How To Generate Salesforce API Credentials

I usually wouldn’t write about such a mundane subject, but given the past several soul sucking hours, I decided I would put in my humanitarian service for the week by telling others how to accomplish what should be a totally trivial task, that just isn’t for generating API credentials.

Given that I’m totally new to Salesforce integrations, I’m sure that someone will come find this post at some point and lambast me for my missteps and miscomprehension. That’s fine, because this post isn’t written for you. It’s written for the thousands of application developers out there who have customers who have unfortunately chosen to use this overpriced behemoth.

Also, big WARNING, it’s apparent from the many stack exchange questions and instruction links that Salesforce changes their shit all the time and doesn’t make any effort to clean up their documentation or ensure the old flow still works. So if you’re reading this around March 2015, then it should be good, otherwise, if the following instructions just don’t match what you see, it’s not you, it’s Salesforce.

For those of you who just need to generate a set of API credentials for their own data automation and synchronization needs:

Step 1:

Create an account. You can create a (free) developer account at

Step 2:

Ignore all the landing pages and getting started crap. It’s an endless marketing loop.

Step 3:

Click the “Setup” link

Step 4:

In the lefthand toolbar, under “Create”, click “Apps”

Step 5:

Under “Connected Apps” click “New”

Step 6:

Fill out the form. Important fields are marked below (you can leave the rest blank)

Step 7:

Be advised that Salesforce has crappy availability.

Step 8:

Press continue. You finally have your key (client id) and secret (client secret).

Step 9:

But wait! You’re not done yet.

Make sure IP restrictions are disabled as well, and make sure that Permitted Users is set to “All users may self-authorize.”

If you’re concerned about disabling security, don’t be for now, you just want to get this working for now so you can make API calls. Tighten permissions once you have everything working, one at a time, so you can figure out what setting is giving you authentication errors.

Step 10:

Celebrate! This curl call should succeed:

curl -v -d “grant_type=password” -d “client_id=YOUR_CLIENT_ID_FROM_STEP_8″ -d “client_secret=YOUR_CLIENT_SECRET_FROM_STEP_8″ -d “” -d “”


- You shouldn’t be doing password authorization if you’re building a multi-tenant app, where users need to authorize their own application. Use the Oauth2 workflow for that.

This entry was posted in Internet, Programming. Bookmark the permalink. Trackbacks are closed, but you can post a comment.


  1. anca
    Posted October 23, 2015 at 11:24 am | Permalink


    This post was just GREAT!
    The only thing I haven’t done was setting Permitted Users to All users may self-authorize …
    Thank you very much!

  2. Cate U
    Posted November 18, 2015 at 6:36 pm | Permalink

    Thanks, I found this very clear & helpful when troubleshooting my access token request! You might want to specify that disabling IP restrictions means setting them to “Relax IP Restrictions”, not the settings shown in the screenshot.

  3. Paul
    Posted November 20, 2015 at 5:31 am | Permalink

    You sir, are a saint. Thank you so much. I was missing the ‘permitted users’ setting.

  4. Gaz
    Posted December 11, 2015 at 4:31 pm | Permalink

    That last bit about the IP and resolved my 2 days of no progress but I also found I needed to ensure the user had access to the app in the user’s roll

  5. Posted December 27, 2015 at 8:31 pm | Permalink

    That was a lifesaver. Thanks for sharing.

  6. Yury
    Posted March 13, 2016 at 7:11 pm | Permalink

    THANK YOU SO MUCH! I wasted 4 hours on step 9. Man, I owe you a beer.

Post a Comment

Your email is never published nor shared. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>