PluginBench
Skill
Pass
Audit score 90

configuring-connected-apps

forcedotcom/sf-skills

How to install configuring-connected-apps

npx skills add https://github.com/forcedotcom/sf-skills --skill configuring-connected-apps
Claude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)

Source of truth, from forcedotcom/sf-skills.


name: configuring-connected-apps description: "Salesforce Connected Apps and External Client Apps OAuth configuration with 120-point scoring. Use this skill to configure OAuth flows, JWT bearer auth, Connected Apps, and External Client Apps in Salesforce. TRIGGER when: user configures OAuth flows, JWT bearer auth, Connected Apps, ECAs, or touches .connectedApp-meta.xml / .eca-meta.xml files. DO NOT TRIGGER when: configuring Named Credentials for callouts (use building-sf-integrations), reviewing permission policies (use deploying-metadata), or writing Apex token-handling code (use generating-apex)." allowed-tools: Bash Read Write Edit Glob Grep WebFetch AskUserQuestion TodoWrite metadata: version: "1.1"

configuring-connected-apps: Salesforce Connected Apps & External Client Apps

Use this skill when the user needs OAuth app configuration in Salesforce: Connected Apps, External Client Apps (ECAs), JWT bearer setup, PKCE decisions, scope design, or migration from older Connected App patterns to newer ECA patterns.

Scope

In scope:

  • .connectedApp-meta.xml or .eca-meta.xml files
  • OAuth flow selection and callback / scope setup
  • JWT bearer auth, device flow, client credentials, or auth-code decisions
  • Connected App vs External Client App architecture choices
  • Consumer key / secret / certificate handling strategy

Out of scope — delegate elsewhere:


First Decision: Connected App or External Client App

If the need is...Prefer
simple single-org OAuth appConnected App
new development with better secret handlingExternal Client App
multi-org / packaging / stronger operational controlsExternal Client App
straightforward legacy compatibilityConnected App

Default guidance:

  • Choose ECA for new regulated, packageable, or automation-heavy solutions.
  • Choose Connected App when simplicity and legacy compatibility matter more.
  • Spring '26 note: creation of new Connected Apps is disabled by default in orgs. For new integrations, prefer External Client Apps unless Connected App compatibility is explicitly required.

Required Inputs

Ask for or infer:

  • App type: Connected App or ECA
  • OAuth flow: auth code, PKCE, JWT bearer, device, client credentials
  • Client type: confidential vs public
  • Callback URLs / redirect surfaces
  • Required scopes
  • Distribution model: local org only vs packageable / multi-org
  • Whether certificates or secret rotation are required

Workflow

1. Choose the app model

Decide whether a Connected App or ECA is the better long-term fit using the decision table above.

2. Choose the OAuth flow

Use caseDefault flow
backend web appAuthorization Code
SPA / mobile / public clientAuthorization Code + PKCE
server-to-server / CI/CDJWT Bearer
device / CLI authDevice Flow
service account style appClient Credentials (typically ECA)

3. Start from the right template

Read the appropriate template before generating — do not build from scratch:

TemplateUse case
assets/connected-app-basic.xmlSimple API integration, minimal OAuth
assets/connected-app-oauth.xmlWeb app with full OAuth 2.0 configuration
assets/connected-app-jwt.xmlJWT bearer / server-to-server
assets/connected-app-canvas.xmlEmbedding external apps in Salesforce UI (Canvas)
assets/external-client-app.xmlECA header file — all new ECA builds start here
assets/eca-global-oauth.xmlECA global OAuth settings (scopes, PKCE, rotation)
assets/eca-oauth-settings.xmlECA per-app OAuth settings
assets/eca-policies.xmlECA configurable policies

If you need source-controlled ECA OAuth security metadata, retrieve it from an org first and treat the retrieved file as the schema source of truth:

sf project retrieve start --metadata ExtlClntAppOauthSecuritySettings:<AppName> --target-org <alias>

4. Apply security hardening

Read references/security-checklist.md for the full 120-point security checklist. Favor:

  • Least-privilege scopes
  • Explicit callback URLs
  • PKCE for public clients
  • Certificate-based auth where appropriate
  • Rotation-ready secret / key handling
  • IP restrictions when realistic and maintainable

5. Validate deployment readiness

Read references/testing-validation-guide.md before handoff. Confirm:

  • Metadata file naming is correct (see Gotchas below)
  • Scopes are justified
  • Callback and auth model match the real client type
  • Secrets are not embedded in source

6. Handle errors

If deployment fails, check the error output for:

  • DUPLICATE_VALUE — a Connected App or ECA with this name already exists; rename or retrieve-then-update instead
  • INVALID_CROSS_REFERENCE_KEY — the externalClientApplication name in an ECA settings file doesn't match the .eca-meta.xml filename exactly
  • INSUFFICIENT_ACCESS_OR_READONLY — user lacks the "Manage Connected Apps" permission
  • If any step fails, do not proceed to the next step — surface the error to the user with the specific message above

Rules / Constraints

RuleRationale
Never commit consumer secrets to source controlCredential exposure risk
Never use Full scope by defaultUnnecessary privilege; request only what the app needs
Always use PKCE for public clients (mobile, SPA)Prevents auth code interception
Never use wildcard or overly broad callback URLsToken interception risk
ECA OAuth security settings must be retrieved from org before editingFile schema is not fully documented; retrieve-first ensures accuracy
Use <alias> placeholders in CLI commands, never hardcoded org URLsOrg URLs vary per environment
Detect actual packageDirectory from sfdx-project.json before writing filesProjects may not use the default force-app/main/default/ layout

Metadata Notes That Matter

Connected App

Default source location (verify via sfdx-project.json → packageDirectories):

  • <packageDir>/connectedApps/

External Client App

ECA metadata spans multiple top-level source directories. Default locations (verify via sfdx-project.json):

DirectoryMetadata typeFile suffix
<packageDir>/externalClientApps/ExternalClientApplication.eca-meta.xml
<packageDir>/extlClntAppGlobalOauthSets/ExtlClntAppGlobalOauthSettings.ecaGlblOauth-meta.xml
<packageDir>/extlClntAppOauthSettings/ExtlClntAppOauthSettings.ecaOauth-meta.xml
<packageDir>/extlClntAppOauthSecuritySettings/ExtlClntAppOauthSecuritySettings.ecaOauthSecurity-meta.xml
<packageDir>/extlClntAppOauthPolicies/ExtlClntAppOauthConfigurablePolicies.ecaOauthPlcy-meta.xml
<packageDir>/extlClntAppPolicies/ExtlClntAppConfigurablePolicies.ecaPlcy-meta.xml

Gotchas

GotchaDetail
.ecaGlblOauth not .ecaGlobalOauthThe global OAuth suffix is abbreviated — using the long form will break deployment
.ecaPlcy not .ecaPolicySame abbreviation pattern — the general policy suffix is short form
.ecaOauthSecurity for security settingsUse .ecaOauthSecurity, not .ecaSecurity
ECA OAuth security settings are retrieve-onlyCannot be created from scratch in source — always retrieve from org first
Spring '26: new Connected Apps disabled by defaultNew orgs block Connected App creation; use ECA unless explicitly required
Consumer key is generated post-deployYou cannot set the consumer key in metadata — retrieve it after first deployment

Output Expectations

When finishing, confirm and report in this order:

  1. App type chosen — Connected App or External Client App
  2. OAuth flow chosen
  3. Files created or updated — list each metadata file path
  4. Security decisions — scopes, PKCE, certs, secrets, IP policy
  5. Next deployment / testing step

Suggested output shape:

App: <name>
Type: Connected App | External Client App
Flow: <oauth flow>
Files: <paths>
Security: <scopes, PKCE, certs, secrets, IP policy>
Next step: <deploy, retrieve consumer key, or test auth flow>
Score: <x>/120

Cross-Skill Integration

NeedDelegate toReason
Named Credential / callout runtime configbuilding-sf-integrationsruntime integration setup
Deploy app metadatadeploying-metadataorg validation and deployment
Apex token or refresh handlinggenerating-apeximplementation logic

Score Guide

ScoreMeaning
80+production-ready OAuth app config
54–79workable but needs hardening review
< 54block deployment until fixed

Reference File Index

FileWhen to read
assets/connected-app-basic.xmlStep 3 — template for simple Connected App with minimal OAuth
assets/connected-app-oauth.xmlStep 3 — template for full OAuth 2.0 Connected App
assets/connected-app-jwt.xmlStep 3 — template for JWT bearer / server-to-server Connected App
assets/connected-app-canvas.xmlStep 3 — template for Canvas app embedding in Salesforce UI
assets/external-client-app.xmlStep 3 — ECA header file template
assets/eca-global-oauth.xmlStep 3 — ECA global OAuth settings template (PKCE, rotation, callbacks)
assets/eca-oauth-settings.xmlStep 3 — ECA per-app OAuth settings template
assets/eca-policies.xmlStep 3 — ECA configurable policies template
references/oauth-flows-reference.mdStep 2 — detailed OAuth flow comparison and decision guide
references/security-checklist.mdStep 4 — full 120-point security scoring checklist
references/testing-validation-guide.mdStep 5 — pre-deployment validation and testing guide
references/migration-guide.mdWhen migrating from Connected App to ECA patterns
references/example-usage.mdFull end-to-end examples for common OAuth scenarios

Related skills

More from forcedotcom/sf-skills and the wider catalog.

GE

generating-apex

forcedotcom/sf-skills

Primary Apex authoring skill for class generation, refactoring, and review. ALWAYS ACTIVATE when the user mentions Apex, .cls, triggers, or asks to create/refactor a class (service, selector, domain, batch, queueable, schedulable, invocable, DTO, utility, interface, abstract, exception, REST resource). Use this skill for requests involving SObject CRUD, mapping collections, fetching related records, scheduled jobs, batch jobs, trigger design, @AuraEnabled controllers, @RestResource endpoints, custom REST APIs, or code review of existing Apex.

2.6k installsAudited
GE

generating-apex-test

forcedotcom/sf-skills

Generate and validate Apex test classes with TestDataFactory patterns, bulk testing (251+ records), mocking strategies, assertion best practices, and disciplined test-fix loops. Use this skill when creating new Apex test classes, improving test coverage, debugging and fixing failing Apex tests, running test execution and coverage analysis, or implementing testing patterns for triggers, services, controllers, batch jobs, queueables, and integrations. Triggers on *Test.cls, *_Test.cls files, sf apex run test workflows, coverage reports, test-fix loops. Do NOT trigger for production Apex code (use generating-apex) or Jest/LWC tests.

2.6k installsAudited
GE

generating-lwc-components

forcedotcom/sf-skills

Lightning Web Components with PICKLES methodology and 165-point scoring. Use this skill when the user creates or edits LWC components, builds wire service patterns, or writes Jest tests for LWC. TRIGGER when: user creates/edits LWC components, touches lwc/**/*.js, .html, .css, .js-meta.xml files, or asks about wire service, SLDS, or Jest LWC tests. DO NOT TRIGGER when: Apex classes (use generating-apex), Aura components, or Visualforce.

2.6k installsAudited
GE

generating-flow

forcedotcom/sf-skills

Generate Salesforce Flows using the MCP tool execute_metadata_action. Use when the user asks to create, build, or generate a flow — including Screen, Autolaunched, Record-Triggered (before/after-save), Scheduled. Also trigger for flow-like requests such as \"when a record is created\", \"trigger daily at\", \"send an email when\", \"update the field when\", \"automate\", \"workflow\", or \"flow XML/metadata\". This is the only skill for Salesforce Flow generation.

2.5k installsAudited
QU

querying-soql

forcedotcom/sf-skills

SOQL query generation, optimization, and analysis with 100-point scoring. Use this skill when the user needs SOQL/SOSL authoring or optimization: natural-language-to-query generation, relationship queries, aggregates, query-plan analysis, and performance or safety improvements for Salesforce queries. TRIGGER when: user writes, optimizes, or debugs SOQL/SOSL queries, touches .soql files, or asks about relationship queries, aggregates, or query performance. DO NOT TRIGGER when: bulk data operations (use handling-sf-data), Apex DML logic (use generating-apex), or report/dashboard queries.

2.5k installsAudited
GE

generating-custom-object

forcedotcom/sf-skills

Use this skill when users need to create, generate, or validate Salesforce Custom Object metadata. Trigger when users mention custom objects, creating objects, object metadata, .object files, sharing models, name fields, or validation rules on objects. Also use when users say things like \"create a custom object\", \"generate object metadata\", \"set up an object for...\", or when they're troubleshooting object deployment errors especially around sharing models and Master-Detail relationships. Always use this skill for any custom object metadata work.

2.5k installsAudited