When you connect a Salesforce MCP URL, MCP Manager’s authentication
detection lands on OAuth with client pre-registration — Salesforce
won’t dynamically register a client, so you’ll paste the Consumer Key and Consumer Secret from your External Client App, then approve the
OAuth screen.
This guide is a convenience based on Salesforce’s setup at the time of writing. Salesforce’s own Hosted MCP Servers
documentation is authoritative and may
be more current. The requirements below — the External Client App, the scopes, PKCE, the server URL — come from Salesforce, not from MCP Manager. If
a step here has drifted or a connection problem is specific to how Salesforce works, Salesforce support is the fastest path to an answer.
Before you start
Salesforce requires you to set up the org-side OAuth app before MCP Manager can connect. Bring the following:
- An Enterprise Edition org or above. Hosted MCP Servers became generally available for Enterprise Edition and higher.
- System Administrator access, or an admin who can create an External Client App and enable MCP servers in Setup.
- An External Client App registered in your org for OAuth. Use an External Client App, not a legacy Connected App.
- The OAuth scopes the app needs: api (manage user data via APIs), sfap_api (access the Salesforce API Platform), and refresh_token/offline_access.
- PKCE and JWT-based access tokens enabled on the app — Salesforce requires Proof Key for Code Exchange and JWT-based tokens for named users.
- Your activated MCP servers. In Setup → MCP Servers (under API Catalog), toggle on the servers your team needs. Activation can take up to two minutes.
Connect the server
Register an External Client App
In Setup, create an External Client App to act as the OAuth client. Enable OAuth, and configure it as described in the next steps. This app — not a Connected App — is what MCP Manager authenticates against.
Grant the OAuth scopes
Add the scopes Salesforce’s MCP servers require:
| Scope | Grants |
|---|---|
| api | Manage user data via APIs |
| sfap_api | Access the Salesforce API Platform |
| refresh_token, offline_access | Perform requests at any time |
Enable PKCE and JWT-based tokens
In the app’s OAuth settings, turn on Require Proof Key for Code Exchange (PKCE) and Issue JSON Web Token (JWT)-based access tokens for named
users. Both are required for the hosted servers.
Copy the Consumer Key and Consumer Secret
From the External Client App’s settings, copy the Consumer Key (this is the Client ID) and the Consumer Secret. You’ll paste both into MCP
Manager. Treat the secret like a password.
Activate the server and resolve its URL
Enable the server in Setup → MCP Servers, then build the URL. Hosted servers live under api.salesforce.com, with the path differing by environment and server name:
| Environment | MCP server URL |
|---|---|
| Production | https://api.salesforce.com/platform/mcp/v1/<server-name> |
| Sandbox / scratch | https://api.salesforce.com/platform/mcp/v1/sandbox/<server-name> |
Substitute <server-name> with an activated server — for example sobject-reads (read-only), sobject-all (full CRUD), sobject-mutations, sobject-deletes, or data-360. The full read-only production URL is https://api.salesforce.com/platform/mcp/v1/sobject-reads.
Add the server in MCP Manager
On the Servers page, add a server, paste the server URL from the previous step, and click Continue. Detection resolves to OAuth with client pre-registration; supply the credentials from your External Client App:
- Client ID — the External Client App’s Consumer Key.
- Client Secret — the External Client App’s Consumer Secret.
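A pre-flight check for the server URL before you paste it next to the Consumer Secret, added here as an example (it is not part of MCP Manager or Salesforce tooling). It enforces the host and path layout from the table above and flags a production/sandbox mismatch; the function names and the slug pattern are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

HOST = "api.salesforce.com"            # host stated on this page
PREFIX = ["platform", "mcp", "v1"]     # path prefix stated on this page
# Assumed slug shape (lowercase words joined by hyphens), inferred from the
# example names on this page; not a Salesforce-documented rule.
SLUG = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")

def parse_mcp_url(url):
    """Return (environment, server_name) or raise ValueError."""
    u = urlsplit(url.strip())
    if u.scheme != "https":
        raise ValueError("scheme must be https")
    # Reject lookalikes such as https://api.salesforce.com@other.host/...
    if u.username or u.password or u.port is not None:
        raise ValueError("no userinfo or explicit port expected")
    if (u.hostname or "") != HOST:
        raise ValueError(f"host must be {HOST}, got {u.hostname!r}")
    if u.query or u.fragment:
        raise ValueError("no query string or fragment expected")
    parts = u.path.strip("/").split("/")
    if parts[:3] != PREFIX:
        raise ValueError("path must start with /platform/mcp/v1/")
    rest, env = parts[3:], "production"
    if rest[:1] == ["sandbox"]:
        env, rest = "sandbox", rest[1:]
    # One URL maps to one server; an unreplaced <server-name> fails here too.
    if len(rest) != 1 or not SLUG.match(rest[0]):
        raise ValueError("expected exactly one server name after the prefix")
    return env, rest[0]

def preflight(url, org_type):
    """org_type is 'production' or 'sandbox' (sandbox covers scratch orgs)."""
    try:
        env, server = parse_mcp_url(url)
    except ValueError as exc:
        return False, str(exc)
    if env != org_type:
        return False, f"URL is a {env} path but the org is {org_type}"
    return True, f"{env} server {server}"

if __name__ == "__main__":
    # Constructed inputs using the URL layout from this page.
    base = "https://api.salesforce.com/platform/mcp/v1"
    for url, org in [(f"{base}/sobject-reads", "production"),
                     (f"{base}/sobject-reads", "sandbox"),
                     (f"{base}/sandbox/<server-name>", "sandbox")]:
        print(url, org, preflight(url, org))
```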
Gotchas & things to keep in mind
- External Client App, not Connected App. Salesforce’s hosted MCP servers authenticate against an External Client App. A legacy Connected App is the wrong object here and won’t carry the right OAuth settings.
- PKCE and JWT tokens are non-negotiable. If either is left off, the OAuth handshake fails. Confirm both are enabled on the app before connecting.
- Production and sandbox URLs differ. Sandbox and scratch orgs insert /sandbox/ into the path (.../v1/sandbox/<server-name>); production omits it. Pointing a sandbox connection at the production path — or vice versa — fails to connect.
- The server name is part of the URL. Each activated server has its own slug (sobject-reads, sobject-all, data-360, and so on). One URL maps to one server; connect each server you need separately.
- Activation isn’t instant. After you toggle a server on in Setup, it can take up to two minutes to become active. Connecting before then can fail.
- Per-user permissions still apply. The hosted servers respect Salesforce’s standard security model — field-level security, object permissions, and sharing rules apply to every tool call. A connected user can only do through MCP Manager what they can do in Salesforce. Decide whether the credential should be per-user or shared — see per-user versus shared identity.
Further reading
Find & Connect MCP Servers
How MCP Manager detects authentication type, and how to find other servers’ URLs.
How MCP Manager authenticates
What OAuth with client pre-registration means for the credentials you just pasted.
How your credentials are secured
How MCP Manager stores the Consumer Key and Consumer Secret you provided.
Connect your AI client
Point Claude, Cursor, or another client at the gateway once the server is added.
External sources
Salesforce Hosted MCP Servers
Salesforce’s authoritative reference for the hosted MCP servers — availability, setup, and supported servers.
Set Up Your Org
Salesforce’s own setup steps — the External Client App, OAuth scopes, and PKCE/JWT security settings.