> For the complete documentation index, see [llms.txt](https://docs.euno.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.euno.ai/sources/business-intelligence/salesforce-integration.md). # Salesforce Salesforce CRM is a cloud platform for sales, service, and marketing. The underlying metadata (objects, fields, folders, reports, dashboards, and flows) is what teams build analytics and integrations on—so observing that structure helps you understand impact, ownership, and relationships across the org. Euno integrates with Salesforce by **inventorying metadata and lineage**, not by running data-quality monitors against table rows (such as freshness or volume anomaly detection on queried data). This page describes **what Euno captures** and how to **connect using OAuth 2.0 client credentials** via Salesforce’s **External Client App** model (consumer key, consumer secret, and My Domain). Euno's Salesforce integration supports auto-discovery of: * Salesforce Organization (`salesforce_org`) * **`user`** resources (when **Observe users & groups** is enabled) * **`user_group`** resources (when **Observe users & groups** is enabled) * Salesforce Folders (reports and dashboards) * Salesforce Objects (standard and custom, subject to your patterns) * Salesforce Fields (standard, custom, formula, relationships) * Salesforce Reports * Salesforce Dashboards * Salesforce Flows (when **Include flows** is enabled) ## Capability overview Euno’s Salesforce source emphasizes **discovery and graph relationships**, not running monitors against live Salesforce records: | Area | What Euno does today | | ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | | **Metadata** | Discovers organizations, folders, objects, fields, reports, dashboards, and flows | | **Lineage-style relationships** | Links dashboards → reports; reports and Flows → objects/fields; folders → contents; objects → fields; optional users/groups → ownership | | **Data monitors** | Not applicable—Euno does not run freshness/volume/count monitors on Salesforce data by default | {% hint style="info" %} For **sandbox** vs **production**, use the **My Domain URL** that Salesforce shows for that org (sandbox hostnames typically differ from prod). Paste the full host or the prefix described below; Euno normalizes common formats. {% endhint %} ## Prerequisites / Requirements You need: 1. **An External Client App** in Salesforce with **OAuth 2.0 client credentials flow** enabled and an **execution user** (Salesforce acts on behalf of that user). 2. **Consumer key**, **consumer secret**, and **My Domain** hostname (see setup below). 3. For the execution user profile/permission sets: rights sufficient to describe metadata and read report/dashboard structure over the REST and Analytics APIs, and (**if you enable Flow discovery**) to query **Flow** metadata over the **Tooling API**. ### Recommended permissions on the execution user Grant the Salesforce user designated as **execution user** (or equivalent profile) at least: * **API Enabled** — required for REST access * **View Setup and Configuration** — metadata for objects/setup * **Run Reports** — report metadata/analytics endpoints as needed by your org * **View All Data** *(recommended)* — consistent visibility across objects in large orgs; tighten only if policy requires a scoped integration account * **Tooling API** — for Flow definition reads; omit if **Include flows (Tooling API)** is turned off in Euno. {% hint style="info" %} Many teams create a dedicated **integration / service** user whose only job is powering API clients, assign it the External Client App’s **client credentials execution user**, and grant the minimum workable permissions. {% endhint %} ## Stage 1: Configure Salesforce for API access For many Salesforce orgs, long-lived integrations should use machine-to-machine access instead of **username**, **password**, and **security token** against the legacy login APIs. **Euno uses OAuth client credentials** with an External Client App, as Salesforce documents for secured API access patterns. Consult [Salesforce Help](https://help.salesforce.com/) for your edition’s latest steps (“External Client App,” “OAuth,” “client credentials,” “execution user”)—menu names vary by release. ### Step 1: Create an External Client App Adapt these steps to your Salesforce UI wording (menus change between releases): 1. In Salesforce Setup, open **Apps** → **External Client Apps** (or equivalent) → **External Client App Manager**. 2. **New External Client App** and fill basic information (name, API name, distribution state appropriate for internal use). ### Step 2: Enable OAuth and select scopes Under the app’s **API / OAuth** settings: 1. Enable **OAuth**. 2. Under **Selected OAuth Scopes**, add **Manage user data via APIs (`api`)** (move it from Available to Selected—Available alone is not enough). Do **not** use **Full access (`full`)**—it is too broad for Euno. Scopes such as **`web`** and **`refresh_token`** are also not supported for client credentials (Winter ’26 and later). Euno does not send a `scope` parameter or use refresh tokens—Salesforce uses whatever is in **Selected OAuth Scopes**. If only unsupported scopes are selected, **Test & Save** fails with `invalid_grant: no valid scopes defined`. 3. Under **Flow enablement**, turn on **Client credentials flow**. 4. Salesforce may still require registering a **callback URL** for the Connected / External Client App—even when you only use client credentials—use an HTTPS URL permitted by your org’s policy if prompted. Euno does **not** rely on an interactive browser redirect after client credentials are configured. ### Step 3: Set the execution user (Run As) The client credentials flow has no interactive login, but Salesforce still requires a **Run As** user whose permissions apply to every API call Euno makes. 1. In **Setup → App Manager** (or **External Client App Manager**), open your app and click **Manage** (not the main **Edit** screen). 2. Click **Edit Policies**. 3. Under **Client Credentials Flow**, use the **Run As** lookup (labeled **Client Credentials Flow** / **Run As**—not a separate “Run As” field elsewhere on the page, such as under a custom handler). 4. Select your integration user (see [recommended permissions](#recommended-permissions-on-the-execution-user)). 5. Ensure **Enable Client Credentials Flow** is allowed under the app’s OAuth policies, then **Save**. {% hint style="warning" %} If **Run As** is left blank, **Test & Save** in Euno fails with `invalid_grant: no client credentials user enabled`. Enabling client credentials under OAuth settings alone is not enough—you must assign **Run As** under **Edit Policies**. {% endhint %} ### Step 4: Consumer key and consumer secret 1. On the app, open **Settings** (or the credentials pane). 2. **Consumer Key / Client ID** and **Consumer Secret** — copy both into Euno (treat the **secret like a password**). ### Step 5: My Domain (hostname) 1. Setup → **Company Settings** → **My Domain** (names vary). 2. Copy **Current My Domain URL**, e.g. `https://acme.my.salesforce.com`. In Euno you can paste either: * The **full URL**, or * The **prefix** used before `.salesforce.com` (example: `acme.my`) Euno strips `https://` and `.salesforce.com` automatically so tokens are requested against the correct host. {% hint style="warning" %} Do **not** use the legacy **`login`** / **`test`** “environment” shorthand as the sole domain string for OAuth client credentials; use the My Domain host Salesforce gives you (sandbox orgs still have their own My Domain URL). {% endhint %} ### Checklist: verify Salesforce configuration Before continuing to Euno, confirm the following on your External Client App: | Salesforce setting | Required value | | ----------------------- | -------------------------------------------------------------------- | | Client credentials flow | Enabled | | Selected OAuth Scopes | **Manage user data via APIs (`api`)** — not **Full access (`full`)** | | Run As user | Set under **Manage → Edit Policies → Client Credentials Flow** | | Consumer key / secret | Copied from this app | | My Domain | Your org’s My Domain host (not `login` / `test`) | ## Stage 2: Configure the Salesforce source in Euno ### Step 1: Access the Sources page In Euno, open **Sources**, choose **Add New Source**, and select **Salesforce**. ### Step 2: General configuration Asterisk (\*) means a mandatory field. | Configuration | Description | | --------------------- | ------------------------------------------------------- | | **Name**\* | Friendly name for this source | | **Consumer key**\* | External Client App OAuth **Consumer Key / Client ID** | | **Consumer secret**\* | External Client App **Consumer Secret** | | **My Domain host**\* | From My Domain (full URL or `your-org.my` style prefix) | ### Step 3: Schedule Enable **Schedule** and pick a cadence that fits how often your org’s metadata changes. **Daily** or every **12–24 hours** is often enough for metadata; increase frequency if your org changes structure often. {% hint style="info" %} **Recommended**: Schedule the Salesforce integration at least daily so folder, report, and dashboard metadata stays reasonably current. {% endhint %} ### Step 4: Resource cleanup Choose a **Resource cleanup** policy the same way as for other Euno sources (for example immediate cleanup vs retaining stale resources). See [Resource sponsorship and cleanup](/developer-reference/technical-concepts/resource-sponsorship-and-cleanup-in-euno.md). ### Step 5: Save Configuration Click **Test & Save** to complete the setup. Euno will: 1. Exchange OAuth client credentials against your My Domain host. 2. Verify REST API access to your Salesforce organization. 3. Save the configuration if validation passes. If the test fails, see [Troubleshooting](#troubleshooting) below. ## Troubleshooting When **Test & Save** fails, Euno surfaces the Salesforce OAuth error from the token endpoint. Common messages and fixes: | Error | Likely cause | Fix | | -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `invalid_grant: no client credentials user enabled` | No **Run As** user under **Edit Policies → Client Credentials Flow** | Open **App Manager → Manage → Edit Policies**, set **Run As** to your integration user, and save. See [Step 3](#step-3-set-the-execution-user-run-as). | | `invalid_grant: no valid scopes defined` | App has no supported OAuth scopes for client credentials (often **Full access (`full`)**, `web`, or `refresh_token` selected instead of **`api`**) | In **Selected OAuth Scopes**, add **Manage user data via APIs (`api`)** and remove unsupported scopes such as **`full`**. See [Step 2](#step-2-enable-oauth-and-select-scopes). | | `invalid_grant: authentication failure` / invalid client credentials | Wrong consumer key or secret, or credentials from a different app or org | Copy **Consumer Key** and **Consumer Secret** from the same External Client App you configured. Sandbox and production each need their own app and credentials. | | Authentication succeeds but crawl is incomplete | Integration user lacks object, report, or Tooling API access | Grant [recommended permissions](#recommended-permissions-on-the-execution-user). Disable **Include flows** if Tooling access is not available. | Also verify: * **My Domain host** matches the org whose consumer key and secret you entered (not `login` or `test`). See [Step 5](#step-5-my-domain-hostname). * Sandbox and production are configured separately—credentials and app settings from one org do not work in the other. ## What Euno discovers The Salesforce source discovers: * Salesforce Organization (`salesforce_org`) * **`user`** resources (when **Observe users & groups** is enabled) * **`user_group`** resources (when **Observe users & groups** is enabled) * Salesforce Folders (reports and dashboards) * Salesforce Objects (standard and custom, subject to your patterns) * Salesforce Fields (standard, custom, formula, relationships) * Salesforce Reports * Salesforce Dashboards * Salesforce Flows (when **Include flows (Tooling API)** is enabled) Details of resource types, properties, and relationships: [Salesforce integration discovered resources](/sources/business-intelligence/salesforce-integration/salesforce-integration-discovered-resources.md). ## Advanced settings Open the **Advanced** section on the source form to configure optional filters and scopes. | Configuration | Description | | ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | **Object filter** | Allow/deny regexes matched against Salesforce **object API names** (e.g. `Account`, `Custom__c`) | | **Report filter** | Allow/deny regexes matched against the report’s **display Name** only (not Id or DeveloperName) | | **Dashboard filter** | Allow/deny regexes matched against the dashboard’s **Title** only (not Id or DeveloperName) | | **Only crawl custom objects** | Limits discovery to objects ending in `__c` | | **Include reports** | Discover reports (default: on); combined with report filter patterns | | **Include dashboards** | Discover dashboards (default: on); combined with dashboard filter patterns | | **Include flows (Tooling API)** | Discover Flow definitions and version metadata for lineage (default: on); requires Tooling/API permissions—disable if your connected app cannot read Flow metadata | | **Observe users & groups** | Emit users/groups for ownership linkage (default: on) | ## Filtering objects, reports, and dashboards You can narrow crawl scope using: * **Object filter** plus **Only crawl custom objects** — control which **sObjects** and their **fields** are observed. * **Report filter** — include or exclude reports by **Name** regex. * **Dashboard filter** — include or exclude dashboards by **Title** regex. Align those patterns with your governance policy; exclusions are governed by your configuration. Reports or dashboards excluded by regex **do not** appear as resources—downstream lineage that would have depended only on those assets will be absent for them. ## Lineage relationships Among other edges, Euno captures: * **Dashboard → Report** references (when describe metadata exposes them, including at crawl time from dashboard describe `components` when available) * **Report → Object / Field** dependencies derived from Analytics **report describe** columns (subject to discovered objects and fields; global processing enriches `table_dependencies` / `upstream_fields` where metadata allows) * **Flow → Object / Field** lineage derived from Flow **record create/update** and related metadata (subject to Flow discovery being enabled and successful Tooling reads) * **Object → Field** containment * **Folder → Report / Dashboard** containment when applicable Exact property names (`table_dependencies`, `upstream_fields`, `salesforce_flow_lineage`, etc.) are summarized in [discovered resources](/sources/business-intelligence/salesforce-integration/salesforce-integration-discovered-resources.md). ## Personal vs. shared folders {% hint style="info" %} **Personal folders**: Reports and dashboards under personal folders (or analogous “Unfiled” buckets) still appear where Salesforce exposes them via API metadata, typically **directly under the organization** rather than under a folder resource—only broadly shared folders show as **`salesforce_folder`** resources depending on Salesforce’s folder model for your tenant. {% endhint %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.euno.ai/sources/business-intelligence/salesforce-integration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.