If you are trying to test Salesforce APIs, wrestling with OAuth 2.0 can initially feel like a massive roadblock. However, knowing how to generate access tokens manually and securely is a foundational, non-negotiable skill for any modern Salesforce Developer, Integration Specialist, or Architect.
In this tutorial, we break down the most important OAuth flow for Salesforce API integrations in which a real user has to log in. We show exactly how to execute the raw HTTP requests in Postman so you can start testing your endpoints immediately.
Why Use the Authorization Code Flow in Salesforce?
When integrating Salesforce with external systems, there are multiple OAuth 2.0 flows available. You should use the Authorization Code and Credentials Flow when a specific user needs to explicitly grant an external application (like Postman, or a custom web app) access to their Salesforce data.
Unlike automated server-to-server integrations, this flow ensures that actions taken via the API are strictly bound to the logged-in user’s profile, respecting their specific Object-Level Security (CRUD) and Field-Level Security (FLS) settings.
We are going to execute this integration flow exactly how an external web server would: by manually requesting a temporary code and securely exchanging it for a permanent access token.

Step-by-Step: Executing the Authorization Code and Credentials Flow
Step 1: Configure the External Client App in Salesforce
First, we need to configure your Salesforce org to trust the Postman requests we are about to send.
Navigate to Setup → OAuth and OpenID Connect Settings → enable Allow Authorization Code and Credentials Flows.

Navigate to Setup → External Client App Manager → New External Client App.
Fill out the basic identity details (Name, Contact Email, etc.).
Check the Enable OAuth Settings box and configure the following parameters:
- Callback URL: https://login.salesforce.com/services/oauth2/success
- Selected OAuth Scopes: add Access and manage your data (api) and Perform requests at any time (refresh_token, offline_access)
- Enable the Enable Authorization Code and Credentials Flow setting
- Security: enable Require Secret for Web Server Flow and Require Secret for Refresh Token Flow
Save the External Client App configuration.

Step 2: Open the Authorization URL in Your Browser
To start the OAuth process, we need to ask Salesforce for an Authorization Code. You do not initiate this step in Postman or any other API client; it must be done in a standard web browser so that the Salesforce login UI can be rendered.
Construct the following URL to request the Authorization Code. This is the link we will paste into the browser:
https://ddl00000bdkwxua1-dev-ed.develop.my.salesforce.com/services/oauth2/authorize?response_type=code&client_id=3MVG9GCMQoQ6rpzQhmQwSxbjoQQc_zkS78zbnvdajIwkx_5k5a3yyGW.zZhi2vP3NVyTo3zihhFz.2mXUz8hb&redirect_uri=https://login.salesforce.com/services/oauth2/success
Let's break down the components of this link:
- Your Salesforce org domain: https://ddl00000bdkwxua1-dev-ed.develop.my.salesforce.com
- Salesforce OAuth authorization endpoint: /services/oauth2/authorize
- response_type=code: asks Salesforce to return an authorization code rather than a token
- Consumer key: client_id=3MVG9GCM...
- redirect_uri=https://login.salesforce.com/services/oauth2/success: must match the Callback URL configured in Step 1
Step 3: Login and Capture the Authorization Code
Paste the generated URL into your browser. It will load the standard Salesforce login screen; log in to your org with your credentials.
Salesforce will prompt you with an “Allow Access” screen for the External Client App. Click Allow.

You will immediately be redirected to a blank screen or a simple success page.

Look closely at the URL in your browser’s address bar. It will look similar to this:
https://login.salesforce.com/services/oauth2/success?code=aPrxp.7fR25AS7OUCn1UI1rnYw4LNtwERXa.bIPQy_Z8YFz.BIezsvRJTIJ0EQydQ4jUUxHSiQfNuBj2uVSq4dBhkWCuc_w%3D
Carefully copy the exact value that follows code=. This long alphanumeric string is your temporary Authorization Code.
⚠️ Developer Alert: This is the exact step where many developers fail on their first integration attempt!
The code you receive in the URL is URL-encoded. Frequently it ends with %3D, which is the encoded form of =.
Decode it before use: replace the trailing %3D with = (compare the code at the end of the Step 4 request, which ends in =), then use the decoded value as the code parameter in Postman.
Step 4: Exchange the Code for an Access Token in Postman
Now, we transition over to Postman. We are going to trade that temporary authorization code for a usable Salesforce Access Token.
- Create a brand new Request in Postman.
- Method: POST
- URL: Construct the endpoint URL with your parameters directly embedded:
https://ddl00000bdkwxua1-dev-ed.develop.my.salesforce.com/services/oauth2/token?grant_type=authorization_code&client_id=3MVG9GCMQoQ6rpzQhmQwSxbjoQQc_zkS78zbnvdajIwkx_5k5a3yyGW.zZhi2vP3NVyTo3zihhFz.2mXUz8hb&client_secret=2D5BAEA39D95D82932253F634D0AB2FBB9FBAC364C0DAA3AD118EFD4D83513CE&redirect_uri=https://login.salesforce.com/services/oauth2/success&code=aPrxp.7fR25AS7OUCn1UI1rnYw4LNtwERXa.bIPQy_Z8YFz.BIezsvRJTIJ0EQydQ4jUUxHSiQfNuBj2uVSq4dBhkWCuc_w=
Here is the breakdown of the request above, which we send from Postman to obtain the access token:
- Domain: https://ddl00000bdkwxua1-dev-ed.develop.my.salesforce.com
- OAuth token endpoint: /services/oauth2/token
- grant_type=authorization_code
- client_id: the consumer key from Step 1
- client_secret: the consumer secret from Step 1
- redirect_uri: the same Callback URL used in Step 2
- code: the decoded Authorization Code from Step 3
Hit Send. Salesforce will validate the code and respond with your secure token payload:

The response contains the access token, which we can now use to fetch or post data.
Common OAuth API Errors & Troubleshooting
Salesforce OAuth setups rarely execute perfectly on the very first try. If you hit an authentication roadblock, here are the most common Salesforce API errors and exactly how to resolve them:
Error: error=redirect_uri_mismatch
- What it means: The redirect_uri you sent in your Postman request does not exactly match the Callback URL configured in your Salesforce External Client App.
- The Fix: Ensure both locations use exactly https://login.salesforce.com/services/oauth2/success. Check for accidental trailing slashes, spaces, or protocol typos (such as http instead of https).
Error: invalid_grant (Authentication Failure)
- What it means: Salesforce outright rejected your credentials.
- The Fix:
First, verify that you did not accidentally copy a blank space when pasting your Client ID or Secret.
Second (and most commonly), you did not wait long enough. External Client App configuration changes take 5-10 minutes to sync across Salesforce's infrastructure. Give it 10 minutes and fire the request again.
Error: invalid_grant (Authorization Code Expired)
- What it means: The authorization code you copied from your browser in Step 3 has a very short lifespan (typically just a few minutes) and can only be consumed once.
- The Fix: Repeat Step 2 to generate a brand new temporary code in your browser, copy it, and immediately execute the POST request in Postman.
Error: 401 Unauthorized / Session expired or invalid (On the API Call)
- What it means: You successfully generated the token, but Salesforce rejected your actual REST API call.
- The Fix: Validate your header formatting. The key must be exactly Authorization, and the value must be the word Bearer followed by a single space and then the token itself: Bearer 00Dxx....
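Steps 2 to 4 above, together with the 401 header check, scripted end to end as an added example (not code from the original post): it builds the authorize URL, URL-decodes the code from the success-page URL, builds the token request and forms the Bearer header. One deliberate difference from the Postman request above: the client secret and code are sent in the POST body instead of the query string, so they do not end up in proxy or server logs. My Domain, consumer key and secret are placeholders you supply; only exchange_code touches the network.

```python
"""Salesforce OAuth 2.0 Authorization Code flow, scripted (added example)."""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Same Callback URL as configured in Step 1 of the tutorial.
CALLBACK_URL = "https://login.salesforce.com/services/oauth2/success"


def build_authorize_url(my_domain, client_id, redirect_uri):
    """Step 2: the URL to open in a browser (urlencode escapes redirect_uri)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri}
    return f"{my_domain}/services/oauth2/authorize?{urlencode(params)}"


def extract_code(redirect_url):
    """Step 3: pull the code out of the success-page URL.

    parse_qs URL-decodes the value, so a trailing %3D comes back as '=',
    the form the token endpoint expects. An error redirect (for example
    error=redirect_uri_mismatch) is reported instead of silently ignored.
    """
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(my_domain, client_id, client_secret, redirect_uri, code):
    """Step 4: POST to /services/oauth2/token with the parameters in the body."""
    body = urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "client_secret": client_secret,
                      "redirect_uri": redirect_uri, "code": code}).encode()
    return urllib.request.Request(
        f"{my_domain}/services/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def bearer_header(access_token):
    """REST call header: key 'Authorization', value 'Bearer <one space><token>'."""
    return {"Authorization": f"Bearer {access_token.strip()}"}


def exchange_code(request):
    """Send the token request and return the JSON payload (needs network)."""
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)
```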
Summary
Mastering the Authorization Code flow gives you absolute control over your Salesforce API testing environment.
Drop a comment below or share this tutorial with a fellow Salesforce developer who is stuck on API authentication!
Discover more from Trigger Hours