A secure web app redirects users to Salesforce to log in, retrieves an authorization code, and exchanges it on a backend server for access and refresh tokens.
OAuth 2.0 Web Server Flow
A backend script must authenticate without user interaction using only a username, password, and security token.
OAuth 2.0 Username–Password Flow
Two servers need to communicate securely with no user involvement using signed certificates for authentication.
OAuth 2.0 JWT Bearer Flow
A smart TV or kiosk app needs users to authenticate on a separate browser or device because typing credentials directly on the device is impractical.
OAuth 2.0 Device Flow
Your company uses single sign-on with an enterprise identity provider. Salesforce is the service provider receiving authentication assertions.
SAML Assertion Flow
An integration requires long-term access without repeated logins. After the first login, the app can request new access tokens automatically.
OAuth 2.0 Refresh Token Flow
Salesforce must call an external API using stored credentials without writing custom authentication code.
Named Credentials
You need to control whether a user or integration has access to specific objects, fields, and records inside Salesforce.
Authorization (Profiles & Permission Sets)
An external system relies on Salesforce to authenticate users; Salesforce is acting as the Identity Provider.
Salesforce as Identity Provider (IdP)
An older integration uses a one-time token appended to the password for API authentication, which will eventually be deprecated.
Security Token (Legacy)
