Skill

sf-connected-apps

Configures Salesforce Connected Apps and External Client Apps for OAuth flows, JWT bearer auth, PKCE, scopes, and callback setups. Activates on .connectedApp-meta.xml or .eca-meta.xml files.

Oauth

JWT

authentication

security

npx claudepluginhub jaganpro/sf-skills

Tool Access

This skill is limited to using the following tools:

Bash Read Write Edit Glob Grep WebFetch AskUserQuestion TodoWrite

Preview

Use this skill when the user needs **OAuth app configuration** in Salesforce: Connected Apps, External Client Apps (ECAs), JWT bearer setup, PKCE decisions, scope design, or migration from older Connected App patterns to newer ECA patterns.

Supporting Assets

CREDITS.mdLICENSEREADME.mdassets/connected-app-basic.xmlassets/connected-app-canvas.xmlassets/connected-app-jwt.xmlassets/connected-app-oauth.xmlassets/eca-global-oauth.xmlassets/eca-oauth-settings.xmlassets/eca-policies.xmlassets/external-client-app.xmlreferences/example-usage.mdreferences/migration-guide.mdreferences/oauth-flows-reference.mdreferences/security-checklist.mdreferences/testing-validation-guide.md

SKILL.md

Similar Skills

salesforce-security-basics

1.9k

Guides Salesforce security for Connected Apps, OAuth scopes, integration users, credential storage, and field-level security. Use when securing API access or auditing configurations.

3 tools

salesforce-pack

sf-integration

388

Provides Salesforce integration architecture and scoring checklists for Named Credentials, External Services, REST/SOAP callouts, Platform Events, and CDC.

20 files

jaganpro-sf-skills-7

salesforce-development

36.4k

Provides expert patterns for Salesforce development: LWC with wire service and reactive data, bulkified Apex triggers and classes, REST/Bulk APIs, Connected Apps, Salesforce DX scratch orgs and 2GP.

antigravity-awesome-skills

Stats

Stars388

Forks88

Last CommitApr 8, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

sf-connected-apps: Salesforce Connected Apps & External Client Apps

Use this skill when the user needs OAuth app configuration in Salesforce: Connected Apps, External Client Apps (ECAs), JWT bearer setup, PKCE decisions, scope design, or migration from older Connected App patterns to newer ECA patterns.

When This Skill Owns the Task

Use sf-connected-apps when the work involves:

.connectedApp-meta.xml or .eca-meta.xml files
OAuth flow selection and callback / scope setup
JWT bearer auth, device flow, client credentials, or auth-code decisions
Connected App vs External Client App architecture choices
consumer-key / secret / certificate handling strategy

Delegate elsewhere when the user is:

configuring Named Credentials or runtime callouts → sf-integration
analyzing access / permission policy assignments → sf-permissions
writing Apex token-handling code → sf-apex
deploying metadata to orgs → sf-deploy

First Decision: Connected App or External Client App

If the need is...	Prefer
simple single-org OAuth app	Connected App
new development with better secret handling	External Client App
multi-org / packaging / stronger operational controls	External Client App
straightforward legacy compatibility	Connected App

Default guidance:

choose ECA for new regulated, packageable, or automation-heavy solutions
choose Connected App when simplicity and legacy compatibility matter more
Spring ’26 note: creation of new Connected Apps is disabled by default in orgs. For new integrations, prefer External Client Apps unless Connected App compatibility is explicitly required.

Required Context to Gather First

Ask for or infer:

app type: Connected App or ECA
OAuth flow: auth code, PKCE, JWT bearer, device, client credentials
client type: confidential vs public
callback URLs / redirect surfaces
required scopes
distribution model: local org only vs packageable / multi-org
whether certificates or secret rotation are required

Recommended Workflow

1. Choose the app model

Decide whether a Connected App or ECA is the better long-term fit.

2. Choose the OAuth flow

Use case	Default flow
backend web app	Authorization Code
SPA / mobile / public client	Authorization Code + PKCE
server-to-server / CI/CD	JWT Bearer
device / CLI auth	Device Flow
service account style app	Client Credentials (typically ECA)

3. Start from the right template

Use the provided assets instead of building from scratch:

assets/connected-app-basic.xml
assets/connected-app-oauth.xml
assets/connected-app-jwt.xml
assets/external-client-app.xml
assets/eca-global-oauth.xml
assets/eca-oauth-settings.xml
assets/eca-policies.xml

If you need source-controlled ECA OAuth security metadata, retrieve it from an org first and treat the retrieved file as the schema source of truth:

sf project retrieve start --metadata ExtlClntAppOauthSecuritySettings:<AppName> --target-org <alias>

4. Apply security hardening

Favor:

least-privilege scopes
explicit callback URLs
PKCE for public clients
certificate-based auth where appropriate
rotation-ready secret / key handling
IP restrictions when realistic and maintainable

5. Validate deployment readiness

Before handoff, confirm:

metadata file naming is correct
scopes are justified
callback and auth model match the real client type
secrets are not embedded in source

High-Signal Security Rules

Avoid these anti-patterns:

Anti-pattern	Why it fails
wildcard / overly broad callback URLs	token interception risk
`Full` scope by default	unnecessary privilege
PKCE disabled for public clients	code interception risk
consumer secret committed to source	credential exposure
no rotation / cert strategy for automation	brittle long-term ops

Default fix direction:

narrow scopes
constrain callbacks
enable PKCE for public clients
keep secrets outside version control
use JWT certificates or controlled secret storage where appropriate

Metadata Notes That Matter

Connected App

Usually lives under:

force-app/main/default/connectedApps/

External Client App

Current source-supported ECA metadata uses multiple top-level source directories, not a single externalClientApps/ folder:

force-app/main/default/externalClientApps/ → ExternalClientApplication (.eca-meta.xml)
force-app/main/default/extlClntAppGlobalOauthSets/ → ExtlClntAppGlobalOauthSettings (.ecaGlblOauth-meta.xml)
force-app/main/default/extlClntAppOauthSettings/ → ExtlClntAppOauthSettings (.ecaOauth-meta.xml)
force-app/main/default/extlClntAppOauthSecuritySettings/ → ExtlClntAppOauthSecuritySettings (.ecaOauthSecurity-meta.xml)
force-app/main/default/extlClntAppOauthPolicies/ → ExtlClntAppOauthConfigurablePolicies (.ecaOauthPlcy-meta.xml)
force-app/main/default/extlClntAppPolicies/ → ExtlClntAppConfigurablePolicies (.ecaPlcy-meta.xml)

Important file-name gotchas:

the global OAuth suffix is .ecaGlblOauth, not .ecaGlobalOauth
the general policy suffix is .ecaPlcy, not .ecaPolicy
use .ecaOauthSecurity for ExtlClntAppOauthSecuritySettings

Output Format

When finishing, report in this order:

App type chosen
OAuth flow chosen
Files created or updated
Security decisions
Next deployment / testing step

Suggested shape:

App: <name>
Type: Connected App | External Client App
Flow: <oauth flow>
Files: <paths>
Security: <scopes, PKCE, certs, secrets, IP policy>
Next step: <deploy, retrieve consumer key, or test auth flow>

Cross-Skill Integration

Need	Delegate to	Reason
Named Credential / callout runtime config	sf-integration	runtime integration setup
deploy app metadata	sf-deploy	org validation and deployment
Apex token or refresh handling	sf-apex	implementation logic
permission review after deployment	sf-permissions	access governance

Reference Map

Start here

Migration / examples

Score Guide

Score	Meaning
80+	production-ready OAuth app config
54–79	workable but needs hardening review
< 54	block deployment until fixed