Salesforce Connected App Changes - What to know for your Salesforce Integration
Salesforce's 2025 change to Connected Apps spells big changes for how to build Salesforce integrations. Read about everything you need to stay on top of these changes and keep your Salesforce integration running smoothly.

Jack Mu, Developer Advocate
5 mins to read
When Salesforce made their September 2025 announcement [1] on Connected App changes, our team sprang into action to make sure our customers building Salesforce integrations knew how to keep their integrations working.
This security-focused change by Salesforce forces migration to their new install flow and packaging standards. Though Salesforce may have understated it, failure to adapt to these standards means no new users will be able to use your Salesforce integration!

Sharing our learnings, here’s everything you need to know about building/maintaining a Salesforce integration according to the new changes:
- The Salesforce Changes TL;DR
- What to know for building a new Salesforce integration
- What to know for migrating an existing Salesforce integration
- What your users need to do
Salesforce Changes TL;DR
Salesforce has imposed tighter restrictions on 3rd-party applications integrating with their platform, not without reason. According to Salesforce Ben’s report [2], hackers and social engineering attacks prompted Salesforce to impose restrictions on “uninstalled apps” and to require Salesforce admins to carefully review connected OAuth applications.

Under these new September 2025 restrictions:
1. Only Installed Connected Apps can be used to build Salesforce integrations
2. For new users, Salesforce admins need to either install your Connected Apps for your Salesforce integration OR grant one of two user permissions: Approve Uninstalled Connected Apps or Use Any API Client
3. Existing users of your Salesforce integration do not need to install packages and will be unaffected as long as they are not using OAuth 2.0 device flow
If you have an existing Salesforce integration, you may have encountered this error for some users and not others: OAUTH_APPROVAL_ERROR_GENERIC
Because existing users are unaffected by these changes (point 3), they can authenticate into your Salesforce integration without a problem. New users, however, will encounter the OAUTH_APPROVAL_ERROR_GENERIC error. Your new users’ Salesforce admin needs to install your Connected App following Salesforce’s new standards (point 2).
Whether you’re building your first Salesforce integration or maintaining an existing one, both parties will need to take the outlined steps to allow new users to integrate their Salesforce accounts.
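To stop new users from hitting a dead end on this error, your integration's OAuth callback can recognize it and hand the user your package's install link. The sketch below is an added example, not code from Salesforce or from this guide's product. It assumes the error code reaches your callback in the standard OAuth 2.0 `error` query parameter, and the client ID, callback URL and install URL are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Salesforce's production OAuth 2.0 authorization endpoint.
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
APPROVAL_ERROR = "OAUTH_APPROVAL_ERROR_GENERIC"  # error code named in this article


def build_authorize_url(client_id, callback_url):
    """Return (url, state). Store state in the user's session before redirecting."""
    state = secrets.token_urlsafe(32)  # unguessable; binds the callback to this session
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": callback_url,  # must match the app's Callback URL
        "scope": "api",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def handle_callback(request_url, expected_state, install_url):
    """Classify one callback request. install_url is your package's Install URL."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    # Check state first so a forged callback cannot drive any branch below.
    got = params.get("state", "")
    if not expected_state or not hmac.compare_digest(got.encode(), expected_state.encode()):
        return {"status": "rejected", "reason": "state_mismatch"}
    error = params.get("error")  # assumption: the code arrives in the `error` parameter
    if error == APPROVAL_ERROR:
        # New user whose org has not installed the app: route them to their admin.
        return {"status": "admin_install_required", "install_url": install_url}
    if error:
        return {"status": "failed", "error": error}
    if "code" not in params:
        return {"status": "failed", "error": "missing_code"}
    return {"status": "ok", "code": params["code"]}


if __name__ == "__main__":
    # Constructed sample values; the client id and URLs are placeholders.
    cb = "https://app.example.com/oauth/callback"
    url, state = build_authorize_url("PLACEHOLDER_CLIENT_ID", cb)
    print(url)
    print(handle_callback(f"{cb}?error={APPROVAL_ERROR}&state={state}", state,
                          "https://example.com/PLACEHOLDER_INSTALL_URL"))
```

Existing users' callbacks fall through to the `ok` branch unchanged, which matches the "some users and not others" pattern described above.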

If you’re building your first integration, read the section on What to know for building a new Salesforce integration
If you’re maintaining an existing integration, skip to the section on What to know for migrating an existing Salesforce integration
Salesforce Glossary
Here’s a short glossary on Salesforce-specific terms for reference:
Term | Definition |
---|---|
1st vs 2nd Generation Packages | 1st generation packaging has more restrictions with the package org responsible for ownership, versioning, and limited namespace options. 2nd generation packaging puts more control in the installed org, where DevHub owns the package and you have more flexibility on versioning (i.e. different users can have different versions of your app) [3]. |
Connected App | Salesforce’s 1st iteration of external apps that can connect to Salesforce data. Connected Apps do not have developer/user roles and use 1st generation packaging. There is however a workaround for 2nd generation packaging where the package references a 1st generation package [4]. |
External Client App (ECA) | Salesforce’s 2nd iteration of external apps, built with more robust security and packaging options. ECAs have distinct developer/user roles and use 2nd generation packaging, which means your app can be deployed in other orgs with flexible version control [4]. |
Managed Package | ZIP archive with your Salesforce integration’s metadata, including Connected Apps, object definitions, and views. Your managed package can be distributed and installed in other Salesforce Orgs and listed on the AppExchange [5]. |
Production Org | The environment for finished packages and apps. Your sales and marketing team’s day-to-day driver. |
Developer Edition (DE) Org | Offers parity with many Enterprise Org features without the price tag, so developers can develop Connected Apps, build packages, and publish on AppExchange. The DE org does have less support for source tracking and limited data storage (200 MB) [6]. |
Installing (Managed Packages) | Your users’ Salesforce admin will install your managed package from an install link or the AppExchange to their Salesforce org. There are different packaging protocols for Connected Apps vs ECAs (1st vs 2nd generation packaging). This was not necessary pre-change. |
OAUTH_APPROVAL_ERROR_GENERIC | Generic error new users will encounter using the old Salesforce OAuth standards without the new install requirement. |
What to know for building a new Salesforce integration
If you’re building a Salesforce integration for the first time, the first step is to create a Connected App.
1. Sign up for the Developer Edition of Salesforce
2. Create a Connected App or ECA (depending on your developer preferences and packaging requirements - Salesforce has been pushing developers toward ECAs)
   - To create a Connected App, go to Setup > External Client App Settings > flip on Allow creation of connected apps. You can now click New Connected App.
   - To create an ECA, go to Setup > App Manager and click on New External Client App on the right.
3. Configure your Connected App with OAuth connections
   - Check Enable OAuth Settings
   - Specify your Callback URL
   - Choose your required OAuth Scopes (you generally want the api scope)
You now have a Connected App that your users can OAuth your integration with. Scroll down to the For unpackaged Connected Apps section to package your new Connected App for your users to install.
What to know for migrating an existing Salesforce integration
Salesforce has been around since 1999, meaning they have implemented many different standards for connecting with their platform throughout the years.
No matter what type of app and generation your current app is on, your team will want to start from a Developer Edition Salesforce Org. Connected Apps from Production Orgs are not currently compatible with the packaging requirement of the new Salesforce change.
If you’re already on a Developer Edition Org, skip to one of these sections depending on where you are:
- For Unpackaged Connected Apps
- For 2nd Generation Packaged Connected Apps
Note for Production Org developers
If your app is currently on a Production Org, unfortunately this does mean creating a new Connected App with new credentials. As mentioned in the TL;DR section, your existing users can continue using your old app in your Production Org even under the new changes. For new users, however, you would need a new Connected App (or a workaround we outline below).
Scroll to our What to know for building a new Salesforce integration above for instructions on signing up for Developer Edition and creating a new Connected App.

For Unpackaged Connected Apps
If you have a Connected App, you will need to package it to allow your users to install the package to their Salesforce org.
Create a package for your Connected App:
1. Go to Setup > Package Manager
2. Create a Namespace under Namespace Settings with your company name
3. Under First Generation Packages, click New
4. Under Components, click Add and select Connected App for Component Type
5. Add your newly created Connected App to the package
6. Navigate back to the Package settings and click Upload
7. In the Upload Package section, select Managed - Released as the Release Type
8. No need to configure Requirements; click on Upload
9. Salesforce will email a confirmation with the Install URL
Your users can now use the install URL to install your package to their org!
For 2nd Generation Packaged Salesforce Connected Apps
If you are starting here, migrating to the new standards can be done with just a few clicks [7]!
1. Navigate to Setup > App Manager
2. Click on your Connected App and click on Migrate to External Client App
3. Confirm that your Connected App is local and does NOT use the username-password flow
4. Click Migrate and a window should open with a link to the new ECA
ECAs use 2nd Generation packaging which means your users can now install your package to their Salesforce Org.
What Your Users Need To Do
Your team has worked to package your Connected App. Your users now need to install your package to their Salesforce Org before your app can integrate with their Salesforce.
After your users’ Salesforce admin receives your install link, they will be taken through the installation process.

In your communications to your users, you can relay:
- They can Install for Admins Only if desired; this will only affect visibility of your app, not functionality
- Check the Non-Salesforce Application before clicking Install
After successfully installing, your users can OAuth your integration in your main application!
Wrapping Up
That’s everything you need to know about building Salesforce integrations under the new changes! In summary,
1. Start with a Developer Edition Salesforce Org
2. Create a Connected App (if you don’t have an existing one)
3. Package your Connected App (or ECA)
4. Have your users’ Salesforce admin install your managed package
If you’re scaling the number of integrations your SaaS product offers - like Salesforce, Hubspot, and other CRMs - and you don’t want to manage user authentication, scaling, rate-limits, and other integration-related challenges, Paragon is the integration infrastructure that makes it easy to build integrations in days, not months.

See if Paragon can help you build your product integrations with our free trial or book a demo to talk to our team.
Appendix
Workarounds
As outlined in Salesforce’s article for admins, there are a few permissions workarounds that you can instruct your users’ admin to take to work around packaging your Connected App:
- Approve Uninstalled Connected Apps
- Use Any API Client (we will not be going over this method as it allows uninstalled and blocked apps alike)
These are temporary solutions, as packaging your Connected App and adhering to Salesforce’s changes are recommended for future integration development.
That being said, to use your Connected App without installing a package, your users’ admin can take the following steps.
1. Go to Setup > Permission Sets
2. Create a new or edit an existing permission set
3. Enable uninstalled App Permission
   - Go to System Permissions > Edit
   - Select Approve Uninstalled Connected Apps and click Save
4. Assign the permission set to at least 1 user
   - Go to Manage Assignments > Add Assignments
   - Select 1+ user(s) and Assign
5. Now on your end, go to the Salesforce integration settings in your Connected App to connect the account that was added to the permission set.
6. Your users’ Salesforce admin should now visit Setup > Apps > Connected Apps > Connected Apps OAuth Usage
   - Click Install for your app
7. Once installed, the permission set can be deleted
Sources & Acknowledgements
[1] Salesforce 2025 announcement on Connected App changes - https://help.salesforce.com/s/articleView?id=005132365&type=1
[2] Salesforce Ben’s report on Salesforce changes - https://www.salesforceben.com/salesforce-hardens-connected-apps-security-amid-social-engineering-attacks/
[3] 1st vs 2nd generation packages - https://developer.salesforce.com/docs/atlas.en-us.pkg2_dev.meta/pkg2_dev/sfdx_dev_dev2gp_comparison.htm
[4] Connected App vs ECA - https://help.salesforce.com/s/articleView?id=xcloud.connected_apps_and_external_client_apps_features.htm&type=5
[5] Salesforce Package definition - https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_manpkgs_dev.htm
[6] What is a DE Org - https://www.apexhours.com/salesforce-developer-edition-org/#h-what-is-a-developer-edition-org
[7] Migrating to ECA - https://help.salesforce.com/s/articleView?id=xcloud.migrate_connected_app_to_external_client_app.htm&type=5
[8] Changes to Connected Apps for admins - https://admin.salesforce.com/blog/2025/get-ready-for-changes-to-connected-app-usage-restrictions