> For the complete documentation index, see [llms.txt](https://docs.n8n.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.n8n.io/integrations/builtin/credentials/salesforce.md).
# Salesforce credentials
You can use these credentials to authenticate the following nodes:
* [Salesforce](/integrations/builtin/app-nodes/n8n-nodes-base.salesforce.md)
* [Salesforce trigger](/integrations/builtin/trigger-nodes/n8n-nodes-base.salesforcetrigger.md)
## Supported authentication methods
* JWT
* OAuth2
## Related resources
Refer to [Salesforce's developer documentation](https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_intro.htm) for more information about the service.
{% hint style="info" %}
**Salesforce External Client Apps**
Salesforce is deprecating Connected Apps in favor of External Client Apps. Both methods work with n8n. If you're creating a new integration, use External Client Apps. Existing Connected Apps will continue to work.
{% endhint %}
## Using JWT
To configure this credential, you'll need a [Salesforce](https://www.salesforce.com/) account and:
* Your **Environment Type** (Production or Sandbox)
* A **Client ID**: Generated when you create an external client app or connected app.
* Your Salesforce **Username**
* A **Private Key** for a self-signed digital certificate
### Create an External Client App (recommended)
To set things up, first you'll create a private key and certificate, then an external client app:
1. In n8n, select the **Environment Type** for your connection. Choose the option that best describes your environment from **Production** or **Sandbox**.
2. Enter your Salesforce **Username**.
3. Log in to your org in Salesforce.
4. You'll need a private key and certificate issued by a certification authority. Use your own key/cert or use OpenSSL to create a key and a self-signed digital certificate. Refer to the Salesforce [Create a Private Key and Self-Signed Digital Certificate documentation](https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_key_and_cert.htm) for instructions on creating your own key and certificate.
5. From **Setup** in Salesforce, enter `App Manager` in the Quick Find box, then select **App Manager**.
6. On the App Manager page, select **New External Client App**.
7. Enter the required **Basic Info** for your external client app, including a **Name** and **Contact Email address**.
8. Under **API (Enable OAuth Settings)**, select **Enable OAuth**.
9. In the **Callback URL** box, add the callback URL: `http://localhost:1717/OauthRedirect` (or your n8n instance URL if self-hosting).
10. In the **OAuth Scopes** section, select these scopes:
* **Full access (full)**
* **Perform requests at any time (refresh\_token, offline\_access)**
11. In the **Flow Enablement** section, select **Enable JWT Bearer Flow**.
12. Select **Upload Files** and upload the file that contains your digital certificate, such as `server.crt`.
13. Under **OAuth Policies**, make sure the following settings are **unchecked**:
* **Require Secret for Web Server Flow**
* **Require Secret for Refresh Token Flow**
* **Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows**
14. Select **Save**, then **Continue**.
15. Copy the **Consumer Key** and add it to your n8n credential as the **Client ID**.
16. Enter the contents of the private key file in n8n as **Private Key**.
* Use the multi-line editor in n8n.
* Enter the private key in standard PEM key format:
```
-----BEGIN PRIVATE KEY-----
KEY DATA GOES HERE
-----END PRIVATE KEY-----
```
Refer to Salesforce's [External Client App Basics](https://help.salesforce.com/s/articleView?id=sf.external_client_app_about.htm\&type=5) documentation for more information.
### Create a Connected App (legacy)
{% hint style="info" %}
**Legacy method**
Salesforce is deprecating Connected Apps. Use External Client Apps instead for new integrations.
{% endhint %}
To set things up, first you'll create a private key and certificate, then a connected app:
1. In n8n, select the **Environment Type** for your connection. Choose the option that best describes your environment from **Production** or **Sandbox**.
2. Enter your Salesforce **Username**.
3. Log in to your org in Salesforce.
4. You'll need a private key and certificate issued by a certification authority. Use your own key/cert or use OpenSSL to create a key and a self-signed digital certificate. Refer to the Salesforce [Create a Private Key and Self-Signed Digital Certificate documentation](https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_key_and_cert.htm) for instructions on creating your own key and certificate.
5. From **Setup** in Salesforce, enter `App Manager` in the Quick Find box, then select **App Manager**.
6. On the App Manager page, select **New Connected App**.
7. Enter the required **Basic Info** for your connected app, including a **Name** and **Contact Email address**. Refer to Salesforce's [Configure Basic Connected App Settings](https://help.salesforce.com/s/articleView?id=sf.connected_app_create_basics.htm\&type=5) documentation for more information.
8. Check the box to **Enable OAuth Settings**.
9. For the **Callback URL**, enter `http://localhost:1717/OauthRedirect`.
10. Check the box to **Use digital signatures**.
11. Select **Choose File** and upload the file that contains your digital certificate, such as `server.crt`.
12. Add these **OAuth scopes**:
* **Full access (full)**
* **Perform requests at any time (refresh\_token, offline\_access)**
13. Select **Save**, then **Continue**. The **Manage Connected Apps** page should open to the app you just created.
14. In the **API (Enable OAuth Settings)** section, select **Manage Consumer Details**.
15. Copy the **Consumer Key** and add it to your n8n credential as the **Client ID**.
16. Enter the contents of the private key file in n8n as **Private Key**.
* Use the multi-line editor in n8n.
* Enter the private key in standard PEM key format:
```
-----BEGIN PRIVATE KEY-----
KEY DATA GOES HERE
-----END PRIVATE KEY-----
```
These steps are what's required on the n8n side. Salesforce recommends setting refresh token policies, session policies, and OAuth policies too:
17. In Salesforce, select **Back to Manage Connected Apps**.
18. Select **Manage**.
19. Select **Edit Policies**.
20. Review the **Refresh Token Policy** field. Salesforce recommends using expire refresh token after 90 days.
21. In the **Session Policies** section, Salesforce recommends setting **Timeout Value** to 15 minutes.
22. In the **OAuth Policies** section, select **Admin approved users are pre-authorized for permitted users** for **Permitted Users**, and select **OK**.
23. Select **Save**.
24. Select **Manage Profiles**, select the profiles that are pre-authorized to use this connected app, and select **Save**.
25. Select **Manage Permission Sets** to select the permission sets. Create permission sets if necessary.
Refer to Salesforce's [Create a Connected App in Your Org](https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_connected_app.htm) documentation for more information.
## Using OAuth2
To configure this credential, you'll need a [Salesforce](https://www.salesforce.com/) account.
You will need to select your **Environment Type**. Choose between **Production** and **Sandbox**.
### Create an External Client App (recommended)
If you're [self-hosting](/deploy/host-n8n.md) n8n, you'll need to configure OAuth2 from scratch by creating an external client app:
1. In n8n, select the **Environment Type** for your connection. Choose the option that best describes your environment from **Production** or **Sandbox**.
2. Enter your Salesforce **Username**.
3. Log in to your org in Salesforce.
4. From **Setup** in Salesforce, enter `App Manager` in the Quick Find box, then select **App Manager**.
5. On the App Manager page, select **New External Client App**.
6. Enter the required **Basic Info** for your external client app, including a **Name** and **Contact Email address**.
7. Under **API (Enable OAuth Settings)**, select **Enable OAuth**.
8. In the **Callback URL** box, add your n8n OAuth callback URL (for example, `https://your-n8n-instance.com/rest/oauth2-credential/callback`. For n8n Cloud, this will be `https://oauth.n8n.cloud/oauth2/callback`).
9. In the **OAuth Scopes** section, select these scopes:
* **Full access (full)**
* **Perform requests at any time (refresh\_token, offline\_access)**
10. In the **Flow Enablement** section, select **Enable Authorization Code and Credentials Flow**.
11. Under **OAuth Policies**, make sure the following settings are **checked**:
* **Require Secret for Web Server Flow**
* **Require Secret for Refresh Token Flow**
* **Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows**
12. Select **Save**, then **Continue**.
13. Copy the **Consumer Key** and add it to your n8n credential as the **Client ID**.
14. Copy the **Consumer Secret** and add it to your n8n credential as the **Client Secret**.
Refer to Salesforce's [External Client App Basics](https://help.salesforce.com/s/articleView?id=sf.external_client_app_about.htm\&type=5) documentation for more information.
### Create a Connected App (legacy)
{% hint style="info" %}
**Legacy method**
Salesforce is deprecating Connected Apps. Use External Client Apps instead for new integrations.
{% endhint %}
If you're [self-hosting](/deploy/host-n8n.md) n8n, you can also configure OAuth2 by creating a connected app:
1. In n8n, select the **Environment Type** for your connection. Choose the option that best describes your environment from **Production** or **Sandbox**.
2. Enter your Salesforce **Username**.
3. Log in to your org in Salesforce.
4. From **Setup** in Salesforce, enter `App Manager` in the Quick Find box, then select **App Manager**.
5. On the App Manager page, select **New Connected App**.
6. Enter the required **Basic Info** for your connected app, including a **Name** and **Contact Email address**. Refer to Salesforce's [Configure Basic Connected App Settings](https://help.salesforce.com/s/articleView?id=sf.connected_app_create_basics.htm\&type=5) documentation for more information.
7. Check the box to **Enable OAuth Settings**.
8. For the **Callback URL**, enter `http://localhost:1717/OauthRedirect`.
9. Add these **OAuth scopes**:
* **Full access (full)**
* **Perform requests at any time (refresh\_token, offline\_access)**
10. Make sure the following settings are unchecked:
* **Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows**
* **Require Secret for Web Server Flow**
* **Require Secret for Refresh Token Flow**
11. Select **Save**, then **Continue**. The **Manage Connected Apps** page should open to the app you just created.
12. In the **API (Enable OAuth Settings)** section, select **Manage Consumer Details**.
13. Copy the **Consumer Key** and add it to your n8n credential as the **Client ID**.
14. Copy the **Consumer Secret** and add it to your n8n credential as the **Client Secret**.
These steps are what's required on the n8n side. Salesforce recommends setting refresh token policies and session policies, too:
15. In Salesforce, select **Back to Manage Connected Apps**.
16. Select **Manage**.
17. Select **Edit Policies**.
18. Review the **Refresh Token Policy** field. Salesforce recommends using expire refresh token after 90 days.
19. In the **Session Policies** section, Salesforce recommends setting **Timeout Value** to 15 minutes.
Refer to Salesforce's [Create a Connected App in Your Org](https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_auth_connected_app.htm) documentation for more information.
## Common issues
### Connection issues when authenticating with Salesforce from n8n Cloud
If you encounter connection issues when authenticating with Salesforce from n8n Cloud, you might need to enable a specific system permission in your Salesforce user profiles:
1. In Salesforce, go to **Setup**.
2. In the **Quick Find** box, search for `Profiles`.
3. Select the profile used by the user connecting to n8n (for example, System Administrator or the relevant profile).
4. Click **Edit** or use the new **Profile** interface if it's available.
5. Locate the **Administrative Permissions** section.
6. Enable the checkbox for **Approve Connected Apps for Non-Admins**. This checkbox might also appear as **Approve apps connected not installed** depending on your Salesforce language or translation.
7. Click **Save**.
This permission isn't enabled by default, even for administrator profiles, and must be manually activated. Without this permission, you might experience authentication failures when trying to connect n8n to Salesforce.
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:
```
GET https://docs.n8n.io/integrations/builtin/credentials/salesforce.md?ask=&goal=
```
`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.