{% extends "base.html" %} {% block title %}Connected Apps — Salesforce Security AI Scanner{% endblock %} {% block extra_head %} {% endblock %} {% block content %}

Connected Apps

Manage the Salesforce Connected Apps / External Client Apps used for OAuth login in scans.

{% if saved %}
Connected App saved successfully.
{% endif %} {% if error %}
{{ error }}
{% endif %}

What is a Connected App? A Salesforce Connected App (or External Client App since Spring '26) provides the OAuth credentials for this tool to authenticate on behalf of users into a Salesforce org.

Each Connected App must be registered inside the Salesforce org you want to scan (Setup → App Manager → New Connected App). Configure: OAuth 2.0 with PKCE, callback URL = {{ app_base_url }}/auth/sf/callback, scopes: api, web, openid.

PKCE-only — no secret required. This tool uses the OAuth 2.0 Authorization Code + PKCE (S256) flow, the same approach used by the Salesforce CLI sf org login web command. No Consumer Secret is stored — the PKCE code verifier is the security credential. In your Connected App, uncheck "Require Secret for Web Server Flow" (or enable "Require PKCE").

Spring '26 note: External Client Apps (the new type) are org-scoped — create one per org you scan. Pre-Spring '26 Connected Apps continue to work.

{% if connected_apps %}
{% for ca in connected_apps %}
{{ ca.name }} {{ ca.login_url | replace('https://', '') | replace('http://', '') }}
Client ID: {{ ca.client_id }}
{% if ca.app_base_url %}
Callback Base URL: {{ ca.app_base_url }}/auth/sf/callback
{% endif %}
Added {{ ca.created_at.strftime('%Y-%m-%d') if ca.created_at else '—' }}
{% endfor %}
{% else %}

No Connected Apps configured yet.

{% endif %}
{% endblock %} {% block extra_scripts %} {% endblock %}