{% extends "base.html" %} {% block title %}Connected Apps — Salesforce Security AI Scanner{% endblock %} {% block extra_head %} {% endblock %} {% block content %}
Manage the Salesforce Connected Apps / External Client Apps used for OAuth login in scans.
What is a Connected App? A Salesforce Connected App (or External Client App since Spring '26) provides the OAuth credentials for this tool to authenticate on behalf of users into a Salesforce org.
Each Connected App must be registered inside the Salesforce org you want to scan
(Setup → App Manager → New Connected App). Configure:
OAuth 2.0 with PKCE, callback URL = {{ app_base_url }}/auth/sf/callback,
scopes: api, web, openid.
PKCE-only — no secret required.
This tool uses the OAuth 2.0 Authorization Code + PKCE (S256) flow,
the same approach used by the Salesforce CLI sf org login web command.
No Consumer Secret is stored — the PKCE code verifier is
the security credential. In your Connected App, uncheck
"Require Secret for Web Server Flow" (or enable "Require PKCE").
Spring '26 note: External Client Apps (the new type) are org-scoped — create one per org you scan. Pre-Spring '26 Connected Apps continue to work.
{{ ca.client_id }}
{{ ca.app_base_url }}/auth/sf/callback
No Connected Apps configured yet.