A powerful sales/CRM agent that can create/update leads and contacts, log activities (calls, emails), generate reports, and automate case management in Service Cloud.

Connect Salesforce to Auth0

1

Salesforce setup

  1. Sign up for a Salesforce Developer account or use your existing Salesforce org.
  2. In your Salesforce org, navigate to SetupPlatform ToolsAppsApp Manager.
  3. Click New External Client App.
  4. Fill in the basic information:
    • Connected App Name: Enter a descriptive name for your integration
    • API Name: This will be auto-generated based on the app name
    • Contact Email: Your email address
  5. In the API (Enable OAuth Settings) section:
    • Check Enable OAuth Settings
    • Callback URL: https://YOUR_AUTH0_DOMAIN/login/callback
    You can find the Auth0 domain in the Auth0 Dashboard.You can find this under Applications > [Your Application] > Settings > Basic Information > Domain.If you are using the custom domains feature, your Auth0 domain is the custom domain. You can find this under Branding > Custom Domains.
    • Selected OAuth Scopes: Add the following scopes:
      • api - Access and manage your data (api)
      • refresh_token - Perform requests on your behalf at any time (refresh_token, offline_access)
      • openid - Access your identity URL service
  6. Important Token Configuration (for optimal Token Vault compatibility):
    • Require Secret for Web Server Flow: Check this option for enhanced security
    • Require Secret for Refresh Token Flow: Check this option to secure token refresh operations
    • Enable Refresh Token Rotation: Check this option to enable rotation on each refresh
    • Issue JSON Web Token (JWT)-based access tokens for named users: check this option, it provides longer token validity and better performance
  7. Click Create and wait for the app to be created.
  8. After creation, note your Consumer Key (Client ID) and Consumer Secret (Client Secret).
Token Configuration Important Notes:
  • If you select opaque tokens instead of JWT, Token Vault will default the expiry time to 10 minutes, which may cause frequent token refreshes.
  • Ensure the refresh_token scope is enabled in your Connected App settings, not just requested in Auth0. Without this scope enabled on the Salesforce side, Auth0 cannot request refresh tokens.
  • Consider enabling refresh token rotation for better security practices.
To learn more about Salesforce Connected App setup, read the Create a Connected App documentation.
2

Auth0 setup

  1. In the Auth0 Dashboard, go to Authentication > Social.
  2. Select Create Connection, then choose Salesforce.
  3. Click Continue.
  4. In General:
    1. Enter the Client ID and Client Secret from your Salesforce OAuth app.
    2. Under Scopes, select the scope(s) required for your application. These determine what permissions your application can request from Salesforce, whether for authentication (such as accessing basic profile details) or for API access (such as connecting to the provider's APIs).
    3. Add any additional scopes your application requires in the Additional Scopes field.
  5. In Advanced, Enable Token Vault. This lets the connection retrieve and securely store access tokens for third‑party APIs. Learn more in Configure Token Vault.
  6. Click Create.
  7. After creation, you are redirected to the Applications page. Select the application(s) to enable this connection for.
    Note: In a new Auth0 tenant, you can select the Default App.
  8. Once you have created your Salesforce social connection, test your connection to ensure the setup is working correctly before using it in your application.
Required Scopes: Make sure to include the following scopes in your Auth0 connection configuration:
  • openid - Access your identity URL service
  • api - Access and manage your data
  • refresh_token - Perform requests on your behalf at any time
  • offline_access - Maintain access when you’re not present
These scopes must also be enabled in your Salesforce Connected App configuration.
This guide walks you through setting up the Salesforce connection in Auth0. For an end-to-end example that shows how to set up your app to call third-party APIs on the user's behalf using a connection like this, read the Call Other's APIs on User's Behalf Quickstart.

Token Vault configuration example

To configure the Token Vault for your Salesforce connection, you can use the following code snippet in your application: 
const auth0AI = new Auth0AI();

export const withSalesforceConnection = auth0AI.withTokenForConnection({
  connection: "salesforce",
  scopes: ["openid", "api", "refresh_token", "offline_access", ...],
  refreshToken: getAuth0RefreshToken(),
});

Troubleshooting

Invalid Grant Errors

If you encounter invalid_grant errors with expired access/refresh tokens:
  1. Check token configuration: Ensure your Connected App uses JWT tokens instead of opaque tokens.
  2. Verify refresh token policy: Set the refresh token policy to “valid until revoked” in your Connected App.
  3. Scope configuration: Confirm that the refresh_token and offline_access scopes are enabled in both your Salesforce Connected App and Auth0 connection.
  4. Token rotation: If using refresh token rotation, ensure your application handles the new refresh token returned with each refresh request.

Common Issues

  • Scope errors: Ensure all required scopes are enabled in your Salesforce Connected App settings, not just requested in Auth0.
  • Token expiry: JWT tokens have longer expiry times than opaque tokens. If using opaque tokens, expect frequent token refreshes.
  • Multiple authorizations: Avoid authorizing the same user multiple times rapidly, as this may cause token invalidation issues.
For additional troubleshooting resources, refer to Salesforce’s OAuth troubleshooting documentation and error code references.

Next steps