> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mcpmanager.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Connect Salesforce

> Connect Salesforce's hosted MCP server to MCP Manager: register an External Client App in your org, grant the api and sfap_api scopes with refresh_token, enable PKCE and JWT-based tokens, pick the right server URL (api.salesforce.com/platform/mcp/v1/<server>), then add the server and supply the Consumer Key and Consumer Secret.

Salesforce runs **Hosted MCP Servers** on its own infrastructure, and connecting them is an OAuth flow with one prerequisite: you must register an **External Client App** in your org first. The app gives you a **Consumer Key (Client ID)** and **Consumer Secret** that MCP Manager supplies when it connects.

<Note>
  When you connect a Salesforce MCP URL, MCP Manager's [authentication
  detection](/mcp-server-guides/overview#how-mcp-manager-detects-the-authentication-type) lands on **OAuth with client pre-registration** — Salesforce
  won't dynamically register a client, so you'll paste the **Consumer Key** and **Consumer Secret** from your External Client App, then approve the
  OAuth screen.
</Note>

<Info>
  This guide is a convenience based on Salesforce's setup at the time of writing. **Salesforce's own [Hosted MCP Servers
  documentation](https://developer.salesforce.com/docs/platform/hosted-mcp-servers/guide/hosted-mcp-servers-overview.html) is authoritative** and may
  be more current. The requirements below — the External Client App, the scopes, PKCE, the server URL — come from Salesforce, not from MCP Manager. If
  a step here has drifted or a connection problem is specific to how Salesforce works, **Salesforce support** is the fastest path to an answer.
</Info>

## Before you start

Salesforce requires you to set up the org-side OAuth app before MCP Manager can connect. Bring the following:

* **An Enterprise Edition org or above.** Hosted MCP Servers became generally available for Enterprise Edition and higher.
* **System Administrator access**, or an admin who can create an External Client App and enable MCP servers in Setup.
* **An External Client App** registered in your org for OAuth. Use an **External Client App**, not a legacy Connected App.
* **The OAuth scopes the app needs:** `api` (manage user data via APIs), `sfap_api` (access the Salesforce API Platform), and `refresh_token` / `offline_access`.
* **PKCE and JWT-based access tokens enabled** on the app — Salesforce requires Proof Key for Code Exchange and JWT-based tokens for named users.
* **Your activated MCP servers.** In **Setup → MCP Servers** (under API Catalog), toggle on the servers your team needs. Activation can take up to two minutes.

<Tip>
  Start with the read-only `sobject-reads` server. It exposes query and read tools without create, update, or delete, so you can validate the
  connection before granting write access. Add the broader `sobject-all` server later if your users need to mutate records.
</Tip>

## Connect the server

<Steps>
  <Step title="Register an External Client App">
    In **Setup**, create an **External Client App** to act as the OAuth client. Enable OAuth, and configure it as described in the next steps. This app — not a Connected App — is what MCP Manager authenticates against.
  </Step>

  <Step title="Grant the OAuth scopes">
    Add the scopes Salesforce's MCP servers require:

    | Scope                             | Grants                             |
    | --------------------------------- | ---------------------------------- |
    | `api`                             | Manage user data via APIs          |
    | `sfap_api`                        | Access the Salesforce API Platform |
    | `refresh_token`, `offline_access` | Perform requests at any time       |
  </Step>

  <Step title="Enable PKCE and JWT-based tokens">
    In the app's OAuth settings, turn on **Require Proof Key for Code Exchange (PKCE)** and **Issue JSON Web Token (JWT)-based access tokens for named
    users**. Both are required for the hosted servers.
  </Step>

  <Step title="Copy the Consumer Key and Consumer Secret">
    From the External Client App's settings, copy the **Consumer Key** (this is the Client ID) and the **Consumer Secret**. You'll paste both into MCP
    Manager. Treat the secret like a password.
  </Step>

  <Step title="Activate the server and resolve its URL">
    Enable the server in **Setup → MCP Servers**, then build the URL. Hosted servers live under `api.salesforce.com`, with the path differing by environment and server name:

    | Environment       | MCP server URL                                                     |
    | ----------------- | ------------------------------------------------------------------ |
    | Production        | `https://api.salesforce.com/platform/mcp/v1/<server-name>`         |
    | Sandbox / scratch | `https://api.salesforce.com/platform/mcp/v1/sandbox/<server-name>` |

    Substitute `<server-name>` with an activated server — for example `sobject-reads` (read-only), `sobject-all` (full CRUD), `sobject-mutations`, `sobject-deletes`, or `data-360`. The full read-only production URL is `https://api.salesforce.com/platform/mcp/v1/sobject-reads`.
  </Step>

  <Step title="Add the server in MCP Manager">
    On the [Servers](https://app.mcpmanager.ai/settings/servers) page, add a server, paste the server URL from the previous step, and click **Continue**. Detection resolves to **OAuth with client pre-registration**; supply the credentials from your External Client App:

    * **Client ID** — the External Client App's **Consumer Key**.
    * **Client Secret** — the External Client App's **Consumer Secret**.

    Approve the Salesforce OAuth screen when prompted. MCP Manager stores the credentials encrypted and the server's tools are now available to add to a gateway.
  </Step>
</Steps>

## Gotchas & things to keep in mind

* **External Client App, not Connected App.** Salesforce's hosted MCP servers authenticate against an External Client App. A legacy Connected App is the wrong object here and won't carry the right OAuth settings.
* **PKCE and JWT tokens are non-negotiable.** If either is left off, the OAuth handshake fails. Confirm both are enabled on the app before connecting.
* **Production and sandbox URLs differ.** Sandbox and scratch orgs insert `/sandbox/` into the path (`.../v1/sandbox/<server-name>`); production omits it. Pointing a sandbox connection at the production path — or vice versa — fails to connect.
* **The server name is part of the URL.** Each activated server has its own slug (`sobject-reads`, `sobject-all`, `data-360`, and so on). One URL maps to one server; connect each server you need separately.
* **Activation isn't instant.** After you toggle a server on in Setup, it can take up to two minutes to become active. Connecting before then can fail.
* **Per-user permissions still apply.** The hosted servers respect Salesforce's standard security model — field-level security, object permissions, and sharing rules apply to every tool call. A connected user can only do through MCP Manager what they can do in Salesforce. Decide whether the credential should be per-user or shared — see [per-user versus shared identity](/security/authentication-and-identity#per-user-identity-versus-shared-identity).

## Further reading

<CardGroup cols={2}>
  <Card title="Find & Connect MCP Servers" icon="compass" href="/mcp-server-guides/overview">
    How MCP Manager detects authentication type, and how to find other servers' URLs.
  </Card>

  <Card title="How MCP Manager authenticates" icon="key" href="/security/authentication-and-identity#how-mcp-manager-authenticates-to-a-server">
    What OAuth with client pre-registration means for the credentials you just pasted.
  </Card>

  <Card title="How your credentials are secured" icon="lock" href="/mcp-gateway-concepts/mcp-servers/remote#how-your-credentials-are-secured">
    How MCP Manager stores the Consumer Key and Consumer Secret you provided.
  </Card>

  <Card title="Connect your AI client" icon="plug" href="/tutorials/connect-your-ai-client">
    Point Claude, Cursor, or another client at the gateway once the server is added.
  </Card>
</CardGroup>

## External sources

<CardGroup cols={2}>
  <Card title="Salesforce Hosted MCP Servers" icon="salesforce" href="https://developer.salesforce.com/docs/platform/hosted-mcp-servers/guide/hosted-mcp-servers-overview.html">
    Salesforce's authoritative reference for the hosted MCP servers — availability, setup, and supported servers.
  </Card>

  <Card title="Set Up Your Org" icon="gear" href="https://developer.salesforce.com/docs/platform/hosted-mcp-servers/guide/setup-overview.html">
    Salesforce's own setup steps — the External Client App, OAuth scopes, and PKCE/JWT security settings.
  </Card>
</CardGroup>
