Salesforce MCP Server
Create a powerful Model Context Protocol (MCP) server for Salesforce APIs in minutes with our AI Gateway. This guide walks you through setting up seamless CRM integration with enterprise authentication including OAuth 2.0 and JWT Bearer Flow.
About Salesforce APIs
Salesforce provides a comprehensive suite of REST and SOAP APIs that enable access to all Salesforce functionality, from core CRM operations to advanced platform features. The APIs support multiple authentication methods and offer extensive customization capabilities.
Key Capabilities
- CRM Operations: Complete customer relationship management
- Sales Cloud: Lead and opportunity management
- Service Cloud: Case and knowledge management
- Marketing Cloud: Campaign and email automation
- Platform APIs: Custom objects and workflows
- Analytics: Reports and dashboards
- AppExchange: Third-party integrations
- Lightning Platform: Custom app development
API Features
- REST API: JSON-based modern API
- SOAP API: Enterprise-grade XML API
- Bulk API: High-volume data operations
- Streaming API: Real-time event notifications
- Metadata API: Configuration and deployment
- Tooling API: Development and debugging
- Connect API: Social collaboration features
- Analytics API: Report and dashboard data
OAuth 2.0 Scopes Reference
Salesforce OAuth 2.0 uses scopes to define the level of access granted to your application. Understanding these scopes is crucial for proper API integration.
Core API Scopes
api
- Description: Allows access to the current, logged-in user's account using APIs
- Access: REST API, Bulk API 2.0, SOAP API
- Use Cases: Standard API operations, data retrieval and manipulation
- Security: User-level access only
refresh_token
- Description: Allows a refresh token to be returned when the requesting client is eligible
- Access: Token refresh capabilities
- Use Cases: Long-running applications, server-to-server authentication
- Security: Enables persistent authentication
id
- Description: Allows access to the identity URL service
- Access: User identity information, profile data
- Use Cases: User profile retrieval, identity verification
- Security: Personal information access
Advanced Scopes
custom_permissions
- Description: Allows access to custom permissions in an org associated with the connected app
- Access: Organization-specific custom permissions
- Use Cases: Enterprise applications with custom security models
- Security: Org-level permission validation
chatter_api
- Description: Allows access to Connect REST API resources on behalf of the user
- Access: Chatter feeds, groups, messages, files
- Use Cases: Social collaboration features, activity streams
- Security: Social network data access
visualforce
- Description: Allows access to customer-created Visualforce pages only
- Access: Custom Visualforce page content
- Use Cases: Custom UI components, embedded applications
- Security: Limited to Visualforce pages
web
- Description: Allows use of the access_token on the web
- Access: Web-based authentication flows
- Use Cases: Browser-based applications, hybrid mobile apps
- Security: Web session management
full
- Description: Allows access to all data accessible by the logged-in user
- Access: Complete user permissions, all scopes combined
- Use Cases: Administrative applications, data migration tools
- Security: Maximum access level - use with caution
Specialized Scopes
offline_access
- Description: Allows long-lived refresh tokens
- Access: Extended authentication sessions
- Use Cases: Background services, scheduled operations
- Security: Persistent access without user interaction
openid
- Description: OpenID Connect compliance
- Access: Standard identity claims
- Use Cases: SSO integration, identity federation
- Security: Standards-based identity
JWT Bearer Flow Authentication
The JWT Bearer Flow enables server-to-server authentication without user interaction, ideal for integration scenarios.
Prerequisites
- Salesforce Connected App
- Digital certificate (self-signed or CA-signed)
- Private key for JWT signing
- User account with API access
What You Can Do with Salesforce MCP Server
The MCP server transforms Salesforce APIs into a natural language interface, enabling AI agents to:
CRM Operations
- Lead Management
  - "Create new lead from contact form"
  - "Convert qualified leads to opportunities"
  - "Update lead status and assign to sales rep"
  - "Find leads by criteria and score"
- Account Management
  - "Create enterprise account with hierarchy"
  - "Update account information and relationships"
  - "Find accounts by industry and size"
  - "Merge duplicate account records"
- Contact Management
  - "Add contact to existing account"
  - "Update contact preferences and roles"
  - "Find contacts by title and company"
  - "Track contact interaction history"
Sales Operations
- Opportunity Management
  - "Create opportunity from qualified lead"
  - "Update opportunity stage and probability"
  - "Add products to opportunity with pricing"
  - "Generate opportunity forecast report"
- Quote and Product Management
  - "Create quote from opportunity"
  - "Add products with custom pricing"
  - "Generate PDF quote document"
  - "Track quote approval workflow"
- Activity Tracking
  - "Log sales call with next steps"
  - "Schedule follow-up meeting"
  - "Track email engagement metrics"
  - "Create task reminders for team"
Service Operations
- Case Management
  - "Create support case from email"
  - "Escalate case to next tier"
  - "Update case status and resolution"
  - "Link cases to knowledge articles"
- Knowledge Management
  - "Create knowledge article from case"
  - "Update article with latest solutions"
  - "Find articles by category and keywords"
  - "Track article usage analytics"
Data Operations
- Bulk Operations
  - "Import 10,000 contacts from CSV"
  - "Update account territories in batch"
  - "Delete duplicate records"
  - "Export opportunity data for analysis"
- Data Quality
  - "Find and merge duplicate records"
  - "Validate email addresses and phones"
  - "Standardize address formatting"
  - "Update data based on external sources"
Prerequisites
- Access to Cequence AI Gateway
- Salesforce Developer/Production Org
- System Administrator permissions
- Connected App creation rights
Step 1: Configure Salesforce Connected App
Prerequisites
- Salesforce Developer Account (free at developer.salesforce.com)
- System Administrator or equivalent permissions in your Salesforce org
1.1 Access Salesforce Setup
- Log into your Salesforce org
- Navigate to Setup:
  - Click the gear icon (⚙️) in the top-right corner
  - Select Setup from the dropdown menu
1.2 Navigate to App Manager
In Setup, use Quick Find:
- Type "App Manager" in the Quick Find box (left sidebar)
- Click App Manager under Platform Tools
Alternative navigation:
- Platform Tools → Apps → App Manager
1.3 Create a Connected App
- Click "New Connected App" button (top-right)
- Fill out Basic Information:
  - Connected App Name: Your app name (e.g., "AI Gateway Salesforce Integration")
  - API Name: Auto-populated from the app name
  - Contact Email: Your email address
  - Description: Optional description of your app (e.g., "MCP server integration for AI Gateway")
1.4 Configure API (Enable OAuth Settings)
- Check "Enable OAuth Settings" checkbox
- Set Callback URL: https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback
- Select OAuth Scopes (minimum required):
  - ✅ Access your basic information (id, profile, email, address, phone)
  - ✅ Manage user data via APIs (api)
  - ✅ Perform requests on your behalf at any time (refresh_token, offline_access)
- Additional recommended scopes:
  - ✅ Access and manage your data (full)
  - ✅ Provide access to your data via the Web (web)
  - ✅ Access Connect REST API resources (chatter_api)
  - ✅ Access custom permissions (custom_permissions)
  - ✅ Access your Visualforce pages (visualforce)
1.5 Configure Additional Settings
OAuth Policies (recommended settings):
- Permitted Users: Admin approved users are pre-authorized
- IP Relaxation: Relax IP restrictions (for development)
- Refresh Token Policy: Immediately expire refresh token
Click "Save"
1.6 Retrieve Your Credentials
After saving, you'll be redirected to the Connected App detail page:
- Consumer Key = Client ID
  - Copy this value for your OAuth configuration
  - This is your public identifier
- Consumer Secret = Client Secret
  - Click "Click to reveal" to show the secret
  - Copy this value (keep it secure!)
  - This is your private credential (a shared client secret, not the private key used for JWT signing)
1.7 Configure User Access (Important!)
- Manage Connected Apps:
  - From the Connected App detail page, click Manage
  - Or navigate to: Setup → Connected Apps → Manage Connected Apps
- Edit Policies:
  - Permitted Users: Select appropriate option:
    - "Admin approved users are pre-authorized" (recommended for testing)
    - "All users may self-authorize"
  - IP Relaxation: Set to "Relax IP restrictions" for development
1.8 Configure Digital Signatures (for JWT Bearer Flow)
If using JWT Bearer Flow for server-to-server authentication:
- Check "Use digital signatures"
- Upload your certificate file (.crt)
- Save the Connected App
1.9 OAuth Configuration for AI Gateway
Authorization URL:
https://login.salesforce.com/services/oauth2/authorize
Token URL:
https://login.salesforce.com/services/oauth2/token
Required OAuth Parameters:
- Client ID: Your Consumer Key from the Connected App
- Client Secret: Your Consumer Secret from the Connected App
- Redirect URI: https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback
- Scopes: api refresh_token id
Common Issues & Solutions
Issue | Solution |
---|---|
"Invalid Client ID" | Ensure you're using the Consumer Key, not the Consumer Secret |
"Redirect URI Mismatch" | Callback URL in your request must exactly match the one in your Connected App |
"User hasn't approved this consumer" | Check the Permitted Users setting in your Connected App policies |
"Invalid Grant" | Authorization code may have expired (they are short-lived) |
Security Best Practices
- ✅ Keep your Consumer Secret secure - never expose it in client-side code
- ✅ Use HTTPS for all callback URLs in production
- ✅ Implement proper token refresh logic in your application
- ✅ Use appropriate OAuth scopes - only request what you need
- ✅ Set up IP restrictions in production environments
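The settings from steps 1.4 to 1.7 checked against the practices above, as an added example (not part of this guide's tooling or of any Salesforce or Cequence product). The dictionary keys, the severity labels and both sample configurations are assumptions constructed for the sketch; the option strings are the ones the Connected App policy screens use.

```python
from urllib.parse import urlparse

# Minimum scope set from step 1.9 of this guide.
MINIMUM_SCOPES = {"api", "refresh_token", "id"}
PERSISTENT_SCOPES = {"refresh_token", "offline_access"}


def audit_connected_app(cfg):
    """Return (severity, finding) pairs for one Connected App.
    The cfg keys are hypothetical names for the settings in steps 1.4-1.7,
    not a Salesforce export format.
    """
    findings = []
    scopes = set(cfg["scopes"].split())
    prod = cfg["environment"] == "production"

    # 'full' covers api and id, but Salesforce only returns a refresh token
    # when refresh_token is requested explicitly.
    covered = scopes | ({"api", "id"} if "full" in scopes else set())
    missing = MINIMUM_SCOPES - covered
    if missing:
        findings.append(("error", "missing scopes: " + " ".join(sorted(missing))))
    if "full" in scopes:
        findings.append(("high", "scope 'full' exposes all data the user can reach"))
    extra = scopes - MINIMUM_SCOPES - {"full", "offline_access"}
    if extra:
        findings.append(("review", "beyond minimum: " + " ".join(sorted(extra))))

    if urlparse(cfg["callback_url"]).scheme != "https":
        findings.append(("high", "callback URL is not HTTPS"))
    if prod and cfg["ip_relaxation"] == "Relax IP restrictions":
        findings.append(("high", "IP restrictions relaxed in production"))
    if prod and cfg["permitted_users"] == "All users may self-authorize":
        findings.append(("medium", "any user can self-authorize the app"))
    if (scopes & PERSISTENT_SCOPES
            and cfg["refresh_token_policy"] == "Immediately expire refresh token"):
        findings.append(("medium", "refresh scopes requested, but refresh tokens expire immediately"))
    return findings


# Constructed sample: the guide's additional scopes and development
# policies carried unchanged into a production deployment.
SAMPLE = {
    "environment": "production",
    "callback_url": "https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback",
    "scopes": "api refresh_token offline_access id full web chatter_api "
              "custom_permissions visualforce",
    "ip_relaxation": "Relax IP restrictions",
    "permitted_users": "Admin approved users are pre-authorized",
    "refresh_token_policy": "Immediately expire refresh token",
}
# Constructed sample: minimum scopes with production policies.
MINIMAL = dict(SAMPLE, scopes="api refresh_token id",
               ip_relaxation="Enforce IP restrictions",
               refresh_token_policy="Refresh token is valid until revoked")

if __name__ == "__main__":
    for severity, finding in audit_connected_app(SAMPLE):
        print(f"{severity:7} {finding}")
```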
Step 2: Access AI Gateway
- Navigate to AI Gateway Console
- Sign in with your account credentials
- Select your organization workspace
Step 3: Find Salesforce API
- Click "Create New Integration"
- Search for "Salesforce" in the API catalog
- Select "Salesforce REST API"
- Click "Create MCP Server"
Step 4: Create MCP Server
- Choose your integration template
- Configure server settings
- Set up authentication parameters
Step 5: Configure API Endpoints
- Base URL: Enter your Salesforce instance URL: https://yourcompany.my.salesforce.com (or similar)
- API Version: Select v58.0 (latest)
- Select required endpoints for your integration
- Click Next
Step 6: MCP Server Configuration
- Server Name: "Salesforce CRM Integration"
- Description: "AI Gateway integration for Salesforce APIs"
- Environment: Select Production
- Click Next
Step 7: Configure OAuth Authentication
- Authentication Type: OAuth 2.0
- Authorization URL: https://login.salesforce.com/services/oauth2/authorize
- Token URL: https://login.salesforce.com/services/oauth2/token
- Client ID: Enter your Consumer Key from Connected App
- Client Secret: Enter your Consumer Secret from Connected App
- Scopes: Select required OAuth scopes:
  - api - Access and manage your data
  - refresh_token - Perform requests on your behalf at any time
  - id - Access your basic information
  - custom_permissions - Access custom permissions in your org
  - chatter_api - Access Connect REST API resources (Chatter feeds, groups, messages)
  - visualforce - Access your Visualforce pages
  - web - Access the web (allows use of access token on the web)
  - full - Access all data accessible by the logged-in user (includes all other scopes)
Available Salesforce API Operations
Based on the Salesforce Platform API specification (v63.0), your AI Gateway MCP server provides access to comprehensive Salesforce functionality:
Core Resource Operations
- API Version Discovery
  - listApiVersions - Get available REST API versions
  - listResources - Discover available resources for API version
Schema & Metadata Operations
- Object Discovery
  - listAllObjects - Get all available objects in your organization
  - describeObject - Retrieve metadata for specific object types
  - Object field definitions, picklist values, and relationships
Sales Cloud Operations
- Account Management
  - describeAccount - Account object metadata and field definitions
  - Create, read, update, delete Account records
  - Account hierarchy and relationship management
- Lead Management
  - describeLead - Lead object metadata and field definitions
  - Lead creation, qualification, and conversion workflows
  - Lead assignment and routing capabilities
- Opportunity Management
  - describeOpportunity - Opportunity object metadata and field definitions
  - Sales pipeline management and forecasting
  - Opportunity stage progression and probability tracking
Service Cloud Operations
- Case Management
  - describeCase - Case object metadata and field definitions
  - Customer support case creation and resolution
  - Case escalation and assignment workflows
- Solution Management
  - describeSolution - Solution object metadata and field definitions
  - Knowledge base article management
  - Solution linking and categorization
CRUD Operations (All Objects)
- Record Management
  - createRecord - Create new records for any object type
  - getRecord - Retrieve records by ID with field selection
  - updateRecord - Update existing records with partial data
  - deleteRecord - Delete records by ID
Query & Search Operations
- SOQL Queries
  - executeQuery - Run SOQL queries with relationships and filtering
  - Support for SELECT statements, WHERE clauses, ORDER BY, LIMIT
  - Aggregate functions (COUNT, SUM, AVG, MIN, MAX)
  - Date functions and grouping operations
- SOQL Query All
  - executeQueryAll - Include deleted and archived records in results
  - Historical data analysis and audit trail queries
- SOSL Search
  - executeSearch - Full-text search across multiple objects
  - Cross-object search with RETURNING clauses
  - Field-specific search targeting
Bulk Operations
- Composite Requests
  - executeComposite - Execute multiple operations in single request
  - Dependent operations with reference IDs
  - All-or-none transaction handling
- Batch Processing
  - executeBatch - Execute multiple independent operations
  - Up to 25 operations per batch request
  - Parallel processing for improved performance
- Bulk API 2.0
  - createBulkJob - Create jobs for large-scale data operations
  - Support for INSERT, UPDATE, UPSERT, DELETE operations
  - CSV data processing with configurable delimiters
  - Asynchronous job monitoring and status tracking
Analytics Cloud Operations
- Report Management
  - listReports - Get available reports with search capabilities
  - getReport - Execute reports and retrieve data with metadata
  - Report filtering and parameter customization
Organization Management
- Limits & Monitoring
  - getOrganizationLimits - Monitor API usage and org limits
  - Daily API request tracking
  - Storage limit monitoring (Data and File storage)
  - Bulk API and Streaming API usage tracking
Authentication & Security
- OAuth 2.0 Flows
  - Authorization Code flow for web applications
  - Client Credentials flow for machine-to-machine
  - JWT Bearer flow for server-to-server integration
  - Username-Password flow for trusted applications
- Session Management
  - Session ID authentication for SOAP API compatibility
  - Token refresh and renewal capabilities
Error Handling & Validation
- Comprehensive Error Responses
  - Field validation errors with specific field identification
  - Permission and access control error handling
  - Required field validation and data type checking
  - Record not found and resource limit exceeded handling
Advanced Features
- Record Type Support
  - Multiple record type handling for objects
  - Record type availability and permission checking
- Relationship Navigation
  - Parent-child relationship queries
  - Lookup and master-detail relationship traversal
  - Cross-object reference field handling
- Field-Level Security
  - Respect user permissions and field-level access
  - Create, read, update permissions per field
  - Custom permission validation
Custom Development Support
- Custom Object Operations
  - Full CRUD operations on custom objects (suffix __c)
  - Custom field management and validation
  - Custom metadata type support
Step 8: Security Configuration
- Access Control: Configure user permissions
- Rate Limiting: Set API call limits
- Monitoring: Enable request logging
- Click Next
Step 9: Review & Deploy
- Review all configuration settings
- Test the OAuth connection
- Deploy Server: Click "Deploy MCP Server"
Step 10: Verification
- Confirm server deployment status
- Test API connectivity with Salesforce
- Verify OAuth token refresh functionality
Using Your Salesforce MCP Server
With Claude Desktop
{
  "servers": {
    "salesforce-crm": {
      "url": "https://your-server.aigateway.cequence.ai",
      "auth": {
        "type": "oauth2"
      }
    }
  }
}
Example Queries
- "Show me all open opportunities over $50K"
- "Create a new account for Acme Corporation"
- "Update lead status to qualified and assign to John"
- "Find all contacts at technology companies in California"
- "Generate a report of cases created this week"
Common Use Cases
Sales Automation
- Lead qualification and routing
- Opportunity pipeline management
- Quote and proposal generation
- Sales forecasting and analytics
Customer Service
- Case management and escalation
- Knowledge base integration
- Service level agreement tracking
- Customer satisfaction surveys
Marketing Operations
- Campaign management and tracking
- Lead scoring and nurturing
- Email marketing integration
- ROI analysis and reporting
Data Integration
- ERP system synchronization
- Marketing automation platform connection
- Customer support tool integration
- Business intelligence and analytics
Best Practices
- Authentication Security:
  - Use JWT Bearer Flow for server-to-server
  - Implement proper token refresh logic
  - Store credentials securely
  - Monitor API usage and limits
- API Optimization:
  - Use bulk operations for large datasets
  - Implement efficient SOQL queries
  - Cache frequently accessed data
  - Handle rate limits gracefully
- Error Handling:
  - Implement retry logic for transient errors
  - Handle Salesforce maintenance windows
  - Log API errors for debugging
  - Provide meaningful error messages
- Data Governance:
  - Respect field-level security
  - Implement proper data validation
  - Handle sensitive data appropriately
  - Maintain audit trails
Troubleshooting
Common Issues
- Authentication Failures
  - Check Connected App configuration
  - Verify user permissions and profiles
  - Validate OAuth scopes
  - Check IP restrictions
- API Limits
  - Monitor daily API call limits
  - Implement request queuing
  - Use bulk operations where possible
  - Cache data to reduce calls
- Query Performance
  - Optimize SOQL queries
  - Use selective filters
  - Avoid querying large data sets
  - Implement proper indexing
Getting Help
- Documentation: AI Gateway Docs
- Support: support@cequence.ai
- Salesforce Docs: developer.salesforce.com
- Trailhead: trailhead.salesforce.com