# Salesforce Managed MCP Server > For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [agentic-data-plane-full.txt](https://docs.redpanda.com/agentic-data-plane-full.txt) --- title: Salesforce Managed MCP Server latest-operator-version: v26.1.5 latest-console-tag: v3.7.4 latest-connect-version: 4.96.1 latest-redpanda-tag: v26.1.10 docname: managed/salesforce page-component-name: agentic-data-plane page-version: master page-component-version: master page-component-title: Agentic Data Plane page-relative-src-path: managed/salesforce.adoc page-edit-url: https://github.com/redpanda-data/adp-docs/edit/main/modules/connect/pages/managed/salesforce.adoc description: Query, create, update, and delete Salesforce CRM records with SOQL and the REST API, and run saved reports, from an LLM agent. Choose a shared service-account identity or per-user OAuth. page-topic-type: how-to personas: agent_builder, platform_engineer learning-objective-1: Choose between service-account OAuth and per-user OAuth for the Salesforce managed MCP server learning-objective-2: Configure the Salesforce managed MCP server against your org learning-objective-3: Query, modify, and report on Salesforce records from an agent page-git-created-date: "2026-06-10" page-git-modified-date: "2026-06-10" --- The **Salesforce** managed MCP server lets agents work with [Salesforce](https://www.salesforce.com/) CRM data: running SOQL queries and SOSL searches, reading and writing records, inspecting object metadata, and running saved Salesforce reports through the REST and Analytics APIs. After reading this page, you will be able to: - Choose between service-account OAuth and per-user OAuth for the Salesforce managed MCP server - Configure the Salesforce managed MCP server against your org - Query, modify, and report on Salesforce records from an agent ## [](#what-this-mcp-server-does)What this MCP server does The Salesforce MCP exposes the following tools: | Tool | What it does | | --- | --- | | query | Execute a SOQL query. | | query_more | Fetch the next page of a large query result, using the nextRecordsUrl returned by query. | | search | Execute a SOSL full-text search. | | list_objects | List all available sObject types in the org. | | describe_object | Get field and schema metadata for an sObject. | | get_record | Fetch a record by ID, with optional field selection. | | create_record | Create a new record. | | update_record | Update an existing record (PATCH). | | delete_record | Delete a record. | | describe_report | Get a report’s metadata: columns, groupings, and filters. | | run_report | Run a saved report synchronously and return its results. | `run_report` executes a saved Salesforce report through the Analytics REST API, applying the report’s built-in groupings, aggregates, and filters that raw SOQL cannot reproduce. Use `describe_report` first to discover a report’s columns and filters. To list reports, use `query` with `SELECT Id, Name, DeveloperName FROM Report`. ## [](#choose-an-authentication-mode)Choose an authentication mode The Salesforce MCP supports two authentication modes. Set exactly one in the managed config: | Mode | When to use | | --- | --- | | Service-account OAuth (serviceAccountOauth) | OAuth 2.0 client-credentials grant through a Connected App. Service-to-service: no browser, no redirect. Every caller shares one Salesforce identity. Use this when a single shared identity is acceptable. | | Per-user OAuth (userOauth) | Each caller’s Salesforce OAuth token is resolved from the token vault on every request, so tool calls respect Salesforce row-level security for the calling user. Requires a Salesforce OAuth Provider. Use this when each user must act as themselves. | ## [](#prerequisites)Prerequisites Before you create the server, make sure you have: - A Salesforce org where you can create a Connected App. A free Developer Edition org or a Sandbox works. - Your Salesforce instance URL (your **My Domain** URL), such as `https://mycompany.my.salesforce.com`. Use the full `https://` base domain with no path. - For **service-account OAuth**: a Connected App configured for the client-credentials flow, and its consumer key and consumer secret. - For **per-user OAuth**: a Salesforce [OAuth Provider](https://docs.redpanda.com/agentic-data-plane/reference/glossary/#oauth-provider) configured in Redpanda ADP. See [Configure an OAuth Provider](https://docs.redpanda.com/agentic-data-plane/connect/oauth-providers/) and [User-delegated OAuth](https://docs.redpanda.com/agentic-data-plane/connect/user-delegated-oauth/). ## [](#create-a-connected-app-for-service-account-oauth)Create a Connected App for service-account OAuth Skip this section if you are using per-user OAuth. The client-credentials flow is a service-to-service flow: `client_id` + `client_secret` exchange for an `access_token`, with no browser interaction. 1. In Salesforce **Setup**, search for **App Manager** and click **New Connected App**. 2. Enter a Connected App Name and Contact Email. 3. Under **API (Enable OAuth Settings)**: - Check **Enable OAuth Settings**. - Set a Callback URL (required by the form, unused for client credentials). - Add the Manage user data via APIs (api) and Perform requests at any time (refresh\_token, offline\_access) OAuth scopes. - Check **Enable Client Credentials Flow**. 4. Click **Save**, then **Continue**. 5. Open the app from **App Manager**, click **Manage Consumer Details**, and copy the Consumer Key (your `client_id`) and Consumer Secret (your `client_secret`). 6. Set a Run As user: in **App Manager**, open the app, click **Manage > Edit Policies**, and under Client Credentials Flow set Run As to a Salesforce user with API access. Click **Save**. Store the consumer secret in the Redpanda ADP secret store under an `UPPER_SNAKE_CASE` key, such as `SALESFORCE_CLIENT_SECRET`. ## [](#configure)Configure Create a new Salesforce MCP server in ADP: 1. Open **MCP Servers > Create Server**. 2. Pick `Salesforce` from the marketplace picker. 3. Fill in identity fields (`name`, `description`). 4. In the Salesforce configuration form, set the Salesforce instance URL (`orgUrl`) and pick an Auth Method: service-account OAuth or per-user OAuth. For per-user OAuth, select the Salesforce OAuth Provider. 5. Optionally pin a Salesforce REST API version. The default is `v65.0`. 6. Click **Create**. ### [](#configure-from-the-cli)Configure from the CLI Use [`rpk ai`](https://docs.redpanda.com/agentic-data-plane/reference/rpk/rpk-ai/rpk-ai/) to create the server with a managed config. Set exactly one auth variant. For service-account OAuth, supply the Connected App’s `clientId`, a secret-store reference for the consumer secret (`clientSecretRef`), and the token URL: ```bash rpk ai mcp create --name my-salesforce --managed-config '{ "@type": "type.googleapis.com/redpanda.mcps.salesforce.v1.SalesforceMCPConfig", "orgUrl": "https://mycompany.my.salesforce.com", "serviceAccountOauth": { "clientId": "3MVG9...", "clientSecretRef": "SALESFORCE_CLIENT_SECRET", "tokenUrl": "https://mycompany.my.salesforce.com/services/oauth2/token" } }' ``` For per-user OAuth, reference the Salesforce OAuth Provider by name. The per-user token is resolved from the token vault on each call: ```bash rpk ai mcp create --name my-salesforce --managed-config '{ "@type": "type.googleapis.com/redpanda.mcps.salesforce.v1.SalesforceMCPConfig", "orgUrl": "https://mycompany.my.salesforce.com", "userOauth": { "providerName": "salesforce" } }' ``` To pin a specific API version, add `"apiVersion": "v62.0"` to the config. The default is `v65.0`. ## [](#tool-examples)Tool examples Run a SOQL query: ```bash curl -s https://aigw..clusters.rdpa.co/mcp/v1/my-salesforce \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{ "jsonrpc": "2.0", "id": 1, "method": "tools/call", "params": { "name": "query", "arguments": { "soql": "SELECT Id, Name, Industry, AnnualRevenue FROM Account ORDER BY AnnualRevenue DESC LIMIT 10" } } }' ``` Fetch a record by ID, restricting the returned fields: ```bash curl -s https://aigw..clusters.rdpa.co/mcp/v1/my-salesforce \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{ "jsonrpc": "2.0", "id": 2, "method": "tools/call", "params": { "name": "get_record", "arguments": { "sobject": "Account", "record_id": "001xx000003GYkZAAW", "fields": "Id,Name,Industry,AnnualRevenue,BillingCity" } } }' ``` ## [](#troubleshooting)Troubleshooting | Symptom | What to check | | --- | --- | | invalid_client_credentials from OAuth (service-account mode) | Confirm the Connected App has a Run As user set and the api scope, and that you are using the Consumer Key (not the app name) as clientId. | | OAuthConnectionRequired (per-user mode) | First call from a user with no stored token. The user completes Salesforce’s OAuth consent flow, the token lands in the vault, and subsequent calls reuse it. | | INSUFFICIENT_ACCESS errors | The acting identity (the Run As user for service-account mode, or the calling user for per-user mode) lacks permission on that object or record. Grant the appropriate profile or permission set. | | INVALID_FIELD in a SOQL query | The field does not exist or field-level security hides it from the acting identity. Use describe_object to see which fields are visible. | | nextRecordsUrl rejected by query_more | The URL must start with /services/data/. Pass the exact value returned by the query response. | ## [](#next-steps)Next steps - [Configure an OAuth Provider](https://docs.redpanda.com/agentic-data-plane/connect/oauth-providers/) - [User-delegated OAuth](https://docs.redpanda.com/agentic-data-plane/connect/user-delegated-oauth/) - [Create an MCP Server](https://docs.redpanda.com/agentic-data-plane/connect/create-server/) - [Test MCP tools](https://docs.redpanda.com/agentic-data-plane/connect/test-tools/)