Salesforce

The Salesforce auth provider enables tools and agents to call Salesforce APIs on behalf of a user.

What’s documented here

This page describes how to use and configure Salesforce auth with Arcade.

This is used by:

Create a Salesforce app

When using your own app credentials, make sure you configure your project to use a custom user verifier. Without this, your end-users will not be able to use your app or agent in production.

Salesforce Spring ‘26 Update: Starting Spring ‘26, Salesforce is recommending External Client Apps instead of Connected Apps for new OAuth integrations. If you haven’t created an app yet, use an External Client App - the OAuth configuration is identical and works the same way with Arcade. Existing Connected Apps will continue to work without any changes.

For this guide, we’ll create an External Client App. Make sure to follow the instructions below while you create your External Client App.

When creating your app, make sure to:

  • Under “API (Enable OAuth Settings)”, check the Enable OAuth option
  • Set the callback URL to the redirect URL generated by Arcade (see below), or set any temporary URL for now; you can change it later.
  • In the OAuth Scopes section, add the two following scopes:
    • “Manage Data Via APIs (api)”
    • “Perform requests at any time (refresh_token, offline_access)”
  • Check “Enable Token Exchange Flow” and keep “Require secret for Token Exchange Flow” checked as well.
  • Check “Enable Refresh Token Rotation”
  • Leave all other settings as default and save your app

Right after creating the app, Salesforce will redirect you to the app’s page. In the “Settings” tab, under “OAuth Settings”, click the “Consumer Key and Secret” button. It will open a page showing the Consumer Key and Consumer Secret values. Take note of these values; you will need them to configure Salesforce in Arcade.

Go back to the app’s page, click the Policies tab, and follow the instructions below:

  • Under “OAuth Settings”, select the custom OAuth scopes listed in the Create and Assign Custom Scopes to your External Client App section.
  • In the “App Authorization” area:
    • Under “Refresh Token Policy”, check the option “Refresh token is valid until revoked”.
    • In “IP Relaxation”, select Relax IP Restrictions.
  • Click the “Save” button to save your changes.

With that, your Salesforce app is ready to be used with Arcade.

Get your Salesforce Org Subdomain

Follow the steps below to find your Salesforce Org Subdomain:

  1. In the Setup menu, click on Quick Find in the top left corner and type "my domain".
  2. In the search results, under Company Settings, click on My Domain.
  3. Under My Domain Details, check the value of the Current My Domain URL field.

Your Salesforce Org Subdomain is the value before the .my.salesforce.com part. For example, if your Salesforce domain is https://acme-inc.my.salesforce.com, your Salesforce Org Subdomain is acme-inc. If you have a developer account, your URL might look like https://acme-inc.develop.my.salesforce.com. In this case, your Salesforce Org Subdomain is acme-inc.develop.

Take note of your Salesforce Org Subdomain. You will need this value in the next steps.
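The subdomain ends up in the host of every OAuth and API URL, including the one the user's bearer token is sent to, so it is worth validating before it is stored as a secret. As an added example (not Arcade's or Salesforce's own code; the function names and the DNS-label rule are assumptions), this derives the subdomain from the My Domain URL and builds the endpoint URLs this page enters in the provider configuration:

```python
import re
from urllib.parse import urlsplit

# Suffix that every My Domain host on this page ends with.
MY_DOMAIN_SUFFIX = ".my.salesforce.com"
# One DNS label: letters, digits, inner hyphens (assumed rule for this example).
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def org_subdomain(my_domain_url: str) -> str:
    """Return the org subdomain from a 'Current My Domain URL' value."""
    parts = urlsplit(my_domain_url.strip())
    if parts.scheme != "https":
        raise ValueError("My Domain URL must use https")
    if parts.username or parts.password or parts.port:
        raise ValueError("unexpected userinfo or port in My Domain URL")
    host = (parts.hostname or "").lower()
    # Suffix match on the parsed host rejects lookalikes such as
    # acme-inc.my.salesforce.com.example.net
    if not host.endswith(MY_DOMAIN_SUFFIX):
        raise ValueError(f"host does not end with {MY_DOMAIN_SUFFIX}")
    subdomain = host[: -len(MY_DOMAIN_SUFFIX)]
    labels = subdomain.split(".")
    if not subdomain or not all(LABEL.fullmatch(label) for label in labels):
        raise ValueError("invalid org subdomain")
    return subdomain


def oauth_endpoints(subdomain: str) -> dict[str, str]:
    """Build the endpoint URLs for the Arcade provider form."""
    # Round-trip through org_subdomain so a hand-typed value is validated too.
    subdomain = org_subdomain(f"https://{subdomain}{MY_DOMAIN_SUFFIX}")
    base = f"https://{subdomain}{MY_DOMAIN_SUFFIX}/services/oauth2"
    return {
        "authorization": f"{base}/authorize",
        "token": f"{base}/token",
        "refresh_token": f"{base}/token",
        "introspection": f"{base}/introspect",
    }
```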

Set the Salesforce Org Subdomain Secret

Refer to the previous step to find your Salesforce Org Subdomain.

Set the SALESFORCE_ORG_SUBDOMAIN secret in the Arcade Dashboard:

  • Click on the “Secrets” section in the Arcade Dashboard left-side menu.
  • Click on the “Add Secret” button.
  • Enter SALESFORCE_ORG_SUBDOMAIN as the secret ID.
  • Enter your Salesforce Org Subdomain as the secret value.
  • Click on the “Create” button.

Create and Assign Custom Scopes to your External Client App

The Salesforce API requires the app developer to create OAuth custom scopes defining granular permissions for their application to authorize.

The custom scopes listed below are only required if you are using the Arcade Salesforce MCP Server.

If you’re creating your own custom Salesforce tools or using Arcade to authorize and call Salesforce APIs directly, you are free to define the custom scope(s) that best fit your application’s use cases. Note that you must have at least one custom scope assigned to your Salesforce app in order to use the Salesforce API.

The custom scopes required by the Arcade Salesforce MCP Server are listed below, along with their descriptions:

  • read_account: Read access to account data.
  • read_contact: Read access to contact data.
  • read_lead: Read access to lead data.
  • read_note: Read access to note data.
  • read_opportunity: Read access to opportunity data.
  • read_task: Read access to task data.
  • write_contact: Write access to create contacts.

Follow the Create an OAuth Custom Scope and Assign an OAuth Custom Scope to an External Client App Salesforce documentation to understand how to define and assign these scopes to your Salesforce app.

The scope names aren’t really attached to any endpoint or action. It’s the developer’s job to honor the permissions communicated to the user when authorizing the app. You could, in theory, assign one single scope (e.g. fullaccess) and use it to query any Salesforce API endpoint.

Configuring Salesforce Auth

Configure Salesforce Auth Using the Arcade Dashboard GUI

Access the Arcade Dashboard

Go to the Arcade Dashboard and log in with your Arcade credentials.

  • Under the Connections section of the Arcade Dashboard left-side menu, click Connected Apps.
  • Click Add OAuth Provider in the top right corner.
  • Select the Custom Provider tab at the top.

Enter the provider details

  • Enter salesforce as the ID for your provider (the ID must be salesforce to use the Arcade Salesforce MCP Server).
  • Optionally enter a Description.
  • Enter your Client ID (Consumer Key) and Client Secret (Consumer Secret) from your Salesforce External Client App.
  • Note the Redirect URL generated by Arcade. This must be set as your Salesforce External Client App’s callback URL.

Configure the auth endpoints

Replace salesforce-org-subdomain with your Salesforce Org Subdomain.

  • Enter the auth endpoints:
    • Authorization Endpoint: https://salesforce-org-subdomain.my.salesforce.com/services/oauth2/authorize
    • Token Endpoint: https://salesforce-org-subdomain.my.salesforce.com/services/oauth2/token
  • Under Refresh Token Settings:
    • Enter the Refresh Token Endpoint: https://salesforce-org-subdomain.my.salesforce.com/services/oauth2/token
    • In Response Content Type, select application/json.
  • Under Token Introspection Settings:
    • Check the Enable Token Introspection option.
    • Enter the Token Introspection Endpoint: https://salesforce-org-subdomain.my.salesforce.com/services/oauth2/introspect
    • In HTTP Method, select POST
    • In Authentication Method, select Client Secret Basic
    • In Request Content Type, select application/x-www-form-urlencoded.
    • Under Request Parameters section, add the following key-value pair:
      • Key: token
      • Value: {{access_token}}
    • In Response Content Type, select application/json.
    • In Expiration Format, select Absolute Unix Timestamp.
    • Under the Response Map section:
      • Set the expires_in field to $.exp
      • Set the scope field to $.scope
      • Leave the other fields as default
    • Under Triggers section, enable the On Token Grant and On Token Refresh options.
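What the introspection settings above amount to on the wire, as an added example that is not Arcade's own code: the POST request those settings describe, and how the mapped `exp` and `scope` fields are read. The function names, credential strings and sample payload are constructed for illustration.

```python
import base64
import time
from urllib.parse import urlencode


def build_introspection_request(subdomain, client_id, client_secret, access_token):
    """Return (url, headers, body) for the introspection POST configured above."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return (
        f"https://{subdomain}.my.salesforce.com/services/oauth2/introspect",
        {
            # Client Secret Basic: Consumer Key and Secret in an HTTP Basic header
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        urlencode({"token": access_token}),  # request parameter token={{access_token}}
    )


def read_introspection(payload, required_scopes, now=None):
    """Apply the response map ($.exp, $.scope) and decide if the token is usable."""
    now = time.time() if now is None else now
    if payload.get("active") is not True:
        return {"usable": False, "reason": "inactive"}
    exp = payload.get("exp")  # absolute Unix timestamp, not a lifetime in seconds
    if not isinstance(exp, (int, float)) or exp <= now:
        return {"usable": False, "reason": "expired"}
    granted = set(str(payload.get("scope", "")).split())  # space-delimited string
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return {"usable": False, "reason": "missing scopes", "missing": missing}
    return {"usable": True, "expires_in": int(exp - now), "scopes": sorted(granted)}


# Constructed sample response, shaped like an RFC 7662 introspection reply.
SAMPLE = {
    "active": True,
    "scope": "read_account read_contact api refresh_token",
    "exp": 1_700_003_600,
    "token_type": "access_token",
}
```

Treating `exp` as a lifetime rather than an absolute timestamp would make every token look valid for decades, which is why the Expiration Format setting matters.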

Optional Auth Settings

  • Under PKCE Settings, check the Enable PKCE option if you have enabled PKCE when creating your Salesforce app.
  • Leave the Authorization Settings and Token Settings sections as default.

Create the provider

Click the Create button and the provider will be ready to be used.

Using the Arcade Salesforce MCP Server

The Arcade Salesforce MCP Server provides tools to interact with various Salesforce objects, such as accounts, contacts, leads, opportunities, notes, tasks, email messages, call logs, etc.

Refer to the MCP Server documentation and examples to learn how to use the Server to build agents and AI apps that interact with Salesforce services.

Check our introductory documentation to understand what tools are and how tool calling works.

Calling Salesforce APIs directly

Use the Salesforce auth provider to get a user authorization token and call Salesforce API endpoints directly, without the use of any tools. See How Arcade helps with Agent Authorization to understand how this works.

Prerequisites

  1. Create an Arcade account.
  2. Get an Arcade API key.
  3. Set the ARCADE_API_KEY environment variable (export ARCADE_API_KEY=<your-api-key> on Bash, $env:ARCADE_API_KEY="<your-api-key>" on PowerShell).
  4. Make sure to have Python 3.10+ or Node.js 18+ installed.

Install the Arcade Python Client

Python
pip install arcadepy

Import necessary modules and instantiate the client

Create a new script called salesforce_example.py. Import the necessary modules and instantiate the client:

The service is available at http://localhost:9099 by default. Replace the host and port, if necessary, to match your environment.

Python
import requests
from arcadepy import Arcade
client = Arcade(base_url="http://localhost:9099")  # Automatically finds the `ARCADE_API_KEY` env variable

Set the values required for the Salesforce API call

Python
salesforce_provider_id = "salesforce"
salesforce_org_subdomain = "salesforce-org-subdomain"
user_id = "{arcade_user_id}"
scopes = ["read_account"]

Here’s a breakdown of each value:

Start the authorization process and wait for completion

The script will prompt the user to open a URL and authorize the app to access their Salesforce data. At the end of the auth process, you will have a token that can be used to call Salesforce APIs on behalf of that user.

Python
auth_response = client.auth.start(
    user_id=user_id,
    provider=salesforce_provider_id,
    scopes=scopes,
)
if auth_response.status != "completed":
    print("Please complete the authorization challenge in your browser:")
    print(auth_response.url)
# Wait for the authorization to complete
auth_response = client.auth.wait_for_completion(auth_response)
token = auth_response.context.token
if not token:
    raise ValueError("No token found in auth response")

If the same scopes have already been authorized by the user before and the token is still valid, the auth process will be skipped and the token will be returned immediately, without prompting with the authorization URL. The Arcade Engine associates a previously authorized token with the user_id you provided.

Call the Salesforce API

We will now call the Salesforce /parameterizedSearch API endpoint to search and retrieve data.

Replace the q value of "acme" with any keyword combination of your choice. In a real-world scenario, this value would most likely come from a user’s input. Note that the q argument must be a string with two or more characters.

Python
response = requests.post(
    f"https://{salesforce_org_subdomain}.my.salesforce.com/services/data/v63.0/parameterizedSearch",
    headers={"Authorization": f"Bearer {token}"},
    json={
        "q": "acme",
        "sobjects": [
            {"name": "Account", "fields": ["Id", "Name", "Website", "Phone"]},
        ],
        "in": "ALL",
        "overallLimit": 10,
        "offset": 0,
    },
    timeout=30,  # fail instead of hanging if Salesforce does not respond
)
if not response.ok:
    raise ValueError(
        f"Failed to retrieve Salesforce data: {response.status_code} - {response.text}"
    )
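Because Salesforce does not tie custom scope names to endpoints, the code that calls the API has to enforce them itself. An added example (not from the Arcade docs or MCP Server; the scope-to-sObject mapping and the function name are assumptions) that refuses to build a /parameterizedSearch body for objects the granted scopes do not cover:

```python
# Assumed mapping for this example: which custom scope covers which sObject.
READ_SCOPE_FOR_SOBJECT = {
    "Account": "read_account",
    "Contact": "read_contact",
    "Lead": "read_lead",
    "Note": "read_note",
    "Opportunity": "read_opportunity",
    "Task": "read_task",
}


def build_search_payload(q, sobjects, granted_scopes, limit=10):
    """Build a /parameterizedSearch body restricted to what the user authorized."""
    q = q.strip()
    if len(q) < 2:
        raise ValueError("q must be a string with two or more characters")
    granted = set(granted_scopes)
    denied = []
    for obj in sobjects:
        required = READ_SCOPE_FOR_SOBJECT.get(obj["name"])
        # Unknown objects are denied too: no scope was ever defined for them.
        if required is None or required not in granted:
            denied.append(obj["name"])
    if denied:
        raise PermissionError(f"no granted scope covers: {', '.join(denied)}")
    return {
        "q": q,
        "sobjects": list(sobjects),
        "in": "ALL",
        "overallLimit": limit,
        "offset": 0,
    }
```

Pass the scopes reported for the token, not the scopes the script asked for, so a narrower grant is honored.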

Create your own Salesforce Tools

If the pre-built tools in the Arcade Salesforce MCP Server don’t meet your needs, you can create your own custom tools that interact with the Salesforce APIs.

The code implemented in the Arcade Salesforce MCP Server is the best guide for you to understand how to implement your own.
