Set up the Salesforce MCP server

The MintMCP Salesforce MCP server gives AI agents access to Salesforce data — querying, creating, and modifying records across standard and custom objects. This guide covers creating an External Client App in Salesforce and connecting it to the MintMCP-hosted Salesforce server.

Prerequisites

  • A MintMCP admin account
  • A Salesforce org (Developer Edition, sandbox, or production) with Administrator access
  • The "Customize Application" permission in Salesforce

Create an External Client App

Salesforce requires an External Client App for OAuth authentication — do not use a Connected App.

  1. In Salesforce, open Setup.

  2. In the Quick Find box, type external client and select External Client App Manager.

  3. Click New External Client App.

  4. Fill in the Basic Information section with an app name (for example, "MintMCP").

  5. Expand API (Enable OAuth Settings) and check Enable OAuth.

  6. In the Callback URL field, enter:

    https://app.mintmcp.com/oauth/callback
  7. Under Selected OAuth Scopes, add the three required scopes:

    Scope                          Description
    api                            Manage user data via APIs
    sfap_api                       Access the Salesforce API Platform
    refresh_token, offline_access  Perform requests at any time
  8. Under security settings:

    • Select Issue JSON Web Token (JWT)-based access tokens for named users
    • Select Require Proof Key for Code Exchange (PKCE) extension
    • Deselect all other options
  9. Click Create.

Allow up to 30 minutes for the External Client App to become active before proceeding.

Copy the Consumer Key and Secret

  1. In External Client App Manager, open the app you just created.
  2. Go to Settings > Consumer Key and Secret.
  3. Copy the Consumer Key — this is your Client ID.
  4. Copy the Consumer Secret — this is your Client Secret.

Set up Salesforce in MintMCP

Contact MintMCP support to have the Salesforce MCP server deployed to your account — MintMCP will install it as a Hosted Connector.

Once deployed, configure the OAuth credentials:

  1. In MintMCP, go to MCP store > Your registry.
  2. Click on the Salesforce MCP server.
  3. Click Hosted Connector.
  4. Click Edit.
  5. Scroll down to Hosted OAuth config.
[Screenshot: Hosted Connector OAuth configuration showing Client ID and Client Secret fields]
  6. Enter:
    • Client ID: paste the Consumer Key from the previous step
    • Client Secret: paste the Consumer Secret from the previous step

For standard Salesforce orgs, the authorization and token URLs are set automatically. If your org uses a custom domain or routes authentication through an SSO provider, update the URLs:

Setup        Authorization URL                                                  Token URL
Standard     https://login.salesforce.com/services/oauth2/authorize             https://login.salesforce.com/services/oauth2/token
My Domain    https://{your-domain}.my.salesforce.com/services/oauth2/authorize  https://{your-domain}.my.salesforce.com/services/oauth2/token
Okta as IdP  https://{your-company}.okta.com/oauth2/default/v1/authorize        https://{your-company}.okta.com/oauth2/default/v1/token

When using Okta as an identity provider, the Client ID and Client Secret come from an Okta OAuth application, not the Salesforce External Client App. Salesforce trusts Okta as an IdP and accepts the tokens it issues.

  7. Click Save.
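
A pre-flight check for the authorization and token URL pair entered above, as an added example (not MintMCP or Salesforce code): it accepts only HTTPS endpoints whose host and paths match one row of the table, so a lookalike host is never configured to receive the Client Secret. The names classify_oauth_urls and PROFILES, and the assumption that {your-domain} and {your-company} are a single DNS label, belong to this example.

```python
import re
from urllib.parse import urlsplit

LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"  # one DNS label (assumed tenant format)

# One entry per row of the page's table: host pattern, authorize path, token path.
PROFILES = {
    "Standard": (r"login\.salesforce\.com",
                 "/services/oauth2/authorize", "/services/oauth2/token"),
    "My Domain": (LABEL + r"\.my\.salesforce\.com",
                  "/services/oauth2/authorize", "/services/oauth2/token"),
    "Okta as IdP": (LABEL + r"\.okta\.com",
                    "/oauth2/default/v1/authorize", "/oauth2/default/v1/token"),
}


def _parts(url):
    """Return (host, path) for a clean https URL, or raise ValueError."""
    u = urlsplit(url.strip())
    if u.scheme != "https":
        raise ValueError(f"not https: {url}")
    # Reject userinfo, explicit ports, query strings and fragments outright;
    # none of the table's URLs carry them.
    if u.username or u.password or u.port or u.query or u.fragment:
        raise ValueError(f"unexpected URL component: {url}")
    return (u.hostname or "").lower(), u.path


def classify_oauth_urls(authorization_url, token_url):
    """Return the matching table row name, or raise ValueError."""
    auth_host, auth_path = _parts(authorization_url)
    token_host, token_path = _parts(token_url)
    # Every row of the table keeps both endpoints on the same host.
    if auth_host != token_host:
        raise ValueError("authorization and token URLs are on different hosts")
    for name, (host_re, want_auth, want_token) in PROFILES.items():
        if (re.fullmatch(host_re, auth_host)
                and auth_path == want_auth and token_path == want_token):
            return name
    raise ValueError(f"{auth_host} does not match any supported setup")
```

URL forms that are not in the table are rejected until a row is added to PROFILES for them.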

Security considerations

  • Each user authenticates individually through OAuth, so tool calls are attributed to their Salesforce identity and limited by their existing Salesforce permissions.
  • Store the Consumer Key and Consumer Secret securely — both are required to authenticate as your Salesforce app.
  • API calls through the MCP server count against your org's API quota. Monitor usage in Salesforce Setup under API Usage.

Next steps