Client Credentials Flow

Introduction

The Client Credentials Flow is an OAuth 2.0 authorization flow used when a system (server-to-server) needs to access resources without user interaction. In Salesforce, this flow allows external applications to authenticate and interact with Salesforce APIs using only client credentials (client ID and client secret), without requiring a user login and user context.

Learning Objectives

By the end of this article, you will:

  • Understand what Client Credentials Flow is and how it differs from other OAuth flows.
  • Learn when to use this flow in Salesforce.
  • See a sequence diagram for better clarity.
  • Implement and test the Client Credentials Flow using Postman and Apex.
  • Learn common mistakes and best practices.

What is the Client Credentials Flow?

The Client Credentials Flow is used when:

  • A backend service (without user interaction) needs to authenticate with Salesforce.
  • An application wants to call Salesforce APIs using only a client ID and client secret.
  • A secure server-to-server communication is required.

When to Use This Flow?

  • Background processes that require Salesforce data.
  • Server-to-server API calls.
  • Integrations where user authentication is not required.

Where is This Flow Used?

  • Machine-to-machine authentication.
  • External automation systems integrating with Salesforce.
  • Cloud applications interacting with Salesforce APIs.

How to Implement the Client Credentials Flow in Salesforce?

Step 1: Create a Connected App
  1. Go to Setup > App Manager.
  2. Click New Connected App.
  3. Enter App Name and Email.
  4. Enable OAuth Settings and select:
    • OAuth Scopes: “Full Access” (or, preferably, only the scopes actually required, such as API access).
    • Enable Client Credentials Flow.
  5. Save and copy the Consumer Key and Consumer Secret.

Step 2: Obtain Access Token

Use Postman or any API tool to request an access token.

Endpoint:

https://login.salesforce.com/services/oauth2/token

Request (POST, x-www-form-urlencoded):

grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET

Response:

{
  "access_token": "00Dxxxxxxxxx!xxxxxxxx",
  "instance_url": "https://your-instance.salesforce.com",
  "token_type": "Bearer"
}

Step 3: Call Salesforce API Using the Access Token

Once you have the access token, use it in API requests.

Example API Call (Get User Info):

GET https://your-instance.salesforce.com/services/data/v59.0/sobjects/User/
Authorization: Bearer 00Dxxxxxxxxx!xxxxxxxx

Step 4: Implement in Apex

You can also make API calls from Apex.

public class ClientCredentialsAuth {
    public static void callSalesforceAPI() {
        // Read the credentials from a protected custom setting or custom metadata
        // instead of hardcoding them in source; placeholders are kept here for clarity.
        String clientId = 'YOUR_CLIENT_ID';
        String clientSecret = 'YOUR_CLIENT_SECRET';
        // The callout target must be allowed by a Remote Site Setting (or use a Named Credential).
        String tokenUrl = 'https://login.salesforce.com/services/oauth2/token';

        HttpRequest req = new HttpRequest();
        req.setEndpoint(tokenUrl);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        // URL-encode the values so a secret containing '&' or '=' cannot break the form body
        req.setBody('grant_type=client_credentials'
            + '&client_id=' + EncodingUtil.urlEncode(clientId, 'UTF-8')
            + '&client_secret=' + EncodingUtil.urlEncode(clientSecret, 'UTF-8'));

        Http http = new Http();
        HttpResponse res = http.send(req);

        if (res.getStatusCode() == 200) {
            // Parse the token out of the JSON response; do not debug-log the raw body,
            // because the debug log would then contain the access token.
            Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
            String accessToken = (String) body.get('access_token');
            String instanceUrl = (String) body.get('instance_url');

            // Use the token on the API call from Step 3
            HttpRequest apiReq = new HttpRequest();
            apiReq.setEndpoint(instanceUrl + '/services/data/v59.0/sobjects/User/');
            apiReq.setMethod('GET');
            apiReq.setHeader('Authorization', 'Bearer ' + accessToken);
            HttpResponse apiRes = http.send(apiReq);
            System.debug('API call status: ' + apiRes.getStatusCode());
        } else {
            System.debug('Error: ' + res.getStatusCode() + ' ' + res.getBody());
        }
    }
}
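
The token request from Step 2 and the authenticated call from Step 3, worked as an added Python example (not code from the article): it URL-encodes the form fields, fails closed on an error response instead of logging it, and requests a new token on a 401, since this grant issues no refresh token. The `transport` parameter, the `SalesforceClient` class and the sample values are this example's own; the endpoint and JSON field names follow the article.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, response body as text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 400/401 come back with a JSON error body
        return err.code, err.read().decode()


def build_token_request(client_id, client_secret):
    """Form body and headers for grant_type=client_credentials; values are URL-encoded."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    return urllib.parse.urlencode(form).encode(), {"Content-Type": "application/x-www-form-urlencoded"}


class SalesforceClient:
    # transport is injectable (assumed design) so the exchange can be exercised offline
    def __init__(self, client_id, client_secret, transport=urllib_transport):
        self._creds, self._transport = (client_id, client_secret), transport
        self._token = self._instance_url = None

    def fetch_token(self):
        """POST to the token endpoint; raise on any error response instead of logging it."""
        body, headers = build_token_request(*self._creds)
        status, text = self._transport("POST", TOKEN_URL, headers, body)
        data = json.loads(text)
        if status != 200 or "access_token" not in data:
            raise PermissionError(f"token request failed ({status}): "
                                  f"{data.get('error')}: {data.get('error_description')}")
        self._token, self._instance_url = data["access_token"], data["instance_url"]
        return self._token

    def get(self, path):
        """GET a REST path; on 401 (expired token) fetch a new token and retry once."""
        if self._token is None:
            self.fetch_token()
        for attempt in range(2):
            status, text = self._transport("GET", self._instance_url + path,
                                           {"Authorization": "Bearer " + self._token}, None)
            if status != 401 or attempt == 1:
                return status, json.loads(text)
            self.fetch_token()
```

With the default transport this performs real callouts using your Connected App credentials; passing a stand-in transport that returns the Step 2 JSON lets you exercise the exchange offline.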

Advantages and Disadvantages

Advantages

  • Fully Automated Authentication
    • Ideal for server-to-server communication without user involvement.
  • Fast and Reliable API Access
    • Enables instant authentication and seamless API interactions.
  • Enhanced Security and Access Control
    • Eliminates the need for storing user passwords, reducing security risks.

Disadvantages

  • No User Context or Personalization
    • Tokens apply at the application level, not per user.
  • High Risk if Client Secret is Compromised
    • Exposure of credentials grants full API access to attackers.
  • Not Suitable for Interactive Applications
    • Lacks support for user authentication and SSO.

Common Mistakes and Tips

  • Mistake 1: Using the wrong OAuth flow.
    Tip: Use Client Credentials Flow only for machine-to-machine authentication.
  • Mistake 2: Exposing the Client Secret in frontend applications.
    Tip: Store the Client ID and Secret securely in a backend or in environment variables.
  • Mistake 3: Forgetting required OAuth scopes.
    Tip: Ensure the API scopes are enabled in the Connected App.
  • Mistake 4: Using an expired access token.
    Tip: Request a new access token when the current one expires; the Client Credentials Flow does not issue a refresh token.

Summary

  • The Client Credentials Flow is used for server-to-server authentication in Salesforce.
  • It requires only the Client ID and Client Secret to obtain an access token.
  • The flow is useful for automated processes and backend integrations.
  • Security best practices should be followed to protect sensitive credentials.

Quiz or Self-Assessment

  1. When should you use the Client Credentials Flow?
    a) When a user logs in manually
    b) When an external system interacts with Salesforce without a user
    c) When using SSO
  2. What are the required parameters to get an access token?
    a) Client ID and Secret
    b) Username and Password
    c) Authorization Code
  3. Which endpoint is used for getting the access token?
    a) /services/oauth2/token
    b) /services/oauth2/auth
    c) /services/oauth2/logout

Conclusion

The Client Credentials Flow is an essential part of Salesforce integrations when a backend service needs to access data securely without user intervention. Implementing this correctly ensures secure and scalable integrations. By following the steps outlined, you can efficiently use this flow in your Salesforce applications.

Additional Resources

https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_web_server_flow.htm&type=5