Intro
Salesforce offers a set of officially hosted MCP servers that expose Salesforce data and automation to AI assistants. Connecting them through MCP Manager gives your organization centralized auth, audit logging, tool provisioning, and policy enforcement on top of what Salesforce provides natively. Here's the blog announcing this functionality.
This guide walks through the full setup: confirming your Salesforce org is eligible, activating MCP servers in Setup, configuring an External Client App (ECA), and connecting everything through MCP Manager using Client Pre-Registration. By the end, you'll have a working Salesforce MCP connection routed through MCP Manager with every request logged and governed.
Why pre-registration? Salesforce does not support Dynamic Client Registration (DCR) for hosted MCP servers — administrators must explicitly create an External Client App in their org and provide its credentials. MCP Manager's Client Pre-Registration auth type is the matching pattern: you supply the OAuth Client ID and Client Secret from your ECA, and MCP Manager handles the rest of the auth flow on behalf of your users.
Before You Begin
Setting up Salesforce hosted MCP servers requires admin access to your Salesforce org. There are a few prerequisites that must be in place before MCP Manager can connect.
Confirm Your Org Is Eligible
Salesforce hosted MCP servers require Enterprise Edition or above. Developer Edition orgs are also supported. If your org is on a lower edition, this feature isn't available.
For eligible orgs, MCP capability is auto-enabled. If you have a sufficient license but the MCP service isn't showing up in Setup, contact Salesforce Support and ask them to enable the MCPService permission for your org.
Activate the MCP Servers You Need
By default, all Salesforce hosted MCP servers are disabled. This is intentional — exposing data to external AI systems should be a deliberate admin decision. You'll need to turn on each server you want to use.
- In Salesforce, navigate to Setup → API Catalog → MCP Servers.
- Toggle on the individual servers your team needs (for example, platform/sobject-all for full sObject CRUD access).
- Wait up to 2 minutes for activation to propagate. If MCP Manager can't connect immediately after activation, give it a moment and retry.
For the official walkthrough, see Salesforce's Activate MCP Servers guide.
Note on API quota: MCP tool calls count against your org's daily API request limit. For high-volume usage, monitor consumption in Setup → Company Information → API Requests, Last 24 Hours.
Step 1: Create an External Client App in Salesforce
External Client Apps (ECAs) are the modern replacement for Connected Apps and are the only authentication mechanism Salesforce supports for hosted MCP servers. Connected Apps are legacy and will not work — don't try to reuse one.
You'll create one ECA per MCP client. Since MCP Manager acts as the client to Salesforce on behalf of all your downstream AI tools, you'll create one ECA dedicated to MCP Manager.
Create the ECA
- In Salesforce, navigate to Setup → External Client App Manager.
- Click New External Client App.
- Give it a clear name like MCP Manager Gateway so it's easy to identify in audit logs and access reviews.
- Enable OAuth on the app.
- For the Callback URL, paste the redirect URL shown in MCP Manager when you select the Client Pre-Registration auth type (you'll see this in Step 3 below). Come back to this field once you have it.
Configure OAuth Scopes
Add the following two OAuth scopes to the ECA:
- mcp_api — Access Salesforce hosted MCP servers
- refresh_token — Perform requests at any time (allows MCP Manager to refresh access tokens automatically)
Migrating from the Salesforce MCP Beta? The beta used the scopes api, sfap_api, refresh_token, and einstein_gpt_api. These will not work with the GA service. Update both your ECA and your MCP Manager configuration to use mcp_api and refresh_token.
Configure Security Settings
Under the ECA's Security settings:
- Enable Require Proof Key for Code Exchange (PKCE).
- Enable Issue JWT-based access tokens for named users.
- Deselect every other Flow Enablement option. Only the authorization code flow with PKCE should be active.
Save and Capture Your Credentials
Save the External Client App. From the app's detail page, copy the following values — you'll paste them into MCP Manager in the next step:
- Consumer Key (this is your OAuth Client ID)
- Consumer Secret (this is your OAuth Client Secret)
ECA propagation delay: After creating or modifying an External Client App, it can take up to 30 minutes to become operational worldwide. This is similar to DNS propagation. If MCP Manager fails to authenticate immediately after you save the ECA, wait and retry before troubleshooting further.
Step 2: Determine Your Salesforce MCP Server URL
Salesforce's hosted MCP servers use a structured URL pattern that encodes both the server name and your org's identity. You'll need the right URL for the org type you're connecting to.
Find Your My Domain Name
The recommended URL format includes your Salesforce My Domain name, which is required for orgs that have disabled login from login.salesforce.com or test.salesforce.com.
To find it, go to Setup → My Domain in Salesforce and copy the My Domain Name value.
Construct the URL
Use the pattern that matches your org type. Replace {mydomainname} with your My Domain value, {sandboxname} with the sandbox name (sandbox orgs only), and {servername} with the activated server you want to use (for example, platform/sobject-all).
Simple URL (without My Domain):
https://api.salesforce.com/platform/mcp/v1/platform/sobject-all
Production org:
https://api.salesforce.com/platform/mcp/v1/d/{mydomainname}/{servername}
Developer Edition org:
https://api.salesforce.com/platform/mcp/v1/d/{mydomainname}/develop/{servername}
Sandbox org:
https://api.salesforce.com/platform/mcp/v1/d/{mydomainname}--{sandboxname}/sandbox/{servername}
For example, a production org with My Domain acme connecting to the platform/sobject-all server would use:
https://api.salesforce.com/platform/mcp/v1/d/acme/platform/sobject-all
For the complete URL reference including non-My-Domain variants and additional org types, see Salesforce's Connecting Your MCP Client wiki.
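The three My Domain patterns above are easy to get subtly wrong (a stray trailing slash, http instead of https, the sandbox separator). The following is an added example, not code from this guide, from Salesforce or from MCP Manager: it builds a URL from its parts, parses one back, and reports whether a pasted URL round-trips cleanly. It assumes, as this example's own convention, that My Domain and sandbox names are single DNS-style labels and that "--" is rejected inside a My Domain name because the sandbox pattern uses it as a separator; the "acme" and "uat" values are constructed sample inputs.

```python
"""Build and sanity-check Salesforce hosted MCP server URLs.

Added example, not the guide's, Salesforce's or MCP Manager's code. It encodes
the three My Domain URL patterns from the guide plus checks an admin would want
before pasting a URL into MCP Manager. Assumptions (this example's own): My Domain
and sandbox names are single DNS-style labels, and "--" is not allowed inside a
My Domain name because the sandbox pattern uses it as a separator.
"""
import re
from typing import Dict, Optional
from urllib.parse import urlparse

BASE = "https://api.salesforce.com/platform/mcp/v1"

# One DNS-style label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def build_mcp_url(my_domain: str, server_name: str,
                  org_type: str = "production",
                  sandbox_name: Optional[str] = None) -> str:
    """Return the MCP server URL for an org.

    org_type is "production", "developer" or "sandbox" (sandbox needs
    sandbox_name). server_name is the activated server, e.g. "platform/sobject-all".
    """
    if not _LABEL.match(my_domain) or "--" in my_domain:
        raise ValueError("invalid My Domain name: %r" % my_domain)
    server = server_name.strip("/")
    segments = server.split("/")
    # Empty segments or ".." can never name an activated server; reject early.
    if not server or "" in segments or ".." in segments:
        raise ValueError("invalid server name: %r" % server_name)
    if org_type == "production":
        return "%s/d/%s/%s" % (BASE, my_domain, server)
    if org_type == "developer":
        return "%s/d/%s/develop/%s" % (BASE, my_domain, server)
    if org_type == "sandbox":
        if not sandbox_name or not _LABEL.match(sandbox_name) or "--" in sandbox_name:
            raise ValueError("sandbox org_type requires a valid sandbox_name")
        return "%s/d/%s--%s/sandbox/%s" % (BASE, my_domain, sandbox_name, server)
    raise ValueError("unknown org_type: %r" % org_type)


def parse_mcp_url(url: str) -> Dict[str, Optional[str]]:
    """Inverse of build_mcp_url for My Domain style URLs.

    Raises ValueError when the scheme, host or path prefix is wrong, so a
    mistyped URL is caught before it is saved in MCP Manager. The "develop"
    and "sandbox" path segments are taken as org-type markers, as in the
    patterns above (this example's assumption).
    """
    p = urlparse(url)
    if p.scheme != "https" or p.netloc != "api.salesforce.com":
        raise ValueError("URL must begin with https://api.salesforce.com")
    parts = p.path.strip("/").split("/")
    if parts[:4] != ["platform", "mcp", "v1", "d"] or len(parts) < 6:
        raise ValueError("not a My Domain style MCP server URL")
    domain, rest = parts[4], parts[5:]
    if "--" in domain:
        my_domain, sandbox = domain.split("--", 1)
        if rest[0] != "sandbox" or len(rest) < 2:
            raise ValueError("sandbox URL must be .../{mydomain}--{sandbox}/sandbox/{server}")
        return {"org_type": "sandbox", "my_domain": my_domain,
                "sandbox_name": sandbox, "server_name": "/".join(rest[1:])}
    if rest[0] == "develop" and len(rest) >= 2:
        return {"org_type": "developer", "my_domain": domain,
                "sandbox_name": None, "server_name": "/".join(rest[1:])}
    return {"org_type": "production", "my_domain": domain,
            "sandbox_name": None, "server_name": "/".join(rest)}


def is_valid_mcp_url(url: str) -> bool:
    """True when the URL parses and rebuilds to exactly the same string
    (catches http://, a trailing slash, or a wrong path prefix)."""
    try:
        info = parse_mcp_url(url)
        return build_mcp_url(info["my_domain"], info["server_name"],
                             info["org_type"], info["sandbox_name"]) == url
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not a real org.
    print(build_mcp_url("acme", "platform/sobject-all"))
    print(build_mcp_url("acme", "platform/sobject-all", "sandbox", "uat"))
    print(is_valid_mcp_url("https://api.salesforce.com/platform/mcp/v1/d/acme/platform/sobject-all/"))
```

The round-trip check in is_valid_mcp_url is deliberately strict: a URL that parses but does not rebuild byte-for-byte (for example one with a trailing slash) is reported as invalid, since MCP Manager will use the string exactly as entered.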
Step 3: Add the Server to MCP Manager
With your ECA configured and your server URL in hand, you can now add the Salesforce MCP server to MCP Manager.
- In MCP Manager, navigate to MCP Servers in the left sidebar.
- Click + Add.
- Select Remote as the server type.
- Enter the Salesforce MCP server URL you constructed in Step 2.
- For the authentication type, select Client Pre-Registration. This tells MCP Manager that you'll provide a Client ID and Client Secret rather than relying on dynamic registration (which Salesforce does not support).
- MCP Manager will display its redirect URL in a blue callout box. Copy this value.
Add the Redirect URL to Your ECA
Go back to your External Client App in Salesforce and update the Callback URL field with the redirect URL you just copied from MCP Manager. Save the ECA.
This step is required — without it, the OAuth handshake will fail with a redirect URI mismatch error when users try to connect.
Enter Your ECA Credentials in MCP Manager
Back in MCP Manager:
- Paste the Consumer Key from your ECA into the Client ID field.
- Paste the Consumer Secret from your ECA into the Client Secret field.
- Click Save.
MCP Manager will initiate the OAuth flow. You'll be redirected to Salesforce's login page to authenticate, and then back to MCP Manager once authorization is complete. If you've configured the ECA's Permitted Users policy to require a Permission Set, only users with that Permission Set will be able to complete the flow.
Once connected, MCP Manager will discover the server's tools, and you can assign the server to a gateway and start using it from your downstream AI clients.
How MCP Manager Fits with Salesforce's Auth Model
Salesforce's hosted MCP architecture is built around a few deliberate security choices that work hand-in-hand with MCP Manager:
- Authorization code flow only. Every MCP transaction is tied to a named human user. MCP Manager preserves this by routing each user's OAuth flow through to Salesforce — the user authenticates with their own Salesforce credentials, and the resulting token reflects their personal field-level security, sharing rules, and CRUD permissions. The agent can only do what the user could do directly.
- Client Pre-Registration over DCR. Salesforce explicitly does not support Dynamic Client Registration. Admins must approve each integration via an ECA. MCP Manager's Client Pre-Registration auth type is the matching pattern — you create the ECA, MCP Manager uses its credentials.
- JWT access tokens. Salesforce issues self-contained JWT access tokens that carry the user's identity and permissions. MCP Manager passes these through to Salesforce on every tool call without needing to re-validate against Salesforce on each request.
- The .well-known discovery flow. When MCP Manager first connects to a Salesforce MCP server URL, Salesforce returns a 401 response pointing to a .well-known metadata endpoint. That endpoint tells MCP Manager exactly which OAuth flows are supported, which endpoints to use, and what scopes are valid. This is automatic — MCP Manager handles it without any configuration on your side.
What MCP Manager adds on top: a single audit trail across all of your MCP traffic (Salesforce and otherwise), centralized tool provisioning so you can expose only the Salesforce tools your team actually needs, the ability to apply data-loss-prevention rules to tool inputs and outputs, and unified user management so you don't need to manage separate ECAs for every downstream AI client.
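The "Require Proof Key for Code Exchange" setting from Step 1 and the authorization-code-only model above rest on PKCE (RFC 7636). As an added illustration, not MCP Manager's or Salesforce's code, the block below generates the verifier/challenge pair a client sends and performs the check the token endpoint makes when the code is redeemed. Nothing here needs to be run during setup; MCP Manager does this on the user's behalf.

```python
"""PKCE (RFC 7636) verifier/challenge pair and the token-endpoint check.

Added example, not the guide's, Salesforce's or MCP Manager's code. It shows
why "Require PKCE" matters: an authorization code alone is not enough to
obtain a token; the holder must also present the secret verifier that only
the client which started the flow knows.
"""
import base64
import hashlib
import secrets
from typing import Tuple


def _b64url(raw: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh high-entropy verifier (43 chars from 32 random bytes) and its challenge.

    The client keeps the verifier private and sends only the challenge with
    the authorization request.
    """
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, code_challenge(verifier)


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """The authorization server's check at the token endpoint.

    Only S256 is accepted here; the "plain" method would expose the verifier
    in the authorization request and defeats the purpose. The length bounds
    are those of RFC 7636 section 4.1.
    """
    if method != "S256" or not (43 <= len(verifier) <= 128):
        return False
    return secrets.compare_digest(code_challenge(verifier), challenge)


if __name__ == "__main__":
    v, c = make_pkce_pair()
    print("verifier :", v)
    print("challenge:", c)
    print("token endpoint accepts:", verify_pkce(v, c))
```

The defensive value for this setup: if an authorization code were ever exposed in a redirect (browser history, a misconfigured callback), it cannot be exchanged for a Salesforce token without the verifier, which never leaves MCP Manager.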
Troubleshooting
"Redirect URI mismatch" or "The request does not match the URL for the application"
The redirect URL in your Salesforce ECA's Callback URL field doesn't match what MCP Manager is sending. Compare the two values exactly — watch for trailing slashes, missing https://, or truncated copy-paste. Update the ECA, save, and try connecting again. Remember the up-to-30-minute ECA propagation delay after any change.
Authentication fails immediately after creating the ECA
External Client App changes can take up to 30 minutes to propagate worldwide. Wait and retry before assuming there's a configuration issue.
"invalid_scope" error during OAuth
Your ECA may still be configured with the old beta scopes. Confirm the ECA has exactly mcp_api and refresh_token — not api, sfap_api, or einstein_gpt_api.
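Most of the failures in this section trace back to an ECA that drifted from the configuration in Step 1: leftover beta scopes, an extra flow left enabled, or a callback URL that differs from MCP Manager's redirect by a character. The following is an added example, not code from this guide, Salesforce or MCP Manager: it audits an ECA modelled as a plain dict against the guide's requirements and explains a redirect URI mismatch. The dict keys (scopes, flows, require_pkce, jwt_named_user, callback_url), the flow label "authorization_code" and the mcp-manager.example redirect are this example's own constructed names, not Salesforce setting names.

```python
"""Audit an External Client App configuration against this guide's requirements.

Added example; not the guide's, Salesforce's or MCP Manager's code. The ECA is
modelled as a plain dict with this example's own keys and constructed values.
"""
from typing import Dict, List
from urllib.parse import urlparse

REQUIRED_SCOPES = {"mcp_api", "refresh_token"}
# Scopes the beta used; the GA service rejects them with invalid_scope.
BETA_SCOPES = {"api", "sfap_api", "einstein_gpt_api"}
# The only flow the guide leaves enabled (label is this example's own).
ALLOWED_FLOWS = {"authorization_code"}

MANAGER_REDIRECT = "https://mcp-manager.example/oauth/callback"  # constructed placeholder


def check_scopes(scopes) -> List[str]:
    """Exactly mcp_api and refresh_token; flag missing, beta and surplus scopes."""
    present = set(scopes)
    problems = []
    missing = REQUIRED_SCOPES - present
    stale = present & BETA_SCOPES
    extra = present - REQUIRED_SCOPES - BETA_SCOPES
    if missing:
        problems.append("missing required scope(s): %s" % ", ".join(sorted(missing)))
    if stale:
        problems.append("beta scope(s) not valid for GA (expect invalid_scope): %s" % ", ".join(sorted(stale)))
    if extra:
        problems.append("scope(s) beyond what MCP Manager needs: %s" % ", ".join(sorted(extra)))
    return problems


def check_flows(flows, require_pkce: bool, jwt_named_user: bool) -> List[str]:
    """Authorization code flow with PKCE and JWT tokens for named users, nothing else."""
    enabled = set(flows)
    problems = []
    if not require_pkce:
        problems.append("PKCE is not required")
    if not jwt_named_user:
        problems.append("JWT-based access tokens for named users are not enabled")
    if "authorization_code" not in enabled:
        problems.append("authorization code flow is not enabled")
    unexpected = enabled - ALLOWED_FLOWS
    if unexpected:
        problems.append("extra flow(s) enabled, deselect them: %s" % ", ".join(sorted(unexpected)))
    return problems


def diagnose_redirect(eca_callback: str, manager_redirect: str) -> List[str]:
    """Explain how the ECA callback differs from MCP Manager's redirect URL.

    Returns an empty list on an exact match; otherwise names the usual culprits
    (missing https://, trailing slash, truncated paste) so the fix is obvious.
    """
    if eca_callback == manager_redirect:
        return []
    reasons = []
    eca = eca_callback.strip()
    if eca != eca_callback:
        reasons.append("leading or trailing whitespace in ECA callback")
    if "://" not in eca:
        reasons.append("ECA callback has no scheme (expected https://)")
        eca = "https://" + eca
    a, b = urlparse(eca), urlparse(manager_redirect)
    if a.scheme != b.scheme:
        reasons.append("scheme differs: %s vs %s" % (a.scheme, b.scheme))
    if a.netloc.lower() != b.netloc.lower():
        reasons.append("host differs: %s vs %s" % (a.netloc, b.netloc))
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            reasons.append("trailing slash differs")
        elif b.path.startswith(a.path):
            reasons.append("ECA callback path looks truncated")
        else:
            reasons.append("path differs: %s vs %s" % (a.path, b.path))
    if (a.query, a.fragment) != (b.query, b.fragment):
        reasons.append("query string or fragment differs")
    if not reasons:
        reasons.append("values differ only in case or whitespace; paste the exact string")
    return reasons


def audit_eca(eca: Dict, manager_redirect: str = MANAGER_REDIRECT) -> List[str]:
    """All problems found; an empty list means the ECA matches the guide."""
    problems = check_scopes(eca.get("scopes", []))
    problems += check_flows(eca.get("flows", []),
                            eca.get("require_pkce", False),
                            eca.get("jwt_named_user", False))
    problems += ["callback URL: " + r
                 for r in diagnose_redirect(eca.get("callback_url", ""), manager_redirect)]
    return problems


# Constructed sample: an ECA carried over from the beta without being updated.
BETA_ERA_ECA = {
    "scopes": ["api", "sfap_api", "refresh_token", "einstein_gpt_api"],
    "flows": ["authorization_code", "client_credentials"],
    "require_pkce": False,
    "jwt_named_user": True,
    "callback_url": "mcp-manager.example/oauth/callback/",
}

# Constructed sample: an ECA configured as Step 1 describes.
GOOD_ECA = {
    "scopes": ["mcp_api", "refresh_token"],
    "flows": ["authorization_code"],
    "require_pkce": True,
    "jwt_named_user": True,
    "callback_url": MANAGER_REDIRECT,
}

if __name__ == "__main__":
    for line in audit_eca(BETA_ERA_ECA):
        print("-", line)
    print("good ECA problems:", audit_eca(GOOD_ECA))
```

Run it after any ECA change and again once the up-to-30-minute propagation window has passed; an empty result from audit_eca means the remaining cause is timing or the Permitted Users policy, not the app configuration.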
Users can't authenticate even though everything else looks right
If you set Permitted Users to Admin approved users are pre-authorized, only users assigned the linked Permission Set will be able to complete the OAuth flow. Check that the affected users have the Permission Set assigned.
MCP Manager connects but no tools appear
The Salesforce MCP server you specified in the URL may not be activated. Go to Setup → API Catalog → MCP Servers in Salesforce and confirm the server is toggled on. Activation can take up to 2 minutes to take effect.
Working in a scratch org
External Client Apps cannot be created directly in scratch orgs through the Setup UI. The workaround is to create the ECA in a Dev Hub org, package it, and install the package into the target scratch org. See Salesforce's Known Limitations wiki for details.