From d554f949d33c678345f8375d10fcf96a82d33073 Mon Sep 17 00:00:00 2001 From: Roberto Oliveros Date: Thu, 11 Jun 2026 09:23:35 -0600 Subject: [PATCH 1/4] docs(salesforce): add Connected App setup instructions Co-Authored-By: Claude Sonnet 4.6 --- packages/v1-ready/salesforce/README.md | 30 +++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/packages/v1-ready/salesforce/README.md b/packages/v1-ready/salesforce/README.md index 30a1f5b..045b40b 100644 --- a/packages/v1-ready/salesforce/README.md +++ b/packages/v1-ready/salesforce/README.md @@ -3,4 +3,32 @@ This is the API Module for salesforce that allows the [Frigg](https://friggframework.org) code to talk to the salesforce API. -Read more on the [Frigg documentation site](https://docs.friggframework.org/api-modules/list/salesforce \ No newline at end of file +Read more on the [Frigg documentation site](https://docs.friggframework.org/api-modules/list/salesforce + +## Salesforce Connected App Setup + +This module requires a Salesforce Connected App to authenticate via OAuth 2.0. + +### App type: use "New Connected App" (not "External Client App") + +Salesforce offers two app types — the choice matters for cross-org OAuth: + +- **New Connected App** (`Setup → Apps → External Client Apps → Settings → New Connected App`) — supports OAuth across **multiple Salesforce orgs**. This is what you need so that users from any org can authorize the integration. +- **External Client App** (created directly under `Setup → Apps → External Client Apps`) — only works **within the same org** it was created in. Do not use this type for a multi-tenant integration. + +### Required OAuth scopes + +When configuring the Connected App, add both of the following scopes: + +- **Full access (`full`)** +- **Perform requests at any time (`refresh_token, offline_access`)** + +### Refresh token expiry + +In the Connected App's OAuth policies, set **Refresh Token Policy** to **"Refresh token is valid until revoked"**. This prevents the refresh token from expiring on a schedule and breaking the integration unexpectedly. + +### Marketing User requirement + +The Salesforce user who authorizes the OAuth connection must be marked as a **Marketing User**. This grants the integration permission to create and manage Campaigns in Salesforce — without it, campaign creation will fail. + +To enable it: **Setup → Users → [user] → Edit → Advanced User Details → Marketing User ✓** \ No newline at end of file From 95c3772d8e7ec197f355a437c6cecfd097349b4b Mon Sep 17 00:00:00 2001 From: Roberto Oliveros Date: Thu, 11 Jun 2026 09:44:31 -0600 Subject: [PATCH 2/4] docs(salesforce): recommend dedicated API user, clarify Marketing User for dev Co-Authored-By: Claude Sonnet 4.6 --- packages/v1-ready/salesforce/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/v1-ready/salesforce/README.md b/packages/v1-ready/salesforce/README.md index 045b40b..b81f87b 100644 --- a/packages/v1-ready/salesforce/README.md +++ b/packages/v1-ready/salesforce/README.md @@ -31,4 +31,6 @@ In the Connected App's OAuth policies, set **Refresh Token Policy** to **"Refres The Salesforce user who authorizes the OAuth connection must be marked as a **Marketing User**. This grants the integration permission to create and manage Campaigns in Salesforce — without it, campaign creation will fail. -To enable it: **Setup → Users → [user] → Edit → Advanced User Details → Marketing User ✓** \ No newline at end of file +**For production / customer orgs:** create a dedicated API user for the integration and enable Marketing User on that account (**Setup → Users → [user] → Edit → Advanced User Details → Marketing User ✓**). Using a dedicated user isolates the integration's permissions and avoids the connection breaking if a real user's account is deactivated. + +**For development / testing:** enable Marketing User on your own Salesforce account before going through the OAuth flow. \ No newline at end of file From 9cbb16240b2cc4df1095ae296edd36ac6ce0904b Mon Sep 17 00:00:00 2001 From: Roberto Oliveros Date: Thu, 11 Jun 2026 10:38:52 -0600 Subject: [PATCH 3/4] =?UTF-8?q?docs(salesforce):=20rewrite=20permissions?= =?UTF-8?q?=20guidance=20=E2=80=94=20conditional=20by=20object,=20add=20in?= =?UTF-8?q?tegration=20user=20note?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- packages/v1-ready/salesforce/README.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/packages/v1-ready/salesforce/README.md b/packages/v1-ready/salesforce/README.md index b81f87b..98a20c2 100644 --- a/packages/v1-ready/salesforce/README.md +++ b/packages/v1-ready/salesforce/README.md @@ -27,10 +27,19 @@ When configuring the Connected App, add both of the following scopes: In the Connected App's OAuth policies, set **Refresh Token Policy** to **"Refresh token is valid until revoked"**. This prevents the refresh token from expiring on a schedule and breaking the integration unexpectedly. -### Marketing User requirement +### Integration user -The Salesforce user who authorizes the OAuth connection must be marked as a **Marketing User**. This grants the integration permission to create and manage Campaigns in Salesforce — without it, campaign creation will fail. +For production and customer orgs, create a **dedicated integration user** in Salesforce rather than authorizing as a real person. This isolates the integration's permissions and prevents the connection from breaking if an employee's account is deactivated. -**For production / customer orgs:** create a dedicated API user for the integration and enable Marketing User on that account (**Setup → Users → [user] → Edit → Advanced User Details → Marketing User ✓**). Using a dedicated user isolates the integration's permissions and avoids the connection breaking if a real user's account is deactivated. +For development and testing, you can authorize with your own Salesforce account. -**For development / testing:** enable Marketing User on your own Salesforce account before going through the OAuth flow. \ No newline at end of file +### Conditional permissions + +The integration user needs additional permissions depending on which Salesforce objects your integration touches. Grant only what applies: + +| Salesforce objects | Required permission | +| --- | --- | +| **Campaigns, CampaignMembers** | Enable the **Marketing User** checkbox on the user record (**Setup → Users → [user] → Edit → Advanced User Details → Marketing User ✓**). This is a feature gate separate from object-level CRUD — even a user with full Edit on Campaigns cannot insert a Campaign without it. | +| **Contacts, Accounts, Leads, Opportunities** | Standard API access is sufficient. No additional flags needed beyond the base integration user profile. | + +> **Open question — license compatibility:** The Marketing User flag historically consumes a Marketing User feature license. It is currently unconfirmed whether this flag can be assigned to a Salesforce Integration User license (which is stripped-down and cheaper). If your integration creates Campaigns and you plan to use an Integration license, verify this in a Developer org before advising customers — it may require a full Salesforce seat instead. \ No newline at end of file From 97cc10a81216e254729bb0de9de29c3953e31972 Mon Sep 17 00:00:00 2001 From: Roberto Oliveros Date: Thu, 11 Jun 2026 10:40:40 -0600 Subject: [PATCH 4/4] Apply suggestion from @graphite-app[bot] Co-authored-by: graphite-app[bot] <96075541+graphite-app[bot]@users.noreply.github.com> --- packages/v1-ready/salesforce/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/v1-ready/salesforce/README.md b/packages/v1-ready/salesforce/README.md index 98a20c2..0cc28d4 100644 --- a/packages/v1-ready/salesforce/README.md +++ b/packages/v1-ready/salesforce/README.md @@ -3,7 +3,8 @@ This is the API Module for salesforce that allows the [Frigg](https://friggframework.org) code to talk to the salesforce API. -Read more on the [Frigg documentation site](https://docs.friggframework.org/api-modules/list/salesforce +Read more on the [Frigg documentation site](https://docs.friggframework.org/api-modules/list/salesforce) + ## Salesforce Connected App Setup