- Getting started
- Notifications
- Licensing
- Troubleshooting
- Connector Builder
- Act! 365
- ActiveCampaign
- Active Directory - Preview
- Adobe Acrobat Sign
- Adobe PDF Services
- Amazon Bedrock
- Amazon Connect
- Amazon Polly
- Amazon SES
- Amazon Transcribe
- Amazon Web Services
- Anthropic Claude
- Asana
- AWeber
- Azure AI Document Intelligence
- Azure Defender for Cloud
- Azure Maps
- BambooHR
- Box
- Brevo
- Calendly
- Campaign Monitor
- Cisco Webex Teams
- Citrix Hypervisor
- Citrix ShareFile
- Clearbit
- Confluence Cloud
- Constant Contact
- Coupa
- CrewAI – Preview
- Customer.io
- Database Hub - Preview
- Databricks Agent
- Datadog
- DeepSeek
- Deputy
- Discord - Preview
- DocuSign
- Drip
- Dropbox
- Dropbox Business
- Egnyte
- Eventbrite
- Exchangerates
- Exchange Server - Preview
- Expensify
- Facebook
- Freshbooks
- Freshdesk
- Freshsales
- Freshservice
- GetResponse
- GitHub
- Gmail
- Google Cloud Platform
- Google Docs
- Google Drive
- Google Forms - Preview
- Google Maps
- Google Sheets
- Google Speech-to-Text
- Google Text-to-Speech
- Google Tasks - Preview
- Google Vertex
- Google Vision
- Google Workspace
- GoToWebinar
- Greenhouse
- Hootsuite
- HTTP
- HTTP Webhook
- Hubspot CRM
- HubSpot Marketing
- HyperV - Preview
- Icertis
- iContact
- Insightly CRM
- Intercom
- Jina.ai
- Jira
- Keap
- Klaviyo
- LinkedIn
- Mail
- Mailchimp
- Mailgun
- Mailjet
- MailerLite
- Marketo
- Microsoft 365
- Microsoft Azure
- Microsoft Azure Active Directory
- Microsoft Azure AI Foundry
- Microsoft Azure OpenAI
- Microsoft Azure Sentinel
- Microsoft Dynamics 365 CRM
- Microsoft OneDrive & Sharepoint
- Microsoft Outlook 365
- Microsoft Power Automate – Preview
- Microsoft Sentiment
- Microsoft Sentinel Threat Intelligence
- Microsoft Teams
- Microsoft Translator
- Microsoft Vision
- Miro
- NetIQ eDirectory
- Nvidia NIM – Preview
- Okta
- OpenAI
- OpenAI V1 Compliant LLM
- Oracle Eloqua
- Oracle NetSuite
- PagerDuty
- PayPal
- PDFMonkey
- Perplexity
- Pinecone
- Pipedrive
- QuickBooksOnline
- Quip
- Salesforce
- About the Salesforce connector
- Salesforce authentication
- Salesforce events
- Salesforce AgentForce & Flows – Preview
- Salesforce Marketing Cloud
- SAP BAPI
- SAP Cloud for Customer
- SAP Concur
- SAP OData
- SendGrid
- ServiceNow
- Shopify
- Slack
- SmartRecruiters
- Smartsheet
- Snowflake
- Snowflake Cortex
- Stripe
- Sugar Enterprise
- Sugar Professional
- Sugar Sell
- Sugar Serve
- System Center - Preview
- TangoCard
- Todoist
- Trello
- Twilio
- UiPath Apps - Preview
- UiPath Data Fabric – Preview
- UiPath GenAI Activities
- UiPath Orchestrator
- X (formerly Twitter)
- Xero
- watsonx.ai
- WhatsApp Business
- WooCommerce
- Workable
- Workday
- Workday REST
- VMware ESXi vSphere
- YouTube
- Zendesk
- Zoho Campaigns
- Zoho Desk
- Zoho Mail
- Zoom
- ZoomInfo
Integration Service user guide
Salesforce authentication
Supported editions
To authenticate on Salesforce, you must have an edition that includes API support. The Salesforce connector works with the following edition (not limited to):
- Salesforce Sales Cloud (Enterprise or Professional with API support)
For all other editions not listed, contact your UiPath representative for assistance.
The connector uses the Salesforce REST API. Confirm that your Salesforce edition includes API access before proceeding.
Prerequisites
To create a connection, you need the following credentials:
- OAuth 2.0 Authorization code: username, password.
- OAuth 2.0 Password: username, password, security token.
- Bring your own OAuth 2.0 app: Client ID, Client secret.
- Personal Access Token (PAT): JWT base64 encoded key, Audience, Issuer, Subject.
Additionally, you may need an authenticator application installed on your mobile phone if your Salesforce organization enforces multi-factor authentication (MFA).
Before creating a connection, also ensure the following:
- You have a Salesforce Sales Cloud Enterprise edition, Professional edition with API support, or another supported edition listed above.
- You have Administrator privileges in Salesforce Sales Cloud to set up applications. Contact your system administrator if you do not have these privileges.
- The API Enabled permission is activated for your Salesforce user profile. To verify: open Salesforce and go to Setup > Administration > Users > Profiles, select the relevant profile, and confirm that API Enabled is checked.
- How to check your assigned profile: Click your profile avatar in the top-right corner of Salesforce, then click Settings > Advanced User Details. Your profile name is listed in the Profile field. Alternatively, go to Setup > Administration > Users > Users and check the Profile column for your username.
- We recommend provisioning and assigning a dedicated Salesforce integration user for UiPath connections. Connections inherit the permissions of the account used for authentication, including access to fields and objects. Using a dedicated user ensures consistent, auditable access.
Authentication methods
The UiPath Salesforce connector supports the following authentication methods. The credentials required depend on the method you choose:
| Auth method | Description | Required credentials |
|---|---|---|
| OAuth 2.0 Authorization Code | Redirects to Salesforce for login and consent. | Salesforce username and password |
| OAuth 2.0 Password | Legacy authentication for older Salesforce accounts/apps. Blocked by default for new orgs as per Salesforce release notes. Only use for special scenarios. | Username, password, security token |
| JWT Bearer (PAT) | JSON Web Token-based server-to-server authentication using a digital certificate. Ideal for unattended automations where no interactive login is possible. | JWT base64 encoded private key, Audience, Issuer (Client ID), Subject (username) |
| Bring Your Own App (BYOA) | Uses a private application you create in Salesforce. Recommended by UiPath since it gives you full control over scopes, policies, and branding. | Client ID, Client Secret (from your Salesforce External Client App) |
To learn more about the different types of authentication available for Salesforce, refer to the official Salesforce documentation in Create an External Client App.
OAuth 2.0 Authorization code
This method uses the public UiPath connected application and redirects you to Salesforce for authentication. Follow these steps:
- Select Orchestrator from the UiPath product launcher.
- Select a folder, then navigate to the Connections tab.
- Select Add connection.
- Search for and select the Salesforce connector from the list.
- Select the environment: Production or Sandbox.
- Select OAuth 2.0 Authorization Code as the authentication method.
- Select Connect. You will be redirected to the Salesforce login page.
- Enter your Salesforce username and password.
- If prompted by MFA, enter the verification code from your authenticator app.
- Review the permissions requested by UiPath and click Allow.
- You are redirected back to Orchestrator. The connection status should show as Connected.
Custom domain: If your Salesforce organization uses a custom domain, click Use Custom Domain on the Salesforce login screen, enter your custom domain URL (e.g., yourcompany.my.salesforce.com), then click Continue and enter your credentials.
This method uses the public UiPath Connected App. If you encounter an OAUTH_APPROVAL_ERROR_GENERIC error, see the Troubleshooting section.
OAuth 2.0 Password (legacy)
This authentication method is blocked by default for new Salesforce organizations. Salesforce has deprecated the Username-Password OAuth flow for most use cases. Only use this method if your organization explicitly requires it for backward compatibility.
If you need to use this method, first enable it by following the Salesforce documentation: OAuth 2.0 Username-Password Flow for Special Scenarios. Then:
- Follow steps 1–5 from the OAuth 2.0 Authorization Code instructions above.
- Select OAuth 2.0 Password as the authentication method.
- Enter your Salesforce username, password, and security token.
- Select Connect.
Obtaining your security token: In Salesforce, go to your profile settings > Reset My Security Token. The token is sent to your email. Append it to your password when connecting.
JWT Bearer authentication (PAT)
JWT bearer authentication uses a digital certificate to sign a JWT request, enabling server-to-server integration without interactive login. This is ideal for unattended automations. Follow these steps:
- Create a private key and self-signed digital certificate. Refer to the Salesforce guide: Create a Private Key and Self-Signed Digital Certificate.
- Create an External Client App in Salesforce. Go to Setup > Apps > External Client Apps > External Client App Manager and click New External Client App. Upload your digital certificate in the app configuration. (See the BYOA / External Client App Setup section below for detailed steps.)
- Configure the JWT Bearer flow. In the External Client App settings, enable the JWT Bearer flow under Flow Enablement. Assign the required OAuth scopes.
- Pre-authorize the app for your integration user. Go to Setup > Connected Apps > Manage Connected Apps, find your app, and under Policies, set Permitted Users to "Admin approved users are pre-authorized." Then add the relevant profile or permission set.
- In UiPath Orchestrator, select Orchestrator > folder > Connections > Add connection > Salesforce.
- Select the environment (Production or Sandbox).
- Select Personal Access Token (PAT) as the authentication method.
- Enter the required credentials:
- JWT base64 encoded key: Your private key in base64 format.
- Issuer: The OAuth Client ID (Consumer Key) from your External Client App.
- Subject: The username of the Salesforce user you want to authenticate as.
- Audience: The Salesforce token endpoint URL (e.g.,
https://login.salesforce.comfor production orhttps://test.salesforce.comfor sandbox).
- Select Connect.
For more details on enabling JWT Tokens, refer to the Salesforce documentation: OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration, Enable JSON Web Token (JWT)-Based Access Tokens, and JWT-Based Access Tokens.
Bring your own app (BYOA) (recommended)
Salesforce has deprecated the legacy Connected App model. All new applications must be created as External Client Apps. Existing Connected Apps continue to function, but Salesforce recommends migrating to External Client Apps. The steps below reflect the new External Client App workflow.
This method uses a private application that you create and manage in Salesforce, giving you full control over OAuth scopes and security policies. Follow these steps:
Step A: Create an External Client App in Salesforce
- Sign in to your Salesforce account and go to Setup.
- Navigate to Apps > External Client Apps > External Client App Manager.
- Click New External Client App.
- Fill in the required fields:
- External Client App Name: A descriptive name (e.g., "UiPath Integration").
- API Name: Must contain only underscores and alphanumeric characters, be unique, start with a letter, and not end with an underscore or contain consecutive underscores.
- Contact Email: The email address for the app owner.
- Distribution State: Select Local (for single-org use) or Packaged.
- Expand the API (Enable OAuth Settings) section and check Enable OAuth.
- In the Callback URL field, enter the UiPath OAuth callback URL provided in your Orchestrator connection setup screen.
- Select the required OAuth Scopes and move them to Selected OAuth Scopes. At minimum, include: Access the identity URL service, Manage user data via APIs, and Perform requests at any time.
- Under Flow Enablement, select Enable Authorization Code and Credentials Flow.
- Under Security, check both Require secret for Web Server Flow and Require secret for Refresh Token Flow.
- Click Create.
Step A.1: Configure policies (required)
After creating the External Client App, you must configure its policies:
- Go to Setup > Connected Apps > Manage Connected Apps.
- Find your External Client App and click Edit Policies.
- Set the following:
- Permitted Users: "All users may self-authorize"
- IP Relaxation: "Relax IP restrictions"
- Refresh Token Policy: "Refresh token is valid until revoked"
- Click Save.
Step B: Retrieve the Client ID and Client Secret
- In the External Client App, go to the Settings tab.
- Expand OAuth Settings.
- Click Consumer Key and Secret.
- Enter your credentials (and OTP if prompted).
- Copy the Consumer Key (this is your Client ID) and Consumer Secret (this is your Client Secret). Store these securely.
After creating or modifying an External Client App, Salesforce can take up to 10 minutes to propagate the changes. Wait before attempting to connect.
Step C: Connect in UiPath Orchestrator
- In Orchestrator, go to your folder > Connections > Add connection > Salesforce.
- Select the environment (Production or Sandbox).
- Select Bring Your Own OAuth 2.0 App as the authentication method.
- Enter the Client ID and Client Secret from Step B.
- Select Connect.
- Complete the Salesforce login and authorize the app.
For more details, refer to the Salesforce documentation: Configure the External Client App OAuth Settings and Enable OAuth Settings for API Integration.
Token expiration and refresh
OAuth tokens may expire after a set amount of time depending on your Salesforce configuration. To prevent unexpected disconnections in production workflows:
- Set the Refresh Token Policy to "Refresh token is valid until revoked" in your Salesforce Connected App or External Client App settings.
- Ensure the "Perform requests at any time" scope is granted. This scope enables offline refresh and is not included in the "full access" scope — it must be configured independently.
Refer to the Salesforce guides: Manage OAuth Access Policies for a Connected App and OAuth Tokens and Scopes for detailed configuration steps.
Sandbox setup
For setting up a Sandbox account, follow the steps described in the Salesforce official documentation: Sandbox Setup Considerations.
Salesforce sandboxes are isolated from your production organization. Operations performed in a sandbox do not affect production data, and vice versa. Sandboxes are nearly identical to production, but some differences exist — refer to the Salesforce documentation for details.
When first starting to use UiPath with Salesforce, we recommend testing on a sandbox account or with non-essential data. This prevents any loss of crucial data, especially since actions performed through automations may not be easily undone.
Permissions
Salesforce connections in UiPath inherit the permissions of the account used for authentication. Below is a comprehensive guide to the permissions required.
Required OAuth scopes (public UiPath app)
When creating a connection through the public UiPath application, the connector requests the following permissions:
| Permission / Scope | Purpose |
|---|---|
| Access the identity URL service | Retrieve user identity information |
| Manage user data via APIs | Read and write Salesforce records via API |
| Manage user data via Web browsers | Browser-based data access |
| Access Connect REST API resources | Chatter and Connect API access |
| Access Visualforce applications | Interact with Visualforce pages |
| Access unique user identifiers | Unique user ID access for mapping |
| Access custom permissions | Read custom permission assignments |
| Access Analytics REST API resources | Reports and dashboards via API |
| Access Analytics REST API Charts Geodata resources | Geo-data in analytics |
| Manage hub connections | Hub connection management |
| Manage Pardot services | Pardot marketing automation access |
| Access Lightning applications | Lightning Experience access |
| Access content resources | Content library access |
| Manage Salesforce CDP Ingestion API data | CDP data ingestion |
| Manage Salesforce CDP profile data | CDP profile management |
| Perform ANSI SQL queries on Salesforce CDP data | CDP data querying |
| Access chatbot services | Einstein Bot services |
| Perform requests at any time | Offline refresh token access |
| Perform segmentation on Salesforce CDP data | CDP segmentation |
API enabled permission
You must have the API Enabled permission in Salesforce. To configure: go to Setup > Administration > Users > Profiles, select the relevant profile, and ensure API Enabled is checked under Administrative Permissions.
Standard and custom object permissions
We recommend that the connected user's account has permissions to read, write, edit, delete, view all, and modify all for the standard or custom objects your automations interact with. To configure:
- Go to Setup > Administration > Users > Profiles (or Permission Sets).
- Locate the relevant standard or custom objects and assign the required permissions.
- Object-level security is the broadest way to control data access. It configures a user's ability to view, create, edit, or delete records of a specific object type (e.g., Leads, Opportunities). If an object is hidden from the integration user, it will not appear in UiPath.
If expected Salesforce objects are not appearing in UiPath, check with your Salesforce admin to confirm that the integration user has access to all required objects.
Field-level security
Field-level security controls the visibility of individual fields within objects, including in related lists, list views, reports, and search results. It also determines whether users can view or edit field values. This allows you to protect sensitive data without hiding entire objects.
Configure field-level security via profiles or permission sets in Salesforce. If expected fields are not appearing in UiPath, check with your Salesforce admin to confirm the integration user has access to the required fields.
Profiles and permission sets
User permissions and access settings control what users can do in your Salesforce organization:
- Profiles: Define the baseline permissions for a group of users. Each user is assigned one profile. Use profiles to assign the minimum required permissions.
- Permission Sets: Add additional permissions on top of a profile. A user can have multiple permission sets. Use these to layer extra access as needed for integrations.
Troubleshooting
| Error / Symptom | Resolution |
|---|---|
| OAUTH_APPROVAL_ERROR_GENERIC | Salesforce is blocking the UiPath app because it is not installed. This applies to the public UiPath Connected App only (not BYOA External Client Apps, which are secure-by-default and exempt from this restriction). To resolve:
|
| invalid_client_id / "client identifier invalid" | The Consumer Key (Client ID) is not recognized. Common causes:
|
| missing required code challenge | PKCE (Proof Key for Code Exchange) is enforced. Disable it in two places:
The org-level setting overrides the app-level setting — both must be off. After disabling, wait a few minutes and clear your browser cache before retrying. |
| Failed to exchange OAuth code for token | The authorization code was issued but the token exchange failed. Common causes for External Client Apps:
|
| Connection disconnects unexpectedly | The refresh token may have expired. Set the Refresh Token Policy to "Refresh token is valid until revoked" and ensure the "Perform requests at any time" scope is granted. See the Token expiration and refresh section. |
| Objects or fields missing in UiPath | Object-level or field-level security settings are preventing visibility. Check with your Salesforce admin to confirm the integration user's profile has read/write access to the required objects and fields. |
| API Enabled error / insufficient privileges | The connected user's profile does not have the API Enabled permission. Go to Setup > Profiles, select the profile, and enable it under Administrative Permissions. |
| MFA prompt during connection | Your org requires multi-factor authentication. Use an authenticator app to complete the verification step. For automated (unattended) scenarios, consider using JWT bearer authentication which does not require interactive MFA. |
| Custom domain not recognized | Click "Use Custom Domain" on the Salesforce login screen, enter the full custom domain URL (e.g., yourcompany.my.salesforce.com), and click Continue before entering credentials. |
Best practices
- Use a dedicated integration user. Create a dedicated Salesforce user for UiPath integrations rather than using personal accounts. This ensures consistent permissions, simplifies auditing, and avoids disruption when individual users change roles.
- Test in a sandbox first. Always test new connections and automations in a Salesforce sandbox environment before deploying to production. Actions performed through UiPath cannot always be undone.
- Apply least-privilege permissions. Grant only the object and field access your automations actually need. Use profiles for baseline access and permission sets for additional scopes.
- Configure token refresh policies. Set the refresh token policy to "valid until revoked" and grant the "Perform requests at any time" scope to avoid unexpected disconnections.
- Use meaningful connection names. When creating connections in Orchestrator, use descriptive names that indicate the environment and purpose (e.g., "Salesforce-Production-OrderSync") to make management easier.
- Plan for Salesforce's External Client App migration. Salesforce has deprecated the legacy Connected App model. All new apps should be created as External Client Apps. Plan to migrate existing Connected Apps per Salesforce's guidance.
- Supported editions
- Prerequisites
- Authentication methods
- OAuth 2.0 Authorization code
- OAuth 2.0 Password (legacy)
- JWT Bearer authentication (PAT)
- Bring your own app (BYOA) (recommended)
- Token expiration and refresh
- Sandbox setup
- Permissions
- Required OAuth scopes (public UiPath app)
- API enabled permission
- Standard and custom object permissions
- Field-level security
- Profiles and permission sets
- Troubleshooting
- Best practices