
How to Create an External Client App in Salesforce? (Step-by-Step Guide)

This guide covers everything you need to know about External Client Apps and moving your current Connected Apps to External Client Apps.


Difference between External Client App vs Connected App

External Client Apps are the modern, more secure version of Connected Apps. While Connected Apps have always been the standard for linking external tools to Salesforce, they are difficult to package and move between environments because their settings are all lumped together. While Connected Apps are being retired, the exact same functionality can be easily set up on External Client Apps.

For Sawfish and other integrations that use OAuth 2.0 to connect to Salesforce, the shift to External Client Apps offers better control over usage policies and connection settings. While the setup process differs, the connection can be easily configured to maintain the exact functionality that came with Connected Apps.

Moving your current Connected Apps to External Client App

Here’s how to connect or migrate your apps to the External Client App framework.

    1. Open Setup by clicking on the gear icon on the top right.
      Setup icon Salesforce
    2. Use the search bar to quickly find External Client App Manager.
      Steps to Access External Client App from Setup
    3. Click on Create New External Client App.
      Screenshot of Create new External Client App
    4. In the Basic Information section you can enter the details of your application. Enter the app name and your email.
      Screenshot of Details to enter in External Client App

What to Enter in Distribution State in External Client App?

If you’re a Salesforce admin setting up the connection for your particular organization, you only need to set Distribution State to Local. The Packaged option is useful if you would like to package the app for further distribution.

Setting up OAuth 2.0 Apps with External Client

Scroll further down on the page and open the API (Enable OAuth Settings) tab. Click on the Enable OAuth checkbox to open the menu. Here you will enter the app Callback URL and OAuth Scopes.

Screenshot of OAuth Settings in External Client App

What is Callback URL in External Client App

The Callback URL acts as the designated secure path for the OAuth connection. It is the address where Salesforce sends the authorization code or access token after a user is validated.

After installing the Sawfish plugin, you can copy the URL directly from the Sawfish Connect page in the WordPress dashboard.

Screenshot of Copy Callback URL

What Scopes to Select in External Client App

OAuth scopes define which actions and resources the application has access to.

Screenshot of App Settings and OAuth Scopes

For the Sawfish plugin, select:

  • Perform requests at any time (refresh_token, offline_access)
  • Manage user data via APIs (api)

The plugin uses these to send and receive data between Salesforce and your WordPress website.

Note: Make sure to uncheck the checkbox Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows

Screenshot for Checkboxes for Secret Token

Almost set! Click on the Create button at the bottom.

External Client Apps have an additional setting that you need to update to ensure an uninterrupted connection. Re-open the newly created app from the Manage External Client Apps Menu.

Click on the Edit button in the Policies tab.

Screenshot for Refresh Token Policy to Ensure Connection

Find the App Authorization policy setting at the bottom left and select Refresh token is valid until revoked.

Click Save.

In Connected Apps, all apps were set to stay permanently connected until they were revoked from the Salesforce OAuth page.

What is Refresh Token Expiration

A Refresh Token is like a digital key that allows your integration to stay connected and request new access sessions automatically without requiring a user to log in again.

Setting the Refresh Token Expiration therefore determines how long your app can stay connected to Salesforce without a human having to log in again.

Setting it to Refresh token is valid until revoked ensures:

  • No Interruptions: If the token expires, your integration (like Sawfish) will suddenly stop working until someone manually re-authenticates.

  • Set It and Forget It: Ensures that background tasks and automated syncs keep running 24/7 without needing constant maintenance.

  • Better User Experience: You won’t have to deal with annoying “session expired” errors or “re-connect your account” prompts every few weeks.

Where to See Consumer Key and Consumer Secret in External Client App

Next, you can access the Consumer Key and Consumer Secret needed to connect your application. In External Client Apps you can view this info at any time by selecting the app from the External Client App Manager and then selecting the Settings tab.

Scroll down, open the OAuth Settings section, and click on Consumer Key and Secret.

Screenshot of where to View Consumer Key and Consumer Secret in External Client App

You can then Copy the Consumer Key and Consumer Secret shown on the screen.
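
How the values configured above fit together in the OAuth 2.0 authorization code flow, as an added example (not the Sawfish plugin's code). The Consumer Key, Consumer Secret and Callback URL below are constructed placeholders; with PKCE unchecked, the state check ties the callback to the session that started it, and the Consumer Secret authenticates the app when the code is exchanged.

```python
import secrets
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Salesforce production login host; sandboxes use test.salesforce.com.
AUTH_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

# Constructed placeholders (assumptions), not real credentials or the plugin's URL.
CONSUMER_KEY = "EXAMPLE_CONSUMER_KEY"
CONSUMER_SECRET = "EXAMPLE_CONSUMER_SECRET"
CALLBACK_URL = "https://wp.example.com/sawfish/callback"
SCOPES = "api refresh_token offline_access"  # the two scopes selected above

def new_state():
    """Unguessable per-session value, stored server-side before redirecting."""
    return secrets.token_urlsafe(32)

def build_authorize_url(state):
    """URL the admin's browser is sent to; redirect_uri must equal the Callback URL."""
    return AUTH_URL + "?" + urlencode({
        "response_type": "code", "client_id": CONSUMER_KEY,
        "redirect_uri": CALLBACK_URL, "scope": SCOPES, "state": state})

def read_callback(url, expected_state):
    """Return the authorization code; reject callbacks this session did not start."""
    params = parse_qs(urlparse(url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code

def code_exchange_form(code):
    """Form POSTed to TOKEN_URL; the response holds access_token and refresh_token."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": CONSUMER_KEY, "client_secret": CONSUMER_SECRET,
            "redirect_uri": CALLBACK_URL}

def refresh_form(refresh_token):
    """Form POSTed to TOKEN_URL later, with no user present, for a new access token."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": CONSUMER_KEY, "client_secret": CONSUMER_SECRET}
```

Because the refresh token stays valid until revoked under the policy chosen above, it and the Consumer Secret should be stored with the same care as a password.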

 

Insufficient Privileges

You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary. For more information, see Insufficient Privileges Errors.

If you see this error in External Client App, make sure to add the permission below.

How to Grant Permission to Consumer Key and Consumer Secret

Shows Permissions to Access External Client App Settings

To resolve the Insufficient Privileges error, open the profile associated with your user and add the View all External Client Apps, views their settings, and edit policies permission.

Stuck on a particular step? Feel free to send us a message or email us if you’d like more information on setting this up.