Skip to main content
Salesforce holds the structured pipeline and account data your agents can act on directly — opportunities, contacts, leads, tasks, and any custom object in your org. Once connected, agents can run SOQL queries, create and update records, and search across objects, all scoped to the authorizing user’s permissions. Scout supports both Production and Sandbox environments. If your team also uses HubSpot, connect it independently from the HubSpot integration page — an agent can use tools from both CRMs in the same workflow.

Choosing a Connection Method

Salesforce supports three ways to connect. Pick the one that matches your security requirements.
MethodBest for
Quick ConnectTesting and teams without Salesforce admin access — the fastest path
Custom OAuth AppEnterprise deployments that require their own Connected App and security controls
JWT Bearer FlowServer-to-server automation where the agent acts on behalf of a specific user with no interactive login
Quick Connect uses Scout’s managed OAuth app, so there’s nothing to configure in Salesforce.
1

Open the Integrations page

Go to studio.scoutos.com/integrations and click the Salesforce card.
2

Connect with OAuth

Click Connect with OAuth and choose your environment — Production (login.salesforce.com) or Sandbox (test.salesforce.com).
3

Authorize in Salesforce

Sign in to Salesforce, review the requested permissions, and click Allow. You’ll be redirected back to Scout.
4

Verify the connection

Your workspace should show a green status indicator, the environment type, and the connection date.

Custom OAuth App

Use a custom Connected App when your security team requires Scout to authenticate through credentials you own and control.
Prerequisites: Available across Group through Developer editions, in both Classic and Lightning. You need either Customize Application + Modify All Data, or Customize Application + Manage Connected Apps.
1

Enable connected app creation

In Salesforce, go to Setup → External Client App Settings and turn on the option to allow creation of connected apps. This is a one-time setting per org.
2

Create a Connected App

Click the gear icon → Setup → App Manager → New Connected App.
3

Configure basic information

Enter a connected app name, contact email, and (optionally) a logo URL, info URL, and description (256 characters max). The API name fills in automatically.
4

Enable OAuth settings

Turn on OAuth and configure:
  • Callback URL: https://studio.scoutos.com/oauth/salesforce/success
  • Scopes: Full access (full), Access the identity URL service, Manage user data via APIs (api), Manage user data via Web browsers (web), and Perform requests at any time (refresh_token, offline_access)
  • Enable Client Credentials Flow and Authorization Code and Credentials Flow
  • Require a secret for the Web Server Flow and Refresh Token Flow
5

Copy your credentials

Copy the Consumer Key (Client ID), then reveal and copy the Consumer Secret (Client Secret).
6

Connect to Scout

On the Salesforce card, click Add Workspace, check Use custom Salesforce Connected App credentials, select your environment, enter your Client ID and Client Secret, and click Connect with OAuth.
Salesforce can take a few minutes to activate a newly created Connected App. If authorization fails immediately after setup, wait a few minutes and try again.

JWT Bearer Flow (User-Scoped)

JWT Bearer Flow uses certificate-based authentication so Scout can act as a specific user without an interactive login. It’s ideal for scheduled and background jobs. Why use it:
  • No user interaction required — authentication happens automatically
  • Access is scoped to a specific user
  • Uses cryptographic signing instead of stored passwords
  • Well suited to scheduled agents and server-to-server automation
1

Create a private key and certificate

Use OpenSSL to generate an RSA private key, a certificate signing request, and a self-signed certificate valid for 365 days:
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Keep server.key secure — anyone with it can authenticate as the connected user.
2

Create an External Client App with digital signatures

Go to App Manager → New External Client App and fill in the basics (set Distribution State to Local). Enable OAuth, set the callback URL to any HTTPS URL, and add the scopes api and refresh_token, offline_access. Enable JWT Bearer Flow and upload your server.crt.
3

Pre-authorize users

Open External Client App Manager → Policies → Edit. Set Permitted Users to “Admin approved users are pre-authorized” and IP Relaxation to “Relax IP restrictions”, then add the profiles or permission sets that should be allowed. Only pre-authorized users can authenticate.
4

Get the Consumer Key

Open the app, go to the OAuth Settings tab, and copy the Consumer Key.
5

Connect in Scout

On the Salesforce (User Scoped) card, click Add Workspace and complete the checklist. Paste your Consumer Key and the full PEM private key (including its headers), select your environment, and click Create Connection. Confirm the workspace shows a green status.

JWT Troubleshooting

IssueSolution
Invalid JWT tokenVerify the key matches the uploaded certificate and is in PEM format with the correct headers
User not pre-authorizedAdd the user’s profile or permission set to the approved list
Certificate expiredGenerate a new certificate and key, upload to Salesforce, and update the key in Scout
Invalid client identifierVerify the correct Consumer Key and ensure the app is active

JWT Security Best Practices

  • Protect your private key and never commit it to source control
  • Rotate certificates regularly (typically yearly)
  • Grant the minimum permissions the agent needs
  • Use separate apps for Production and Sandbox
  • Monitor usage logs for unexpected activity

Verify the Connection

Open an agent, go to the Tools tab, and toggle Salesforce on. Then test with a prompt:
  • “List the last 5 accounts from Salesforce.”
  • “Find the contact with email jane@example.com.”
  • “Get opportunity by ID and summarize its stage and next steps.”
  • “How many open opportunities do we have this quarter?”
The authorizing user’s Salesforce permissions apply. If a user can’t read a field or object in Salesforce, the agent can’t either. Check field-level security in Salesforce Setup if the agent returns incomplete records.

Available Capabilities

Once connected and enabled, your agent can:
CategoryCapabilities
Data queryingSOQL queries, SOSL search, list objects, get field metadata
Record managementGet a record by ID, create, update, and delete records
Advanced operationsDirect REST API calls, bulk operations, and relationship queries

Instruction Guardrails

CRM writes are consequential. A bad update can corrupt a record, create a duplicate, or overwrite data another rep entered. Add this block to your agent’s Instructions before enabling any write tools:
For CRM tasks:

1. Look up the record before writing.
2. Match by stable identifier (record ID, email, domain) before updates.
3. Return the CRM object ID, fields changed, and reason after each write.
4. Ask before creating duplicates when confidence is low.

Troubleshooting

IssueSolution
No permission to create Connected AppsContact your admin or use a free Developer Edition org
Invalid client credentialsVerify the Consumer Key and Secret were copied correctly
Redirect URI mismatchThe callback URL must be exactly https://studio.scoutos.com/oauth/salesforce/success
User hasn’t approved the appSign in as an authorized user and check app approval for the profile
Authentication failureVerify you’re using the correct environment (Production vs. Sandbox)
Token expiredOpen the Salesforce integration in Scout and click Reconnect
Insufficient privilegesEnsure proper permissions and object/field-level security
API limit exceededMonitor usage in System Overview and optimize your queries

Next Steps

HubSpot

Connect HubSpot too — agents can use Salesforce and HubSpot tools in the same workflow.

Slack

Route pipeline summaries and deal alerts from Salesforce to team channels.

Gmail

Add email context to Salesforce-driven outreach workflows.

Integrations Overview

See the full integration stack and recommended connection order.