use these values in the next step:

ValueWhere it comes from
Consumer KeyExternal client app OAuth settings; used as the OAuth Client ID
Salesforce MCP server URLStep 3
Claude callback URLhttps://claude.ai/api/mcp/auth_callback

Summary

You created the app that lets Claude authenticate into Salesforce. Next, connect Claude to the Salesforce Hosted MCP sobject-reads server.