Salesforce

Salesforce (opens new window) is a best-of-breed cloud customer relationship management app, enabling organizations to easily manage and track leads, contacts, and opportunities. It is built on the Force.com (opens new window) platform, and can be readily extended with an expansive range of third-party marketplace apps and other Salesforce products that encompass sales, marketing, customer service and commerce.

Use cases

Explore the capabilities of the Salesforce connector in our use cases documentation. Discover how you can use the Salesforce connector to create powerful multi-app workflows and automations:

• Display Salesforce account details directly in Slack with Workbot for Slack.
• Set up a workflow to track leads by creating a Salesforce task and adding a Snowflake row when new lead activity is detected in Marketo.
• Try a batch-sync solution that transfers data from MySQL to Salesforce.
• Ensure phone numbers are validated before syncing contacts from Salesforce to Snowflake.

API version

The Salesforce connector uses Salesforce REST API version 62.0 (opens new window).

Supported editions and versions

The Salesforce connector works with all Salesforce cloud instances, for example, Professional, Enterprise, Unlimited, and Developer. It also supports the following (not limited to) editions of Salesforce:

• Salesforce Sales Cloud
• Salesforce Service Cloud
• Salesforce Partner Community
  • To login, go to Advanced settings in the connection and provide the community custom domain
• Salesforce Consumer Goods Cloud
• Salesforce Marketing Cloud
  • SFMC has a separate connector
• Salesforce Data Cloud
  • Available as a community connector (opens new window) built and supported by Workato

It also works with Force.com applications. For all other editions not mentioned above, please contact your Workato representative for assistance.

How to connect to Salesforce

Workato supports the following types of connections to Salesforce:

• OAuth 2.0 authentication

• JWT bearer authentication

Refer to the Roles and permissions required to connect section for information about prerequisite permissions.

OAuth 2.0 authentication

Complete the following steps to connect to Salesforce using OAuth 2.0 authentication:

OAUTH RESTRICTIONS

As of early September 2025, Salesforce restricts the use of uninstalled Salesforce Connected Apps. Refer to OAuth restrictions for required actions if you encounter errors when you create a new connection. These steps are required for all new Salesforce connections starting September 17, 2025.

1

Click Create > Connection.

2

Search for and select Salesforce on the New connection page.

3

Provide a name for your connection in the Connection name field.

OAuth2.0 Salesforce connection setup

4

Use the Location drop-down menu to select the project where you plan to store the connection.

5

Use the Auth type drop-down menu to select OAuth 2.0 (Authorization Code Grant) as the authentication method.

6

Use the Sandbox drop-down menu to specify whether the Salesforce account is a sandbox account.

7

Optional. Expand Advanced settings to configure advanced connection options:

Advanced settings

1

Optional. Enter the URL to your Salesforce community's custom domain in the Organization/community custom domain URL field. This is required for community connections with unique domains.

2

Optional. Use the Requested permissions drop-down menu to select permissions (opens new window) to request for this connection. Defaults to full (all permissions) if left blank. Workato always requests the minimum permissions (basic info, manage data and make requests at any time).

3

Optional. Use the Verified user access configuration section to configure custom auth for personal connections. Refer to the Runtime user connection documentation for more information.

8

Optional. Use the Custom OAuth profile drop-down menu to select a custom OAuth profile for your connection. Refer to the Salesforce custom OAuth documentation for more information.

9

Click Connect.

10

Optional. Complete the following steps to connect to a Salesforce organization with a custom domain:

Connect to a custom domain

1

Click Use Custom Domain in the sign-in modal.

2

Enter your Custom domain, then click Continue.

Enter your Custom domain.

11

Enter your Salesforce Username and Password.

Log in to your Salesforce account

12

Click Log In to complete the setup.

CONNECTION ERRORS

If you see an error such as OAUTH_APPROVAL_ERROR_GENERIC, Salesforce is restricting the Workato app because it isn't installed. A Salesforce admin must install the app in Connected Apps OAuth Usage or assign the Salesforce permissions. Refer to the OAuth restrictions section for details.

OAuth restrictions

Salesforce enforces restrictions on OAuth Salesforce Connected Apps in early September 2025. These restrictions affect only new Salesforce connections created in Workato. Existing connections and recipes continue to run. Refer to Salesforce's official announcement (opens new window) for more information.

• If you already created a Salesforce connection in Workato: Your organization already displays the Workato connector in Connected Apps OAuth Usage. Existing connections keep working. If the app displays Install, a Salesforce admin must install it and configure OAuth policies to avoid errors when you create new connections. If the app displays Uninstall, the app is already installed and no further action is required.

• If this is your first Salesforce connection in Workato: Your organization doesn't display the Workato connector until a Salesforce admin creates a connection in Workato. After that, the app appears in Connected Apps OAuth Usage, where the admin can install it.

As an alternative, the admin can assign Salesforce permissions that allow OAuth without installation. This option is only recommended for trusted integration users, such as admins or developers. These include the following:

• Approve Uninstalled Connected Apps: Allows trusted users to self-authorize uninstalled apps. Available when API Access Control isn't enabled.
• Use Any API Client: Broader bypass permission that works when API Access Control is enabled.

Refer to Salesforce's documentation (opens new window) for details.

Token expiration

OAuth tokens may expire after a set amount of time, depending on their configuration in Salesforce. Optionally, you can set the Salesforce Refresh Token Policy to Refresh token is valid until revoked and provide Workato the Perform requests at any time scope to prevent unexpected disconnections.

Workato automatically requests the Perform requests at any time scope for OAuth 2.0 connections. Full access doesn't include this scope when you configure settings in Salesforce. You must configure Perform requests at any time independently.

Refer to the Salesforce Manage OAuth Access Policies for a Connected App (opens new window) and OAuth Tokens and Scopes (opens new window) guides for additional token expiration options and configuration steps.

JWT bearer authentication

JWT bearer authentication connects using a digital certificate that signs a JWT request. This differs from standard OAuth 2.0, which connects to a specific Salesforce account. Workato sends a JWT to the Salesforce OAuth token endpoint, where Salesforce processes the JWT and issues an access token based on prior approval of Workato in Salesforce.

ACTIONS ON-BEHALF-OF USER

JWT connections can perform actions on behalf of a user you specify using the On-behalf-of-user email field. Contact your Workato Customer Success Manager to enable this feature.

PERMISSIONS

Refer to the Roles and permissions section and the Salesforce JWT documentation (opens new window) to configure scopes granted by JWT.

Complete the following steps to connect to Salesforce using JWT bearer authentication:

1

Click Create > Connection.

2

Search for and select Salesforce on the New connection page.

3

Provide a name for your connection in the Connection name field.

Configure Salesforce JWT Bearer connection

4

Use the Location drop-down menu to select the project where you plan to store the connection.

5

Use the Auth type drop-down menu to select JWT token as the authentication method.

6

Use the Sandbox drop-down menu to specify whether the Salesforce account is a sandbox account.

7

Refer to the Salesforce Create a Private Key and Self-Signed Digital Certificate (opens new window) guide to create a private key and a digital certificate.

8

Refer to the Salesforce Create a Connected App in Your Org (opens new window) guide to upload your digital certificate to Salesforce.

9

Return to Workato and enter your Private key.

10

Enter the Issuer for the JWT connection. The issuer must contain the OAuth client ID of the connected app in Salesforce for which you registered the certificate.

11

Enter the Subject for the JWT connection. The subject must contain the username of the user you plan to authenticate as. This should contain the username of a valid Experience Cloud user if you're implementing for an Experience Cloud site. You can use principal (prn) instead of subject (sub) for backward compatibility. If both are specified, prn is used.

12

Enter your Salesforce Subdomain. For example, if your Salesforce URL is yourInstance.salesforce.com, the subdomain is yourInstance.

13

Optional. Use the Custom OAuth profile drop-down menu to select a custom OAuth profile for your connection. Refer to the Salesforce custom OAuth documentation for more information.

14

Click Connect.

15

Optional. Complete the following steps to connect to a Salesforce organization with a custom domain:

Connect to a custom domain

1

Click Use Custom Domain in the sign-in modal.

2

Enter your Custom domain, then click Continue.

Enter your Custom domain.

16

Enter your Salesforce Username and Password.

Log in to your Salesforce account

17

Click Log In to complete the setup.

Roles and permissions required to connect

We recommend provisioning and assigning a dedicated Salesforce integration user. Salesforce connections in Workato inherit the permissions (opens new window) of the account used for authentication, including access to fields and objects.

User permissions and access settings (opens new window) control what users can do in your Salesforce organization:

• Permissions: Define the actions a user can take, such as editing object records, accessing the Setup menu, permanently deleting items from the Recycle Bin, or resetting another user’s password.

• Access settings: Control broader features, such as the visibility of apps, access to Apex classes, and more.

You can define user permissions and access settings using profiles (opens new window) and permission Sets (opens new window). Each user is assigned one profile, but can have multiple permission sets. Use profiles to assign the minimum required permissions for a specific group of users. Then use permission sets to add additional permissions as needed.

API enabled permission

You must have the API Enabled permission in Salesforce to create a connection. Open Salesforce and go to Setup > Profiles to configure this permission. API enabled permission - profile setup

Standard and custom object permissions

We recommend that the connected user's account has permissions to read, write, edit, delete, view all, and modify all for the standard or custom object in your Salesforce organization. This ensures the connected user can interact with Salesforce objects.

Refer to the Salesforce Object Permissions (opens new window) guide for details about the difference between standard object privileges and the View all and Modify all permissions.

Salesforce standard object profile permissions setup

Salesforce custom object profile permissions setup

Object-level security is the broadest way to control data access. You can use object-level security to configure a user's ability to view, create, edit, or delete records of a specific object type, such as leads or opportunities. For example, object-level security can hide objects and their associated tabs from users, making a data type completely invisible.

MISSING OBJECTS

Object-level security settings prevent objects from appearing in Workato. Check with your Salesforce admin to confirm that the integration user can access all required objects.

Platform event permissions

Platform event triggers and actions require that platform events be enabled in your Salesforce organization. Additionally, the connected Salesforce account must have read and create permissions for platform events.

Salesforce platform events permissions - profile setup

Real-time trigger permissions

Your Salesforce organization must have Workflow rules set up to use real-time triggers. The connected user doesn't need to be the user who creates these rules.

Creating workflow rules requires the Customize application permission. Open Salesforce and go to Setup > Permission sets to configure this permission.

Customize application permission - profile setup

DEPRECATION NOTICE PERTAINING TO REAL-TIME TRIGGERS

Currently, the real-time triggers configured in Workato rely on Salesforce Workflow rules. These existing Workflow rules will continue to be supported. However, we recommend all new recipes to use Salesforce Flows as Workflow Rules and Process Builder have now been deprecated (opens new window) by Salesforce. There is a migration tool (opens new window) to move your Workflow rules into Flows. As the outbound messages configured in Salesforce will remain the same, the process should not affect Workato recipes. Nevertheless, we recommend testing the migration in the Salesforce sandbox account first to ensure that there are no unexpected issues.

Bulk/batch action permissions

Bulk actions require the Manage Data Integrations, View Setup and Configuration and API Enabled permissions on the connected Salesforce account. Refer to the Salesforce Manage Bulk Data Load Jobs (opens new window) guide for more information.

Field-level security

Field-level security (opens new window) controls the visibility of fields in Salesforce, including related lists, list views, reports, and search results. Field-level security also controls whether users can view or edit the values of individual object fields. This allows you to protect sensitive data without hiding entire objects.

You can configure field-level security using permission sets (opens new window) and profiles (opens new window).

MISSING FIELDS

Field-level security settings can prevent fields from appearing in Workato. Check with your Salesforce admin to confirm that the integration user can access all required fields.

Working with the Salesforce connector

Can I connect more than one Salesforce account in a single recipe?

Yes, you can connect to two accounts in a single recipe using the Salesforce Secondary connector. Refer to the Secondary connectors documentation for more information.

Best practices

When starting to use Workato with your Salesforce account, we recommend that you either do it on a sandbox account, or test on non-essential pieces of data. This would prevent any loss of crucial data, especially since actions performed through Workato cannot be undone.

Working with sandboxes on Workato

Salesforce sandboxes are isolated from your Salesforce production organization, so operations that you perform in your sandboxes don’t affect your Salesforce production organization, and conversely. Sandboxes are nearly identical to your Salesforce production organization. For a list of differences, see Sandbox Setup Tips and Considerations (opens new window).