
Set up client credentials flow

Important

Atlan currently supports Salesforce Sales Cloud and Financial Services Cloud (FSC).

Atlan supports the Salesforce OAuth 2.0 client credentials flow for server-to-server integration. This flow enables Atlan to authenticate using a dedicated integration user and an external client app in Salesforce, providing secure, non-interactive access to Salesforce metadata and data for crawling.

Prerequisites

Before you begin, make sure you have:

  • Salesforce administrator access
  • Network connectivity between Atlan and your Salesforce instance

Create custom profile

Create a custom profile to manage permissions for the integration user:

  1. From Setup, enter profiles in the Quick Find box and select Profiles.
  2. Click New Profile.
  3. Select Standard User from the Existing Profile dropdown to clone.
  4. Enter a name, for example AtlanIntegrationProfile.
  5. Click Save.
  6. On the new profile page, click Edit.
  7. Under Connected App Access, select the external client app that you create in the Create external client app section.
  8. Under Administrative Permissions, uncheck all except:
    • API Enabled
    • View All Data
  9. Under Standard Object Permissions and Custom Object Permissions, select Read and View All for all items.
  10. Click Save.

Create integration user

Create a dedicated Salesforce user for the external client app:

  1. From Setup, expand Administration > Users and click Users.
  2. Click New User.
  3. Enter required details: First Name, Last Name, Username, Email, Nickname.
  4. Select Salesforce for User License.
  5. Assign the custom profile created in the previous step.
  6. Click Save.

Create external client app

Set up the external client app for client credentials flow:

  1. From Setup, enter external client app manager in Quick Find and select External Client App Manager.
  2. Click New External Client App.
  3. Enter:
    • External Client App Name: for example, AtlanIntegration
    • Contact Email: your email
    • Distribution State: Local
  4. Expand API (Enable OAuth Settings):
    • Check Enable OAuth
    • Set Callback URL: https://localhost (placeholder, unused)
    • Move the following scopes to Selected OAuth Scopes:
      • Manage user data via APIs (api)
      • Perform requests at any time (refresh_token, offline_access)
      • Access Lightning applications (lightning)
  5. Under Flow Enablement, check Enable Client Credentials Flow.
  6. Enable:
    • Require Secret for Web Server Flow
    • Require Secret for Refresh Token Flow
  7. Optional hardening:
    • Require Proof Key for Code Exchange (PKCE)
    • Enable Refresh Token Rotation
    • Issue JSON Web Token (JWT)-based access tokens
  8. Click Create.
  9. On the app details page, copy the Consumer Key (Client ID) and Consumer Secret from OAuth Settings.
  10. Store these credentials securely—they're required to configure the Atlan connection.

Configure policies

  1. From External Client App Manager, locate your app and click Edit.
  2. Open the Policies tab.
  3. Set Start Page to None.
  4. Move the integration custom profile to Selected Profiles.
  5. If using permission sets, move relevant sets to Selected Permission Sets.
  6. In OAuth Policies, set:
    • Permitted Users: Admin approved users are pre-authorized
    • OAuth Start URL: leave blank unless required
  7. In OAuth Flows and External Client App Enhancements:
    • Check Enable Client Credentials Flow
    • Run As (Username): enter the integration user username
    • Set additional policies as required (IP Relaxation, Session Timeout, Refresh Token Policy)
  8. Click Save.
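
To check the finished configuration before entering the credentials in Atlan, you can request a token with the client credentials grant and review what comes back. The script below is an added example, not Atlan or Salesforce code: it assumes the standard Salesforce token endpoint path /services/oauth2/token on your My Domain host, and the environment variable names and the sample response are constructed for illustration.

```python
import json
import os
import urllib.parse
import urllib.request

# Scopes moved to Selected OAuth Scopes in the external client app steps.
SELECTED_SCOPES = {"api", "refresh_token", "offline_access", "lightning"}

def build_token_request(my_domain, client_id, client_secret):
    """Build the client credentials token request without sending it."""
    if my_domain in ("login.salesforce.com", "test.salesforce.com"):
        # Assumption: this flow is served from the org's My Domain host.
        raise ValueError("use the org's My Domain host, not a shared login host")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # sent in the POST body, never in the URL
    }).encode()
    return urllib.request.Request(
        f"https://{my_domain}/services/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def review_token_response(resp, my_domain):
    """Return findings for a parsed token response; an empty list means OK."""
    findings = []
    if resp.get("token_type") != "Bearer" or not resp.get("access_token"):
        findings.append("no bearer access token returned")
    granted = set(resp.get("scope", "").split())
    if "api" not in granted:
        findings.append("api scope not granted")
    extra = granted - SELECTED_SCOPES
    if extra:
        findings.append("unexpected scopes: " + ", ".join(sorted(extra)))
    # Assumption: instance_url points back at the same My Domain host.
    host = urllib.parse.urlsplit(resp.get("instance_url", "")).hostname
    if host != my_domain:
        findings.append(f"instance_url host {host!r} is not {my_domain!r}")
    return findings

# Constructed sample response (placeholder values, not from a real org).
SAMPLE = {"access_token": "00Dxx-PLACEHOLDER", "token_type": "Bearer",
          "scope": "api full", "instance_url": "https://example.my.salesforce.com"}

if __name__ == "__main__":
    domain = os.environ["SF_MY_DOMAIN"]  # hypothetical variable names
    req = build_token_request(domain, os.environ["SF_CLIENT_ID"],
                              os.environ["SF_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=30) as r:
        print(review_token_response(json.load(r), domain) or "token response OK")
```

The script prints only the findings, so the access token itself never reaches the terminal or logs.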

Troubleshooting

If you encounter issues with Client Credentials authentication, see Troubleshooting Salesforce Connectivity.

Next steps