These instructions were created with a production Salesforce instance. Any differences for a sandbox instance are called out specifically.
Unlike Microsoft 365 or Google Workspace, Caddi does not provide a pre-registered “standard” Salesforce connector. Every organization must configure its own custom OAuth app in Salesforce. This approach gives your IT team full control over scopes, security policies, and lifecycle management of the app.
This guide walks you through the steps to create and configure the required app in Salesforce, then connect it to Caddi.
The setup must be performed by an admin with App Manager permissions.
All instructions were validated against a production Salesforce instance; where sandbox configuration differs, the guide explicitly calls it out.
Terminology note: when a checkbox setting is mentioned, “enabled” means checked and “disabled” means unchecked.
Once complete, Caddi will use your custom OAuth app to securely access Salesforce data within the limits of the permissions you define.
OAuth App Setup in Salesforce
This process requires App Manager permissions in Salesforce. Several admin-level permission profiles and permission sets provide this by default, such as System Administrator.
When an instruction relates to a checkbox, the wording enabled and disabled will be used to reflect the checked and unchecked states respectively.
Create The Application
1. Log in to your Salesforce instance
2. In the upper right, click the gear icon (⚙️) and then Setup
3. In the setup page’s left sidebar, expand Apps and then click on App Manager
4. On the App Manager page, click the New External Client App button in the upper right.
Configure the application settings
Basic Information
Caddi recommends the following configuration for the Basic Information section:
External Client App Name: Caddi Auth
API Name: Caddi_Auth (Salesforce will auto-generate this for you)
Contact Email: The email address of your IT department, admin, or equivalent.
Contact Phone: Optional, recommended to use the number related to the Contact Email used
Distribution State: Local
Info URL: https://trycaddi.com
Logo Image URL and Icon URL: Optional, recommended to use Caddi's logo for both: https://assets.www.trycaddi.com/logo/CaddiLogo.png
Description: OAuth application for trycaddi.com
API (Enable OAuth Settings)
Ensure the `Enable OAuth` checkbox is ticked.
App Settings
Callback URL: https://app.trycaddi.com/oauth-callback
OAuth Scopes: select the desired scopes in the left Available OAuth Scopes box and use the ▶️ button to move them to the Selected OAuth Scopes box
These scopes are required in order for users to properly sign in to the application:
* Access the identity URL service (id, profile, email, address, phone)
* Access unique user identifiers (openid)
* Perform requests at any time (refresh_token, offline_access)
For Salesforce platform interaction permissions, Caddi recommends using the Full access (full) scope.
If you do not wish to use the full scope, select at least the following scopes and use the ▶️ button to move them into the Selected OAuth Scopes column:
* Access custom permissions (custom_permissions)
* Access the Salesforce API Platform (sfap_api)
* Manage user data via APIs (api)
Introspect all Tokens and Configure ID token: leave disabled
Flow Enablement
No options should be enabled here.
Security
Require secret for Web Server Flow: enabled
Require secret for Refresh Token Flow: enabled
Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows: enabled
Other Settings
No other settings (SAML, mobile app, notifications, etc.) on this page need to be enabled.
Finalize App Creation
Click the Create button at the bottom of the page to create the Caddi OAuth application. You will be brought to a new page with App Policies and OAuth Policies for the app.
Click the Edit button in the upper right of the Policies tab.
App Policies
No changes in this section.
OAuth Policies
Two settings in this section need to be changed to prevent unexpected user deauthorizations.
Refresh Token Policy: Refresh token is valid until revoked
IP Relaxation: Relax IP restrictions
Org-level settings
This process takes place from the Session page. If you are not on the correct page, navigate to Setup and locate the "Security" section. Open that section, and locate the "Session Settings".
1. Navigate to Session Settings from the Setup view
2. Under the Session Settings header, disable Lock sessions to the domain in which they were first used
3. Click Save at the bottom of the page
Generating client ID and client secret
These values are sensitive - NEVER send them to anyone via email or instant messenger. Use a password manager or other secret management tool to share these values securely if needed.
Now that the app is set up, some information needs to be collected to configure the OAuth application itself in the Caddi website.
To do this, navigate to the Settings tab of the application.
Scroll down to OAuth Settings and click on the Consumer Key and Secret button. Note that Salesforce will likely require you to re-authenticate at this point, as this is revealing sensitive data.
On this new page, copy the Consumer Key and Consumer Secret - these are the Client ID and Client Secret you will enter in the Caddi website.
These values will be used in the next step. You do not need to save them anywhere for this, and should not paste them into notes, documentation, or other areas. These values are sensitive and should be treated like admin passwords - if you do wish to save or share them, use a password manager or other secure method to do so.
If there are no values or you have accidentally shared these in an insecure way, use the Generate button to create new values. Note that if you apply new generated values, you will have to re-configure your application in Caddi with them.
Application Setup in Caddi
Now that the app is configured in Salesforce, it can be added to Caddi.
This step must be completed by an organization owner or admin.
1. Navigate to https://trycaddi.com and log in
2. On the left, select the Integrations option
3. Click on the Integrations Setup tab at the top of the page.
* This option only appears for admins and owners.
4. Scroll down to the Salesforce integration and click the Configure button to expand the options.
5. Enter in the information for your Salesforce application
    * Client ID - this is the Consumer Key value outlined in the Generating client ID and client secret section above
    * Client Secret - this is the Consumer Secret value outlined in the Generating client ID and client secret section above
    * Scopes - varies depending on your scope selection during app setup
        * If you used the recommended full scope, leave this box empty.
        * If you used the alternative scopes outlined above, enter openid id refresh_token offline_access custom_permissions sfap_api api
        * If you used a different set of scopes than is outlined in this documentation, you will need to enter all of their names here. You must include openid id refresh_token offline_access regardless of other scopes.
    * Sandbox Environment - (Optional) if the app is configured in your Salesforce Sandbox environment, enable this toggle
        * If this is enabled, a new Instance URL input will become visible. For this input use the URL you use to log in to your sandbox environment, e.g. https://mysalesforceorg--dev2025.sandbox.my.salesforce.com/
6. Click the Save Configuration button
7. You should now see your newly-created connection at the top of the page in the Configured Enterprise Connectors section.
8. Go back to the My Connections tab at the top of the page, and on the connections page locate the Salesforce integration then click the Connect + button.
9. You will be directed to a Salesforce login page. Enter your information and login.
10. (First time authorizing only) After clicking login you will be directed to a page confirming the access the Caddi Auth app is requesting. Click Allow
11. You will be directed back to the Caddi app and should see a green popup indicating the connection was successful, and the Salesforce integration will appear in the top Connected Applications section.
You are now ready to automate Salesforce!
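The following added example, which is not Caddi or Salesforce code, cross-checks the text entered in the Caddi Scopes box against the set of scopes moved to Selected OAuth Scopes on the Salesforce app, using only the scope names in this guide. The function name `check_scopes`, the sample values, and the assumption that Salesforce refuses a scope that was not selected on the app are the example's own.

```python
# Added example: pre-flight check for the Scopes box in Caddi's Salesforce integration.
REQUIRED_SIGN_IN = ("openid", "id", "refresh_token", "offline_access")
ALTERNATIVE_PLATFORM = ("custom_permissions", "sfap_api", "api")

# Constructed sample: the guide's alternative (non-full) scope selection.
SAMPLE_BOX = "openid id refresh_token offline_access custom_permissions sfap_api api"
SAMPLE_SELECTED = set(SAMPLE_BOX.split())


def check_scopes(caddi_scopes, selected_in_salesforce):
    """Return a list of problems (empty list: Caddi box and app scopes agree)."""
    problems = []
    tokens = caddi_scopes.split()

    # The app must always carry the sign-in scopes.
    for scope in REQUIRED_SIGN_IN:
        if scope not in selected_in_salesforce:
            problems.append(f"Salesforce app is missing required scope '{scope}'")

    if not tokens:
        # The guide says to leave the box empty only with the full scope.
        if "full" not in selected_in_salesforce:
            problems.append("Scopes box is empty but the app does not have 'full'")
        return problems

    seen = set()
    for scope in tokens:
        if scope in seen:
            problems.append(f"duplicate scope '{scope}' in Scopes box")
        seen.add(scope)
        # Assumption: a scope requested but not selected on the app is refused.
        if scope not in selected_in_salesforce:
            problems.append(f"'{scope}' requested but not selected on the app")

    for scope in REQUIRED_SIGN_IN:
        if scope not in seen:
            problems.append(f"Scopes box is missing required scope '{scope}'")

    # Without full, the guide asks for at least the alternative platform scopes.
    missing = [s for s in ALTERNATIVE_PLATFORM if s not in seen]
    if "full" not in seen and missing:
        problems.append("platform scopes below the guide's minimum: " + " ".join(missing))
    return problems


if __name__ == "__main__":
    print(check_scopes(SAMPLE_BOX, SAMPLE_SELECTED) or "scopes are consistent")
```

Running the check before saving the configuration in Caddi catches a mismatch between the two sides without needing the Consumer Key or Consumer Secret.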























