How to Integrate API with Salesforce Safely and Easily Using New External Client Apps

This article explores how to integrate any API with an External Client App (ECA) in Salesforce. It is useful both for teams building new Salesforce integrations and for teams that want to replace their old Connected Apps (CA) with this newer technology. Specifically, we cover how to connect an API to Salesforce over OAuth 2.0 using the Client Credentials flow, following the Spring '26 Release changes.


Create an External Client App and set up security configurations

To create your External Client App, we'll head to Setup, type External Client Apps in the Quick Find box, and then click on External Client App Manager.



Following that, we are going to click on New External Client App:



There, we'll open the Basic Information tab, type "Client App Test" as the External Client App Name, insert your email as the Contact Email, and use the following Logo URL and Icon URL:

  • https://login.salesforce.com/logos/Salesforce/SalesforcePlatform/logo.png

  • https://login.salesforce.com/logos/Salesforce/SalesforcePlatform/icon.png


The result will look like this:


Following that, open the API (Enable OAuth Settings) tab and select the Enable OAuth checkbox:


There, use the following Callback URL: https://oauth.pstmn.io/v1/callback



In OAuth Scopes, select the following options:

  • Full access (full)

  • Manage user data via APIs (api)

  • Access unique user identifiers (openid)


We need these scopes so that we can monitor the results and avoid failures caused by missing permissions during the API tests in Postman.



In Flow Enablement, select the option "Enable Client Credentials Flow", since the integration will run as the Admin user from the Platform:



Just before saving the changes, scroll down to Security, deselect the option "Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows", and select "Enable Refresh Token Rotation". Your app will then look like this:



Then click the Create button. After the External Client App is created, go to Policies inside the app and click the Edit button next to App Policies:


Then open the OAuth Policies section and select Enable Client Credentials Flow:

Then, in the Run As (Username) field, insert the Salesforce Username of the user that the application should run as; in this case, I used my own Username. The result will look like this:



Then click the Save button.


Retrieving Credentials

Before making requests from Postman, go back to the OAuth settings inside the app's Settings and click on Consumer Key and Secret; we will need both values in Postman to make the requests:



Then retrieve the credentials after completing the Salesforce identity verification:



Make the requests in Postman

Once the Consumer Key and Secret are retrieved, get your domain URL in Salesforce. If you don't know your domain, go to Setup, type My Domain in the Quick Find box, and copy the Current My Domain URL, as in the image below:



After doing that, create a POST request in Postman and use the following endpoint:

https://{YOUR_DOMAIN_URL}/services/oauth2/token

Go to the Body tab of your request, choose x-www-form-urlencoded (the Salesforce token endpoint expects a form-encoded body, not JSON), and insert the following keys and values:

grant_type=client_credentials
client_id=YOUR_CONSUMER_KEY
client_secret=YOUR_CONSUMER_SECRET

This will make your request look like this in Postman:



Then, after clicking the Send button, the response will contain the Access Token that your app must send with every request it makes through the API, as in the following image:




After doing this, you can use the credentials and the Access Token to get, create, update, or delete any standard or custom object in Salesforce, in the same way that Connected Apps allow, but with better filtering and a very clear separation between users' credentials and integration credentials.
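The Postman steps above, written as a small script, as an added example that is not part of the original article: it builds the same POST to /services/oauth2/token with a form-encoded body, checks the token response (including the OAuth error object Salesforce returns when, for example, the Consumer Secret is wrong or the Run As user is not set), and turns the access token into the Authorization header used on later REST calls. The environment variable names, the My Domain value, the token and error bodies, and the REST path used at the bottom are all constructed assumptions for illustration; only the Python standard library is used, so it runs offline except for the optional live call in the main block.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request


def build_token_request(my_domain: str, consumer_key: str,
                        consumer_secret: str) -> urllib.request.Request:
    """Build the Client Credentials POST exactly as sent from Postman.

    The token endpoint expects application/x-www-form-urlencoded, not JSON,
    so the three keys are URL-encoded into the body.
    """
    url = f"https://{my_domain}/services/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": consumer_key,
        "client_secret": consumer_secret,
    }).encode("ascii")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )


def parse_token_response(raw: bytes) -> dict:
    """Validate the token endpoint's JSON body and keep only what a client needs.

    Raises RuntimeError on an OAuth error object ({"error": ..., "error_description": ...})
    or on a body missing the fields every later request depends on.
    """
    payload = json.loads(raw.decode("utf-8"))
    if "error" in payload:
        raise RuntimeError(f"token request failed: {payload['error']}: "
                           f"{payload.get('error_description', '')}")
    for field in ("access_token", "instance_url", "token_type"):
        if field not in payload:
            raise RuntimeError(f"token response is missing {field!r}")
    if payload["token_type"].lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {payload['token_type']!r}")
    return {"access_token": payload["access_token"],
            "instance_url": payload["instance_url"]}


def fetch_token(my_domain: str, consumer_key: str, consumer_secret: str,
                opener=urllib.request.urlopen) -> dict:
    """Send the token request; `opener` is injectable so this can be tested offline."""
    req = build_token_request(my_domain, consumer_key, consumer_secret)
    try:
        with opener(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as exc:
        raw = exc.read()  # a 400 still carries the OAuth error object in its body
    return parse_token_response(raw)


def auth_header(token: dict) -> dict:
    """Header attached to every REST call made with the access token."""
    return {"Authorization": f"Bearer {token['access_token']}"}


def build_api_request(token: dict, path: str) -> urllib.request.Request:
    """GET against the instance_url returned with the token (path is the caller's choice)."""
    return urllib.request.Request(token["instance_url"] + path,
                                  headers={**auth_header(token),
                                           "Accept": "application/json"})


def credentials_from_env() -> tuple:
    """Read Consumer Key/Secret from the environment rather than hard-coding them.

    The variable names SF_MY_DOMAIN, SF_CONSUMER_KEY and SF_CONSUMER_SECRET are
    an assumption of this example, not something Salesforce defines.
    """
    try:
        return (os.environ["SF_MY_DOMAIN"], os.environ["SF_CONSUMER_KEY"],
                os.environ["SF_CONSUMER_SECRET"])
    except KeyError as missing:
        raise SystemExit(f"set {missing.args[0]} before running") from None


if __name__ == "__main__":
    # Live call; requires the three environment variables above to be set.
    tok = fetch_token(*credentials_from_env())
    # Hypothetical path: any Salesforce REST resource the Run As user may read.
    with urllib.request.urlopen(build_api_request(tok, "/services/data/")) as r:
        print(r.status, r.read(200))
```

Keeping the Consumer Secret out of the source and in the environment (or a secrets manager) matters more here than with a Connected App, because with the Client Credentials flow the secret alone grants the Run As user's access, with no interactive login in between.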


Conclusion

Although replacing Connected Apps with External Client Apps can seem like a very small change in Salesforce, this strategic measure was taken because Salesforce external integrations needed security improvements, including a necessary split between user authentication and app authentication, which the new External Client Apps successfully implement.

By following the updated steps in this article, you can improve your security and make maintenance easier by migrating your current Connected Apps to this new architecture and by creating new API connections with Salesforce in the future.
