Choosing a Connection Method
Salesforce supports three ways to connect. Pick the one that matches your security requirements.| Method | Best for |
|---|---|
| Quick Connect | Testing and teams without Salesforce admin access — the fastest path |
| Custom OAuth App | Enterprise deployments that require their own Connected App and security controls |
| JWT Bearer Flow | Server-to-server automation where the agent acts on behalf of a specific user with no interactive login |
Quick Connect (Recommended)
Quick Connect uses Scout’s managed OAuth app, so there’s nothing to configure in Salesforce.Open the Integrations page
Go to studio.scoutos.com/integrations and click the Salesforce card.
Connect with OAuth
Click Connect with OAuth and choose your environment — Production (login.salesforce.com) or Sandbox (test.salesforce.com).
Authorize in Salesforce
Sign in to Salesforce, review the requested permissions, and click Allow. You’ll be redirected back to Scout.
Custom OAuth App
Use a custom Connected App when your security team requires Scout to authenticate through credentials you own and control.Prerequisites: Available across Group through Developer editions, in both Classic and Lightning. You need either
Customize Application + Modify All Data, or Customize Application + Manage Connected Apps.Enable connected app creation
In Salesforce, go to Setup → External Client App Settings and turn on the option to allow creation of connected apps. This is a one-time setting per org.
Configure basic information
Enter a connected app name, contact email, and (optionally) a logo URL, info URL, and description (256 characters max). The API name fills in automatically.
Enable OAuth settings
Turn on OAuth and configure:
- Callback URL:
https://studio.scoutos.com/oauth/salesforce/success - Scopes: Full access (
full), Access the identity URL service, Manage user data via APIs (api), Manage user data via Web browsers (web), and Perform requests at any time (refresh_token,offline_access) - Enable Client Credentials Flow and Authorization Code and Credentials Flow
- Require a secret for the Web Server Flow and Refresh Token Flow
Copy your credentials
Copy the Consumer Key (Client ID), then reveal and copy the Consumer Secret (Client Secret).
Salesforce can take a few minutes to activate a newly created Connected App. If authorization fails immediately after setup, wait a few minutes and try again.
JWT Bearer Flow (User-Scoped)
JWT Bearer Flow uses certificate-based authentication so Scout can act as a specific user without an interactive login. It’s ideal for scheduled and background jobs. Why use it:- No user interaction required — authentication happens automatically
- Access is scoped to a specific user
- Uses cryptographic signing instead of stored passwords
- Well suited to scheduled agents and server-to-server automation
Create a private key and certificate
Use OpenSSL to generate an RSA private key, a certificate signing request, and a self-signed certificate valid for 365 days:Keep
server.key secure — anyone with it can authenticate as the connected user.Create an External Client App with digital signatures
Go to App Manager → New External Client App and fill in the basics (set Distribution State to Local). Enable OAuth, set the callback URL to any HTTPS URL, and add the scopes
api and refresh_token, offline_access. Enable JWT Bearer Flow and upload your server.crt.Pre-authorize users
Open External Client App Manager → Policies → Edit. Set Permitted Users to “Admin approved users are pre-authorized” and IP Relaxation to “Relax IP restrictions”, then add the profiles or permission sets that should be allowed. Only pre-authorized users can authenticate.
JWT Troubleshooting
| Issue | Solution |
|---|---|
| Invalid JWT token | Verify the key matches the uploaded certificate and is in PEM format with the correct headers |
| User not pre-authorized | Add the user’s profile or permission set to the approved list |
| Certificate expired | Generate a new certificate and key, upload to Salesforce, and update the key in Scout |
| Invalid client identifier | Verify the correct Consumer Key and ensure the app is active |
JWT Security Best Practices
- Protect your private key and never commit it to source control
- Rotate certificates regularly (typically yearly)
- Grant the minimum permissions the agent needs
- Use separate apps for Production and Sandbox
- Monitor usage logs for unexpected activity
Verify the Connection
Open an agent, go to the Tools tab, and toggle Salesforce on. Then test with a prompt:- “List the last 5 accounts from Salesforce.”
- “Find the contact with email jane@example.com.”
- “Get opportunity by ID and summarize its stage and next steps.”
- “How many open opportunities do we have this quarter?”
The authorizing user’s Salesforce permissions apply. If a user can’t read a field or object in Salesforce, the agent can’t either. Check field-level security in Salesforce Setup if the agent returns incomplete records.
Available Capabilities
Once connected and enabled, your agent can:| Category | Capabilities |
|---|---|
| Data querying | SOQL queries, SOSL search, list objects, get field metadata |
| Record management | Get a record by ID, create, update, and delete records |
| Advanced operations | Direct REST API calls, bulk operations, and relationship queries |
Instruction Guardrails
CRM writes are consequential. A bad update can corrupt a record, create a duplicate, or overwrite data another rep entered. Add this block to your agent’s Instructions before enabling any write tools:Troubleshooting
| Issue | Solution |
|---|---|
| No permission to create Connected Apps | Contact your admin or use a free Developer Edition org |
| Invalid client credentials | Verify the Consumer Key and Secret were copied correctly |
| Redirect URI mismatch | The callback URL must be exactly https://studio.scoutos.com/oauth/salesforce/success |
| User hasn’t approved the app | Sign in as an authorized user and check app approval for the profile |
| Authentication failure | Verify you’re using the correct environment (Production vs. Sandbox) |
| Token expired | Open the Salesforce integration in Scout and click Reconnect |
| Insufficient privileges | Ensure proper permissions and object/field-level security |
| API limit exceeded | Monitor usage in System Overview and optimize your queries |
Next Steps
HubSpot
Connect HubSpot too — agents can use Salesforce and HubSpot tools in the same workflow.
Slack
Route pipeline summaries and deal alerts from Salesforce to team channels.
Gmail
Add email context to Salesforce-driven outreach workflows.
Integrations Overview
See the full integration stack and recommended connection order.