ADO.NET Provider for Salesforce

Build 24.0.9029

OAuth Scopes and Endpoints

Required Scopes and Endpoint Domains for Salesforce

When integrating with Salesforce, your application needs specific permissions to interact with the API.

These permissions are defined by access scopes, which determine what data your application can access and what actions it can perform.

This topic provides information about the required access scopes and endpoint domains for the Salesforce provider.

Understanding Scopes

Scopes are a way to limit an application's access to a user's data. They define the specific actions that an application can perform on behalf of the user.

For example, a read-only scope might allow an application to view data, while a full access scope might allow it to modify data.

Required Scopes for Salesforce

| Scope | Description |
| --- | --- |
| full | Allows access to all data accessible by the logged-in user, and encompasses all other scopes. Required for write access. |
| api | Allows access to the current, logged-in user’s account using APIs, such as REST API and Bulk API 2.0. This scope also includes chatter_api, which allows access to Connect REST API resources. Required for read access. |
| chatter_api | Allows access to Connect REST API resources on behalf of the user. |
| refresh_token | Allows a refresh token to be returned when the requesting client is eligible to receive one. With a refresh token, the app can interact with the user’s data while the user is offline. This token is synonymous with requesting offline_access. Required for read access. |
| id | Allows access to the identity URL service. You can request profile, email, address, or phone individually to get the same result as using id because they’re synonymous. Required for read access. |
| visualforce | Allows access to customer-created Visualforce pages only. This scope doesn’t allow access to standard Salesforce UIs. |
| web | Allows use of the access_token on the web. This scope also includes visualforce, allowing access to customer-created Visualforce pages. Required for read access. |
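
The scope relationships listed above can be checked mechanically when reviewing what a connected app has actually been granted. The following is an added example, not code from CData or Salesforce: the function names and sample scope strings are constructed for illustration, write use is assumed to need the read set as well, and leaving refresh_token out of what full covers follows Salesforce's own scope reference rather than this page.

```python
"""Audit granted Salesforce OAuth scopes against the required-scope list above."""

# Alternate names the list gives as synonymous with a scope.
SYNONYMS = {"offline_access": "refresh_token", "profile": "id",
            "email": "id", "address": "id", "phone": "id"}

# Scopes that include other scopes.
INCLUDES = {
    "api": {"chatter_api"},
    "web": {"visualforce"},
    # "full" encompasses the other scopes. Salesforce's scope reference adds
    # that it does not return a refresh token, so refresh_token is left out.
    "full": {"api", "chatter_api", "id", "visualforce", "web"},
}

# Scopes marked as required. Assumption: write use also needs the read set.
READ = {"api", "refresh_token", "id", "web"}
REQUIRED = {"read": READ, "write": READ | {"full"}}


def normalize(scope_string):
    """Split a space-separated scope string and map synonyms to listed names."""
    return {SYNONYMS.get(s, s) for s in scope_string.split()}


def effective(scopes):
    """Return the scopes plus every scope they include."""
    out = set(scopes)
    for s in scopes:
        out |= INCLUDES.get(s, set())
    return out


def audit(scope_string, mode):
    """Return (missing, excess) scope sets for mode 'read' or 'write'."""
    granted = normalize(scope_string)
    needed = REQUIRED[mode]
    missing = needed - effective(granted)   # required but not covered by the grant
    excess = granted - effective(needed)    # granted beyond what the mode needs
    return missing, excess


if __name__ == "__main__":
    # Constructed samples, shaped like the space-separated "scope" value
    # carried in an OAuth token response.
    for mode, scopes in [("read", "api web id offline_access"),
                         ("read", "full refresh_token"),
                         ("write", "full")]:
        missing, excess = audit(scopes, mode)
        print(f"{mode:5} {scopes!r}: missing={sorted(missing)} excess={sorted(excess)}")
```

A non-empty excess set for a read-only connection, such as full, marks a grant broader than the connection needs.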

Understanding Endpoint Domains

Endpoint domains are the specific URLs that the application needs to communicate with in order to authenticate, retrieve records, and perform other essential operations.

Allowlisting these domains ensures that the network traffic between your application and the API is not blocked by firewalls or security settings.

Note: Most users do not need to make any special configurations. Allowlisting is typically only necessary for environments with strict security measures, such as restricted outbound network traffic.

Required Endpoint Domains for Salesforce

| Domain | Always Required | Description |
| --- | --- | --- |
| test.salesforce.com | FALSE | The subdomain used to access sandbox instances of Salesforce. |
| <Site>.my.salesforce.com | TRUE | The domain of your Salesforce site. |
| <LoginURL> | FALSE | The login URL specified in LoginURL. The default value is login.salesforce.com. |
| <SSOLoginURL> | FALSE | The login URL of your SSO provider. Required when AuthScheme is set to OKTA, PingFederate, or ADFS. |
| <Subdomain>.onelogin.com | FALSE | The subdomain of onelogin.com specified in SSOProperties. Required if AuthScheme is set to OKTA. |
| <SSOExchangeURL> | FALSE | Your SSO Exchange URL. Required when AuthScheme is set to OKTA, PingFederate, ADFS, OneLogin, or AzureAD. |
| <Resource> | FALSE | The Azure AD resource URL specified in SSOProperties. Required when AuthScheme is set to AzureAD. |
| <RelyingParty> | FALSE | The URI of your ADFS relying party, specified in SSOProperties. Required when AuthScheme is set to ADFS. |

Copyright (c) 2024 CData Software, Inc. - All rights reserved.