Salesforce Connector
The Salesforce connector enables the indexing of Salesforce objects, such as Accounts and Opportunities, using the Salesforce REST API by creating an External Client App in your Salesforce instance.
Note: Salesforce’s External Client Apps (ECA) are the successor to the legacy Connected Apps and follow a least-privilege model with explicit permission grants.
Setup External Client App
Note: The setup assumes that you are using the lightning experience of Salesforce.
As a best practice, we recommend creating a new user account or identifying an existing user account to be used for integrations. This user will be granted access to the External Client App in a later step.
- As an administrator, navigate to Setup.
- In the Quick Find box, search for “External Client App Manager” and open it.
- Click “New External Client App”.
- Choose an
External Client App NameandAPI Name, e.g. Atolio. - Choose an email for
Contact Email. - (Optional) For
Logo Image URLand/orIcon URL, you can use the Atolio logo here.
- Under “API (Enable OAuth Settings)”, select
Enable OAuth.
- For
Callback URL, enter a valid URL (e.g. https:/) — Atolio does not use this login flow for authentication. - For
Selected OAuth Scopes, add only the “Manage user data via APIs (api)” scope. Do not add the “Full access (full)” scope — Salesforce now rejects token requests for External Client Apps configured with overly broad scopes. - Under “Flow Enablement”, check
Enable Client Credentials Flowand acknowledge the security prompt.
- Click “Create” to save the External Client App.
Next, configure the app’s policies:
- From the External Client App Manager, open your new app and go to the “Policies” tab, then click “Edit”.
- Under “OAuth Policies”:
- Set
Permitted Usersto “Admin approved users are pre-authorized”. - Under “Client Credentials Flow”, set
Run Asto the integration user identified above.
- Save the policy changes.
Finally, grant the integration user access to the External Client App. Unlike Connected Apps, ECAs require explicit assignment via a permission set (profile-based access is not supported):
- From Setup, navigate to “Permission Sets” and click “New”.
- Give the permission set a name (e.g.
Atolio External Client App Access) and save. - Open the new permission set and go to “External Client App Access Settings” (or “Assigned External Client Apps”, depending on your org).
- Enable your Atolio External Client App.
- Assign this permission set to the integration user identified above.
Provide Configuration
To obtain the necessary client credentials:
- From the External Client App Manager, open your Atolio app and go to the “Settings” tab.
- Under “OAuth Settings”, click “Consumer Key and Secret” → “Manage Consumer Details”.
- Copy the “Consumer Key” and “Consumer Secret” to be shared with your Deployment Engineer.
Provide the following values to your Deployment Engineer for them to configure in Atolio:
base_urlis the URL of your Salesforce tenant, e.g. https://yourcompany.my.salesforce.com.client_idis the “Consumer Key” of the External Client App you created.client_secretis the “Consumer Secret” of the External Client App you created.
Streaming Configuration
To periodically sync updates in Salesforce to the Atolio index, we need to set the cron-spec. The recommended value is (*/10 * * * *). This would fetch updates from Salesforce every 10 minutes. We also need to set complete_backfill_frequency. This, alongside the cron-spec, controls how often the connector performs a complete backfill of the data (to capture ACL changes). For example, setting a value of 24 would mean that every 24th call to backfill would be a complete fill. This combined with a cron-spec of every 10 minutes, a complete backfill would happen every 4 hours. The recommended value is 48 so a complete backfill happens every 8 hours. This value can be tweaked to reduce the number of API calls. Generally, we want to use a higher value for larger datasets so the connector performs a complete backfill less frequently.