Integration Flows

Learn All About the Types of Integration Flows | Salesforce Integration

Types of flows (Integration)  

1. Oauth 2.0:

 Defines how to securely delegate user authentication to grant authorization. 

Enables the third-party applications to get a temporarily limited authorization to access a protected resource on a behalf of the user. 

2. Resource Owner:

One who owns the credentials and approves the authorization. 

a) In a web app, it is the user. 

b) In a machine-to-machine application, it is the server. 

3. Resource Server:

Server hosting the protected resources. 

Client: Application making the protected resource requests on behalf of the resource owner. 

Public Client: Applications executing inside the browser like SPA, Mobile Apps. 

Confidential clients: Web Applications using Nodejs, spring boot, and Machine-to-Machine Application server. 

dont miss out iconDon't forget to check out: Explore Record Triggered Flow | Learn Salesforce Lightning Flows | Flow Builder Videos

4. Grant Flows:

Grant Flows are ways of retrieving an access token. 

Varies depends on the application types: 

  • Web apps 
  • Single Page app 
  • Native app 
  • Machine To Machine App
    Example - Authorization Code Grant flow, Authorization Code Grant flow with PKCE etc. 

5. JWT Bearer Token Flow:

This flow uses a certificate to sign the JWT request and doesn’t require user interaction. 

Certificate -To authenticate  

Do not have a concept of the refresh token  

An only access token is present  

It has three components: 

a) Header: {“alg”:RS256} 

b) Playload: (“Iss,aud,sub,exp”) 

c) Signature: It is the certificate that we will generate. 

In order to authorize server-to-server integration, you can use the OAuth 2.0 JSON Web Token (JWT) bearer flow. This flow must be approved by the client. 

  1. The report service begins its nightly batch report. 
  2. The connected app sends the JWT, which enables the sharing of identity and security information to be shared across security domains, to the Salesforce token endpoint. 
  3. Salesforce validates the JWTs based on a signature using a previously configured certificate and additional parameters. 
  4. Assuming that the JWT is valid and that the connected app has prior approval, Salesforce issues an access token. Prior approval happens in one of these ways. 
    • If your connected app policy is set to “Admin-approved users are pre-authorized,” you can use profiles and permission sets. 
    • If your connected app policy is set to “All users may self-authorize,” you can use end-user approval and issuance of a refresh token. However, the client doesn’t need a current or stored refresh token. The client also doesn’t need to pass a client secret to the token endpoint. 
  5. The connected app uses the access token to access the protected data on the Salesforce server. 
  6. The report service pulls the authorized data into its nightly report. 

6. Client-Credential:

Client credential grant type focuses on authorizing an application to act on its own behalf. 

This grant type is better suited for Machine to Machine communication because it does not require human intervention  

No additional authorization request is needed. 

dont miss out iconCheck out another amazing blog by Navdita here: Best Practices to Avoid Excessive SOAP and REST API DML | Salesforce Developer Guide

7. User Agent Flow:

You can build mobile applications as connected apps using Salesforce Mobile SDK, though it is not necessary. These apps can access Salesforce Oauth services and call Salesforce REST APIs. 

Currently used for Salesforce Mobile SDK and Mobile Publisher. 


  1. Access tokens in URLs are easily leaked:
    • In browser referrals
    • From browser history  
  2. 2 Multiple security vulnerabilities possible.

8. Web App Integration (OAuth 2.0 Web Server Flow):

The OAuth 2.0 web server flow, enables external web applications to integrate with Salesforce APIs. The server hosting the web app must be able to protect the connected app’s identity, defined by the client ID and client secret. 

For example, the order status data is stored securely in your Salesforce CRM platform, so to enable Help Desk users to view a customer’s order status, you develop an Order Status app and configure it. 



Popular Salesforce Blogs