jaganpro/sf-connected-apps
skills/sf-connected-apps/SKILL.md
Salesforce Connected Apps and OAuth configuration with 120-point scoring. TRIGGER when: user configures OAuth flows, JWT bearer auth, Connected Apps, or touches .connectedApp-meta.xml / .eca-meta.xml files. DO NOT TRIGGER when: Named Credentials for callouts (use sf-integration), permission policies (use sf-permissions), or API endpoint code (use sf-apex).
$ install --global
skillsauthnpx skillsauth add jaganpro/sf-skills sf-connected-appsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 8:00 PM34.8s8 files scanned
SKILL.md
- name:
- sf-connected-apps
- description:
- >
- TRIGGER when:
- user configures OAuth flows, JWT bearer auth, Connected Apps,
- DO NOT TRIGGER when:
- Named Credentials for callouts (use sf-integration),
- license:
- MIT
- allowed-tools:
- Bash Read Write Edit Glob Grep WebFetch AskUserQuestion TodoWrite
- version:
- 1.1.0
- author:
- Jag Valaiyapathy
- scoring:
- 120 points across 6 categories
sf-connected-apps: Salesforce Connected Apps & External Client Apps
Use this skill when the user needs OAuth app configuration in Salesforce: Connected Apps, External Client Apps (ECAs), JWT bearer setup, PKCE decisions, scope design, or migration from older Connected App patterns to newer ECA patterns.
When This Skill Owns the Task
Use sf-connected-apps when the work involves:
.connectedApp-meta.xmlor.eca-meta.xmlfiles- OAuth flow selection and callback / scope setup
- JWT bearer auth, device flow, client credentials, or auth-code decisions
- Connected App vs External Client App architecture choices
- consumer-key / secret / certificate handling strategy
Delegate elsewhere when the user is:
- configuring Named Credentials or runtime callouts → sf-integration
- analyzing access / permission policy assignments → sf-permissions
- writing Apex token-handling code → sf-apex
- deploying metadata to orgs → sf-deploy
First Decision: Connected App or External Client App
| If the need is... | Prefer | |---|---| | simple single-org OAuth app | Connected App | | new development with better secret handling | External Client App | | multi-org / packaging / stronger operational controls | External Client App | | straightforward legacy compatibility | Connected App |
Default guidance:
- choose ECA for new regulated, packageable, or automation-heavy solutions
- choose Connected App when simplicity and legacy compatibility matter more
- Spring ’26 note: creation of new Connected Apps is disabled by default in orgs. For new integrations, prefer External Client Apps unless Connected App compatibility is explicitly required.
Required Context to Gather First
Ask for or infer:
- app type: Connected App or ECA
- OAuth flow: auth code, PKCE, JWT bearer, device, client credentials
- client type: confidential vs public
- callback URLs / redirect surfaces
- required scopes
- distribution model: local org only vs packageable / multi-org
- whether certificates or secret rotation are required
Recommended Workflow
1. Choose the app model
Decide whether a Connected App or ECA is the better long-term fit.
2. Choose the OAuth flow
| Use case | Default flow | |---|---| | backend web app | Authorization Code | | SPA / mobile / public client | Authorization Code + PKCE | | server-to-server / CI/CD | JWT Bearer | | device / CLI auth | Device Flow | | service account style app | Client Credentials (typically ECA) |
3. Start from the right template
Use the provided assets instead of building from scratch:
assets/connected-app-basic.xmlassets/connected-app-oauth.xmlassets/connected-app-jwt.xmlassets/external-client-app.xmlassets/eca-global-oauth.xmlassets/eca-oauth-settings.xmlassets/eca-policies.xml
If you need source-controlled ECA OAuth security metadata, retrieve it from an org first and treat the retrieved file as the schema source of truth:
sf project retrieve start --metadata ExtlClntAppOauthSecuritySettings:<AppName> --target-org <alias>
4. Apply security hardening
Favor:
- least-privilege scopes
- explicit callback URLs
- PKCE for public clients
- certificate-based auth where appropriate
- rotation-ready secret / key handling
- IP restrictions when realistic and maintainable
5. Validate deployment readiness
Before handoff, confirm:
- metadata file naming is correct
- scopes are justified
- callback and auth model match the real client type
- secrets are not embedded in source
High-Signal Security Rules
Avoid these anti-patterns:
| Anti-pattern | Why it fails |
|---|---|
| wildcard / overly broad callback URLs | token interception risk |
| Full scope by default | unnecessary privilege |
| PKCE disabled for public clients | code interception risk |
| consumer secret committed to source | credential exposure |
| no rotation / cert strategy for automation | brittle long-term ops |
Default fix direction:
- narrow scopes
- constrain callbacks
- enable PKCE for public clients
- keep secrets outside version control
- use JWT certificates or controlled secret storage where appropriate
Metadata Notes That Matter
Connected App
Usually lives under:
force-app/main/default/connectedApps/
External Client App
Current source-supported ECA metadata uses multiple top-level source directories, not a single externalClientApps/ folder:
force-app/main/default/externalClientApps/→ExternalClientApplication(.eca-meta.xml)force-app/main/default/extlClntAppGlobalOauthSets/→ExtlClntAppGlobalOauthSettings(.ecaGlblOauth-meta.xml)force-app/main/default/extlClntAppOauthSettings/→ExtlClntAppOauthSettings(.ecaOauth-meta.xml)force-app/main/default/extlClntAppOauthSecuritySettings/→ExtlClntAppOauthSecuritySettings(.ecaOauthSecurity-meta.xml)force-app/main/default/extlClntAppOauthPolicies/→ExtlClntAppOauthConfigurablePolicies(.ecaOauthPlcy-meta.xml)force-app/main/default/extlClntAppPolicies/→ExtlClntAppConfigurablePolicies(.ecaPlcy-meta.xml)
Important file-name gotchas:
- the global OAuth suffix is
.ecaGlblOauth, not.ecaGlobalOauth - the general policy suffix is
.ecaPlcy, not.ecaPolicy - use
.ecaOauthSecurityforExtlClntAppOauthSecuritySettings
Output Format
When finishing, report in this order:
- App type chosen
- OAuth flow chosen
- Files created or updated
- Security decisions
- Next deployment / testing step
Suggested shape:
App: <name>
Type: Connected App | External Client App
Flow: <oauth flow>
Files: <paths>
Security: <scopes, PKCE, certs, secrets, IP policy>
Next step: <deploy, retrieve consumer key, or test auth flow>
Cross-Skill Integration
| Need | Delegate to | Reason | |---|---|---| | Named Credential / callout runtime config | sf-integration | runtime integration setup | | deploy app metadata | sf-deploy | org validation and deployment | | Apex token or refresh handling | sf-apex | implementation logic | | permission review after deployment | sf-permissions | access governance |
Reference Map
Start here
- references/oauth-flows-reference.md
- references/security-checklist.md
- references/testing-validation-guide.md
Migration / examples
- references/migration-guide.md
- references/example-usage.md
- assets/
Score Guide
| Score | Meaning | |---|---| | 80+ | production-ready OAuth app config | | 54–79 | workable but needs hardening review | | < 54 | block deployment until fixed |
Related Skills
jaganpro/sf-lwc
development
VerifiedTrustedCommunity
Lightning Web Components with PICKLES methodology and 165-point scoring. TRIGGER when: user creates/edits LWC components, touches lwc/**/*.js, .html, .css, .js-meta.xml files, or asks about wire service, SLDS, or Jest LWC tests. DO NOT TRIGGER when: Apex classes (use sf-apex), Aura components, or Visualforce.
394SKILL.mdUpdated Apr 5, 2026
jaganpro/sf-ai-agentforce-grid
tools
VerifiedTrustedCommunity
Use this skill whenever users want to build, inspect, debug, automate, or publish workflows in Agentforce Grid (AI Workbench) using Salesforce plus the Grid MCP or direct Grid REST calls. Trigger it for Grid workbook creation, worksheet setup, Object/Reference/AI/Agent/AgentTest/Evaluation/PromptTemplate/InvocableAction column design, prompt drafting inside Grid, worksheet execution troubleshooting, Grid YAML `apply_grid` specs, and Windows-specific Grid setup issues. Also use it when users mention AI Workbench, Grid Studio, workbook IDs, worksheet IDs, Grid Connect, or ask for recipes like "top opportunities with AI email drafts", "agent test suite in Grid", or "build this worksheet from YAML". Do not use it for generic Salesforce work unrelated to Agentforce Grid.
372SKILL.mdUpdated Apr 23, 2026
jaganpro/sf-flex-estimator
development
VerifiedTrustedCommunity
Salesforce Flex Credit estimation for Agentforce and Data Cloud workloads. TRIGGER when: user needs cost projections, scenario planning, budget sizing, or architecture tradeoff analysis for Agentforce prompts/actions, Data Cloud meters, or monthly Flex Credit usage. DO NOT TRIGGER when: user is building Agentforce metadata or .agent files themselves (use sf-ai-agentforce or sf-ai-agentscript), implementing Data Cloud assets (use sf-datacloud-*), or asking for contract-specific commercial approval that depends on non-public pricing terms.
366SKILL.mdUpdated Apr 22, 2026
jaganpro/sf-permissions
testing
VerifiedTrustedCommunity
Permission Set analysis, hierarchy viewer, and access auditing. TRIGGER when: user asks "who has access to X?", analyzes permission sets/groups, or touches .permissionset-meta.xml / .permissionsetgroup-meta.xml files. DO NOT TRIGGER when: creating new metadata (use sf-metadata), deploying permission sets (use sf-deploy), or Apex sharing logic (use sf-apex).
366SKILL.mdUpdated Apr 5, 2026