What Is Web Server Flow in Salesforce?


Angela Bailey

When working with Salesforce, understanding the flow of data between the web server and the client is essential. In this article, we will explore what web server flow entails and how it functions within the Salesforce ecosystem.

What is Web Server Flow?

In Salesforce, Web Server Flow is a type of authentication flow that allows an external application to authenticate and access Salesforce resources on behalf of a user. It involves a series of interactions between the user, the external application, and Salesforce’s web server.

How Does Web Server Flow Work?

The process begins when a user initiates an action in the external application that requires access to their Salesforce data. The application redirects the user to Salesforce’s authorization endpoint with specific parameters indicating the desired access scope.

Upon receiving the request, Salesforce prompts the user to log in (if not already logged in) and verifies their credentials. Once authenticated, Salesforce displays an authorization prompt requesting permission for the external application to access specified resources on behalf of the user.

If the user grants permission, Salesforce generates an authorization code and redirects the user's browser to the external application's callback URL (the redirect URI), with the code attached. The callback URL is specified by the application during registration with Salesforce.

The external application then makes a token request to Salesforce’s token endpoint using its client ID, client secret, callback URL, and authorization code. This token request includes additional parameters such as grant type and refresh token (if applicable).

If all parameters are valid and authentication is successful, Salesforce responds with an access token and optionally provides a refresh token for future use. The access token represents proof of authentication and allows the external application to make authorized API requests on behalf of the user.

Utilizing Web Server Flow in Development

To implement Web Server Flow in your own application, you need to register a connected app in Salesforce. This involves providing necessary details such as the application name, callback URL, and selected OAuth scopes. Once registered, Salesforce generates a client ID and client secret unique to your application.

In your application’s code, you will need to handle the redirect from Salesforce’s authorization endpoint and retrieve the authorization code. You can then exchange this code for an access token by making a token request to Salesforce’s token endpoint using the appropriate parameters.

With the obtained access token, you can include it in subsequent API requests as an Authorization header or query parameter to authenticate and authorize actions on behalf of the user.
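The three steps above, sketched as an added example (not code from Salesforce or from this article) that also covers the `state` check a callback handler needs so it only accepts redirects it started. The client ID, client secret, callback URL and scope values are constructed placeholders; the two endpoint paths are the standard ones on login.salesforce.com.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
# Constructed placeholders: real values come from the connected app registration.
CLIENT_ID = "EXAMPLE_CLIENT_ID"
CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"  # keep server-side only, never in client code
CALLBACK_URL = "https://app.example.com/oauth/callback"


def build_authorize_url(scope="api refresh_token"):
    """Step 1: return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable value tying the callback to this session
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def extract_code(callback_request_url, expected_state):
    """Step 2: validate the redirect from Salesforce and return the authorization code."""
    params = parse_qs(urlparse(callback_request_url).query)
    if "error" in params:  # user denied access, or Salesforce rejected the request
        raise PermissionError(params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def build_token_request(code):
    """Step 3: return (url, form body) to POST server-to-server over TLS."""
    return TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": CALLBACK_URL,  # must match the value sent in step 1
    }
```

Of the two ways to present the access token mentioned above, the `Authorization: Bearer <token>` header is the safer default, because tokens placed in query strings end up in server logs, proxies and browser history.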


Understanding Web Server Flow is crucial for developers working with Salesforce integration. It enables seamless authentication and secure access to Salesforce resources from external applications. By following the outlined process and utilizing proper API requests, developers can leverage this flow to enhance their applications’ capabilities.
