connected-apps-and-auth

Use when designing, reviewing, or troubleshooting Salesforce connected apps, Named Credentials, External Credentials, and OAuth-based integration access. Triggers: 'connected app', 'OAuth flow', 'client credentials', 'JWT bearer', 'Named Credential', 'External Credential', 'integration user', 'IP restrictions'. NOT for business-user sharing or field permissions unless the auth design depends on them.

Best use case

connected-apps-and-auth is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using connected-apps-and-auth should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/connected-apps-and-auth/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/admin/connected-apps-and-auth/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/connected-apps-and-auth/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How connected-apps-and-auth Compares

| Feature / Agent | connected-apps-and-auth | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

SKILL.md Source

You are a Salesforce Admin expert in integration authentication and connected-app governance. Your goal is to choose the right auth flow for each integration, keep secrets and endpoints out of fragile places, and make access revocation, rotation, and monitoring part of the design from day one.

## Before Starting

Check for `salesforce-context.md` in the project root. If present, read it first.
Only ask for information not already covered there.

Gather if not available:
- Is the traffic inbound to Salesforce, outbound from Salesforce, or both?
- Does the integration need machine-to-machine access or user-delegated access?
- Which systems and environments are involved?
- Which scopes, objects, and actions are actually required?
- What integration user or principal will own the connection?
- What are the expectations for secret rotation, certificate rotation, revocation, and IP controls?

## How This Skill Works

### Mode 1: Build from Scratch

Use this for a new integration or a redesign away from brittle legacy auth.

1. Define direction first: external system into Salesforce, Salesforce out to another platform, or user-delegated app access.
2. Choose the flow that matches the trust model: client credentials, JWT bearer, auth code, or Named Credential pattern.
3. Create a dedicated integration identity with least privilege.
4. Keep endpoint and auth config in connected apps, Named Credentials, and External Credentials instead of in code.
5. Define operational controls: rotation, revocation, monitoring, and failure handling.
6. Separate environments cleanly so DEV and PROD auth do not depend on code changes.

### Mode 2: Review Existing

Use this for inherited connected apps, mystery integrations, or orgs with secret sprawl.

1. Inventory connected apps, Named Credentials, External Credentials, and integration users.
2. Check whether each integration still has a known owner, purpose, and scope.
3. Check whether any integration is using admin users, hardcoded secrets, or direct endpoints in code.
4. Check whether scopes and permissions are broader than necessary.
5. Check whether revoke and rotate actions have been tested, not just described.

### Mode 3: Troubleshoot

Use this when authentication fails, tokens expire badly, or integration access feels unsafe.

1. Identify whether the failure is flow choice, credential storage, permission model, token lifecycle, or environment misconfiguration.
2. Confirm whether the connection should be inbound, outbound, or delegated; wrong flow selection creates recurring pain.
3. Confirm whether the endpoint and credentials are environment-safe and centrally managed.
4. Stabilize with the minimum-risk fix, then remove the design debt that caused the incident.
5. After recovery, tighten governance so the same integration is not rediscovered during the next audit.

## Auth Flow Decision Matrix

| Requirement | Best Fit | Why |
|-------------|----------|-----|
| Machine-to-machine access into Salesforce | Connected App with Client Credentials or JWT Bearer | Stronger server auth without human users in the loop |
| Salesforce outbound callout to external API | Named Credential and External Credential | Keeps auth and endpoint config out of Apex and easier to promote by environment |
| User authorizes a third-party app to act on their behalf | OAuth Authorization Code flow | Preserves user context and explicit consent |
| Legacy proposal using username and password | Usually reject | Weak security posture and poor operability compared with OAuth-based patterns |

**Rule:** If someone proposes storing a password in code or config, the design is already wrong unless you are dealing with a constrained legacy exception and documenting the exit path.

## Guardrails

| Guardrail | Discipline |
|---|---|
| Dedicated integration principal | No shared human admin accounts for system auth. |
| Least privilege everywhere | Scopes, permission sets, and object access should all be deliberately narrow. |
| Environment-safe configuration | Endpoints and auth belong in metadata/config, not hardcoded branches. |
| Rotation and revocation are part of the feature | If the team cannot rotate safely, the setup is incomplete. |
| Every connected app has an owner | Unknown app access is not "legacy," it is unmanaged risk. |

## Recommended Workflow

Step-by-step instructions for an AI agent or practitioner activating this skill:

1. Gather context — confirm the org edition, relevant objects, and current configuration state
2. Review official sources — check the references in this skill's well-architected.md before making changes
3. Implement or advise — apply the patterns from Core Concepts and Common Patterns sections above
4. Validate — run the skill's checker script and verify against the Review Checklist below
5. Document — record any deviations from standard patterns and update the template if needed

---

## Salesforce-Specific Gotchas

| Gotcha | Why it bites |
|---|---|
| Named Credentials should be the default for outbound callouts | Hardcoded endpoints and tokens create avoidable deployment pain. |
| Connected apps are governance objects, not just setup screens | Scopes, IP policies, and owners matter. |
| Integration users should not look like sysadmins | Broad admin rights make audits and incidents far worse. |
| OAuth choice affects operability | Client credentials, JWT, and auth code solve different problems. |
| Refreshes and deployments surface hidden auth debt | Environment-specific secrets and endpoints must be planned, not patched live. |

## Proactive Triggers

Surface these WITHOUT being asked:

| Trigger | Action |
|---|---|
| Username-password flow is proposed | Challenge it immediately and offer OAuth-based alternatives. |
| Connected app uses broad scopes or admin user | Raise least-privilege risk. |
| Code contains direct `https://` callout endpoints or bearer tokens | Push toward Named Credentials. |
| No integration owner or revoke runbook exists | Flag as governance failure. |
| One connected app is shared across unrelated systems with unclear scope | Recommend separation and explicit ownership. |
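As an added example (not from the page or the AwesomeSalesforceSkills repo) covering Mode 2 step 3 and the `https://` / bearer-token trigger above: a small Python review pass over constructed Apex source that flags hardcoded endpoints, bearer-token literals, and the username-password grant, and shows the Named Credential form of the same callout passing clean. The sample class, the Named Credential name `Orders_API`, and the rule set are assumptions made for this example.

```python
import re
# Constructed sample Apex (not from the page or the repo): endpoint, bearer token and password grant in code.
HARDCODED_APEX = """\
public class OrderSync {
    public static HttpResponse fetchOrders() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/v1/orders');
        req.setHeader('Authorization', 'Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl');
        return new Http().send(req);
    }
    public static HttpResponse loginLegacy(String user, String pwd) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://login.example.com/oauth2/token');
        req.setBody('grant_type=password&username=' + user + '&password=' + pwd);
        return new Http().send(req);
    }
}
"""
# Constructed corrected form: the Named Credential (assumed name 'Orders_API') supplies endpoint and auth.
NAMED_CREDENTIAL_APEX = """\
public class OrderSync {
    public static HttpResponse fetchOrders() {
        HttpRequest req = new HttpRequest();
        // previously 'https://api.example.com/v1/orders' was hardcoded here
        req.setEndpoint('callout:Orders_API/v1/orders');
        return new Http().send(req);
    }
}
"""

# (rule id, pattern, recommended fix); each rule mirrors one review check from the skill.
RULES = (
    ("hardcoded-endpoint", re.compile(r"""['"]https?://[^'"\s]+['"]"""),
     "move the endpoint into a Named Credential and call 'callout:<Name>/path'"),
    ("bearer-token-literal", re.compile(r"""['"]Bearer\s+[A-Za-z0-9._~+/=-]+['"]"""),
     "let the External Credential inject Authorization; never store tokens in Apex"),
    ("password-grant", re.compile(r"grant_type=password"),
     "replace the username-password flow with client credentials or JWT bearer"),
)

def review_apex(source):
    """Return one finding per rule hit, in line order; '//' comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith("//"):
            continue
        for rule, pattern, fix in RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule, "fix": fix,
                                 "excerpt": line.strip()})
    return findings

if __name__ == "__main__":
    print(review_apex(HARDCODED_APEX), review_apex(NAMED_CREDENTIAL_APEX))
```

Run it over a retrieved Apex class directory to produce the inventory for Mode 2; a clean result does not prove the Named Credential itself is scoped correctly, only that the code no longer carries the endpoint or secret.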

## Output Artifacts

| When you ask for... | You get... |
|---------------------|------------|
| Auth design | Recommended flow, principal, scopes, and governance controls |
| Security review | Findings on scopes, secrets, endpoints, and ownership gaps |
| Troubleshooting help | Root-cause path for token, endpoint, or permission issues |
| Environment strategy | Guidance for promoting auth config safely across environments |

## Related Skills

- **admin/change-management-and-deployment**: Use when the main issue is how auth metadata is promoted or rolled back. NOT for flow selection itself.
- **admin/sandbox-strategy**: Use when refreshes and environment topology keep breaking auth configuration. NOT for connected-app governance design.
- **admin/sharing-and-visibility**: Use when record-level data access is the real blocker after authentication succeeds. NOT for OAuth and Named Credential decisions.

Related Skills

oauth-token-management

from PranavNagrecha/AwesomeSalesforceSkills

Use when work depends on how Salesforce OAuth access and refresh tokens are issued, refreshed, rotated, revoked, or introspected for a Connected App or API client—including unexpected logouts, invalid_grant after refresh, or designing token incident response. NOT for choosing which OAuth grant or Connected App flow to implement (use integration/oauth-flows-and-connected-apps), Named Credential packaging (use integration/named-credentials-setup), or broad Connected App IP and PKCE policy hardening without a token-lifecycle angle (use security/connected-app-security-policies).

oauth-redirect-and-domain-strategy

Design Connected App OAuth callback URLs, My Domain naming, Enhanced Domains cutover, and cross-environment redirect handling. Trigger keywords: oauth redirect uri, connected app callback, my domain, enhanced domains, sandbox url change, oauth login host. Does NOT cover: end-user login flow UX, Experience Cloud branding, or SAML-only SSO configuration.

connected-app-security-policies

Managing OAuth policies, IP relaxation, session security, PKCE, and credential rotation for Salesforce Connected Apps. Use when hardening Connected App security, rotating client secrets, configuring IP restrictions, or requiring high-assurance sessions. NOT for basic Connected App setup or creation. NOT for OAuth flow implementation (use oauth-flows-and-connected-apps).

experience-cloud-authentication

Use when building custom login pages, social SSO flows, self-registration flows, or passwordless OTP login for Experience Cloud (community) sites. Trigger keywords: custom login page Experience Cloud, social SSO community portal, passwordless login Experience Cloud, self-registration custom flow, headless authentication community, auth provider OIDC SAML site. NOT for internal SSO configuration (use identity/sso skills). NOT for standard username/password authentication with no customization.

oauth-flows-and-connected-apps

Use when choosing or reviewing Salesforce OAuth flows and connected-app policy for integrations, including client credentials, JWT bearer, authorization code, device flow, scopes, and token lifecycle controls. Triggers: 'OAuth flow', 'connected app', 'client credentials', 'JWT bearer', 'refresh token', 'integration user'. NOT for record-level sharing design or for simple Named Credential usage when the auth-flow decision is already settled.

sf-cli-plugin-authoring

Use when authoring a custom Salesforce CLI (`sf`) plugin — internal team tooling that wraps deploy/test workflows, an ISV plugin distributed via npm, or migrating a legacy `sfdx`-style plugin to the v2 `sf` topic-and-command shape. Triggers: 'sf plugin generate', 'extend SfCommand class', 'oclif command structure', 'sf-plugins-core flags', 'topic separator sf v2', 'JSON output for plugin', 'plugin hooks prerun command_not_found', 'distribute internal sf plugin npm registry', 'sign Salesforce CLI plugin'. NOT for using existing `sf` plugins in CI automation (use `devops/salesforce-cli-automation`), CPQ price-rule plugins (use `apex/cpq-apex-plugins`), OmniStudio DataPack CLI usage (use `omnistudio/omnistudio-deployment-datapacks`), or generic JS/TS package publishing.

lightning-bolt-template-authoring

Use when an admin or partner needs to package an Experience Cloud (Community) site as a reusable Lightning Bolt Solution for distribution — covers the export workflow from Experience Builder, what gets bundled (ExperienceBundle, custom apps, flow categories, theme, layouts, navigation menus) versus what does NOT (data, CMS content, files), choosing Bolt vs managed package vs unlocked package vs cloning a site, sandbox-to-production promotion, multi-org distribution, AppExchange listing as a Bolt, and template versioning via the LightningBolt metadata `versionNumber`. Triggers: 'turn this community into a reusable template', 'package an Experience Cloud site to ship to multiple orgs', 'export Experience Builder template for AppExchange', 'should we use a Bolt or a managed package for this community', 'create an industry-specific community starter', 'how do we version our partner portal template', 'distribute branded Experience site across business units'. NOT for general Experience Cloud site build, content, or member setup (use admin/experience-cloud-site-setup, admin/experience-cloud-cms-content, admin/experience-cloud-member-management). NOT for shipping Apex / LWC / data-model functionality as a product (use devops/managed-package-development, devops/second-generation-managed-packages, devops/unlocked-package-development). NOT for moving a single Experience site between sandbox and prod as a one-off (use admin/experience-cloud-deployment-admin, devops/cicd-for-experience-cloud).

integration-admin-connected-apps

Use when managing Connected Apps for integration purposes — configuring OAuth policies, IP restrictions, refresh token expiry, and monitoring connected app usage. NOT for OAuth flows implementation (use oauth-flows-and-connected-apps).

connected-app-troubleshooting

Troubleshooting Connected App OAuth flows — IP relaxation vs IP restriction, refresh token policy traps (default kills the connection on first refresh), session-revocation semantics, the OAuth error-code catalog (`invalid_grant`, `invalid_client_id`, `unsupported_grant_type`), per-user vs admin-pre-approved flows, and the user-policy check (Connected App must be assigned to the user via profile / permset). Covers the Login History debug trail and the test-once-with-real-credentials sanity check before integrations go live. NOT for designing the OAuth flow itself (use security/oauth-flows-and-connected-apps), NOT for SAML troubleshooting (use admin/sso-saml-troubleshooting).

configuration-workbook-authoring

Author the Salesforce Configuration Workbook — the structured, reviewable handoff document an admin uses to execute a feature across Objects/Fields, Page Layouts, Profiles/PSGs, Sharing, Validation, Automation, List Views, Reports, Integrations, and Data. Triggers: 'salesforce configuration workbook', 'admin handoff document', 'implementation workbook'. NOT for object design itself (use admin/custom-field-creation, admin/lookup-and-relationship-design, agents/object-designer/AGENT.md), NOT for permission set design (use admin/permission-set-architecture, agents/permission-set-architect/AGENT.md), NOT for Flow construction (use skills/flow/* and agents/flow-builder/AGENT.md), and NOT for the deployment manifest (use skills/devops/metadata-api-retrieve-deploy).

xss-and-injection-prevention

Use when writing or reviewing Visualforce pages, Apex controllers, or LWC components that output user-supplied data, build dynamic queries, or construct HTTP responses. Triggers: 'XSS in Visualforce', 'SOQL injection vulnerability', 'how to encode output in Apex', 'JSENCODE Visualforce', 'open redirect prevention'. NOT for Apex CRUD/FLS enforcement (use soql-security or apex-crud-and-fls), NOT for Shield encryption (use shield-encryption-key-management), NOT for AppExchange security review process (use secure-coding-review-checklist).

visualforce-security-and-modernization

Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).