
Collectors

Weylon Solis edited this page Mar 18, 2026 · 1 revision

ForceHound has two collection backends that can run independently or together.

API Collector (--collector api)

Uses simple_salesforce to execute SOQL queries via the Salesforce REST API. Requires admin-level credentials (username/password or session ID with API access).

Collects: Users, Profiles, PermissionSets, PermissionSetGroups, Roles, Groups, GroupMembers, Organization (OWD), EntityDefinitions, ObjectPermissions, FieldPermissions, Connected Applications, Share objects.

forcehound --collector api \
  --instance-url https://myorg.my.salesforce.com \
  --username admin@myorg.com \
  --password 'MyPass' \
  --security-token ABCDEF123 \
  -o output.json

Skip flags

| Flag | Removes | Use case |
|------|---------|----------|
| --skip-object-permissions | SF_Object nodes, all CanRead/CanCreate/CanEdit/CanDelete/CanViewAll/CanModifyAll/CanViewAllFields edges | When you only need identity graph, not CRUD edges |
| --skip-field-permissions | SF_Field nodes, CanReadField/CanEditField/FieldOf edges | When field-level security is not needed |
| --skip-entity-definitions | InternalSharingModel/ExternalSharingModel/KeyPrefix enrichment on SF_Object nodes | When sharing model analysis is not needed |
| --skip-shares | SF_Record nodes, Owns/ExplicitAccess/InheritsAccess edges | When record-level sharing paths are not needed |

Aura Collector (--collector aura)

Uses aiohttp to call Salesforce Lightning/Aura endpoints. Works with low-privilege browser session tokens — no admin access required.

Collects: Users, Profiles, Roles, Groups, GroupMembers, Organization, NamespacedObjects. Optionally: CRUD probing.

forcehound --collector aura \
  --instance-url https://myorg.lightning.force.com \
  --session-id '00DgL...!AQEAQ...' \
  --aura-context '{"mode":"PROD",...}' \
  --aura-token 'eyJ...' \
  -o output.json

Getting Aura credentials: Open your Salesforce org in a browser, open DevTools (F12) > Network tab, find any request to /aura, and extract:

  • Host header → --instance-url
  • sid cookie → --session-id
  • aura.context form field → --aura-context
  • aura.token form field → --aura-token
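
The mapping above as an added example (not part of ForceHound): it parses one raw /aura request copied from DevTools and builds the shell-quoted command line. The function names and the sample request are assumptions made for illustration, and every value in the sample is constructed.

```python
import shlex
from urllib.parse import parse_qs

# Constructed sample of a raw /aura request; every value here is fake.
SAMPLE_REQUEST = (
    "POST /aura?r=1 HTTP/1.1\r\n"
    "Host: myorg.lightning.force.com\r\n"
    "Cookie: BrowserId=abc123; sid=00DFAKE!FAKESESSION; oid=00DFAKE\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "\r\n"
    "aura.context=%7B%22mode%22%3A%22PROD%22%2C%22x%22%3A%22constructed%22%7D"
    "&aura.token=eyJFAKE.TOKEN"
)

def parse_aura_request(raw):
    """Return the four Aura collector flags found in one raw HTTP request."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        # HTTP/2 captures show ":authority" where HTTP/1.1 shows "Host"
        name, _, value = line.lstrip(":").partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        key, _, value = pair.strip().partition("=")
        cookies[key] = value
    form = parse_qs(body.strip())  # URL-decodes the form fields
    host = headers.get("host") or headers.get("authority")
    found = {
        "--instance-url": "https://" + host if host else None,
        "--session-id": cookies.get("sid"),
        "--aura-context": form.get("aura.context", [None])[0],
        "--aura-token": form.get("aura.token", [None])[0],
    }
    missing = [flag for flag, value in found.items() if not value]
    if missing:
        raise ValueError("request is missing: " + ", ".join(missing))
    return found

def forcehound_command(raw, output="output.json"):
    """Build the shell-quoted forcehound invocation for the Aura collector."""
    args = ["forcehound", "--collector", "aura"]
    for flag, value in parse_aura_request(raw).items():
        args += [flag, value]
    return shlex.join(args + ["-o", output])

if __name__ == "__main__":
    print(forcehound_command(SAMPLE_REQUEST))
```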

Both Collector (--collector both)

Runs Aura first (identity graph), then supplements with API queries that Aura cannot cover (ObjectPermissions, FieldPermissions, EntityDefinitions, Shares, ConnectedApps, PermissionSetGroups).

forcehound --collector both \
  --instance-url https://myorg.lightning.force.com \
  --session-id '00DgL...!AQEAQ...' \
  --aura-context '{"mode":"PROD",...}' \
  --aura-token 'eyJ...' \
  --api-instance-url https://myorg.my.salesforce.com \
  --username admin@myorg.com \
  --password 'MyPass' \
  --security-token ABCDEF123 \
  -o output.json

The graph is merged by node ID — no duplicates. Aura-sourced and API-sourced edges coexist.
