DEV Community: Conor The latest articles on DEV Community by Conor (@conor_61d358cde152bb5800a). https://dev.to/conor_61d358cde152bb5800a https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3890612%2Fc2dd7522-9d3a-410f-b432-35c12fcd89ec.png DEV Community: Conor https://dev.to/conor_61d358cde152bb5800a en Salesforce Headless! All agents, all access. Conor Tue, 21 Apr 2026 22:30:34 +0000 https://dev.to/conor_61d358cde152bb5800a/salesforce-headless-all-agents-all-access-19ka https://dev.to/conor_61d358cde152bb5800a/salesforce-headless-all-agents-all-access-19ka <p>Salesforce just flipped a switch at TDX 2026 that matters more than most announcements in recent memory: your Salesforce org is now an MCP server. Every Developer Edition org ships with Salesforce Hosted MCP Servers at no cost, and any MCP-compatible AI agent — Claude, Claude Code, Cursor, Codex, Windsurf — can now read data, trigger flows, run SOQL, and invoke Apex directly, with no browser involved.</p> <p>This post walks through exactly how to wire that up: OAuth config, MCP connection, and what you can actually do once you're in.</p> <h2> What Headless 360 Actually Changes </h2> <p>Before Headless 360, connecting an external agent to Salesforce meant either writing your own connected app + REST adapter or cobbling together a third-party library. The platform wasn't designed to be consumed by agents; it was designed for humans clicking through tabs.</p> <p>Headless 360 reframes the whole stack. Salesforce now exposes 60+ MCP tools covering:</p> <ul> <li> <strong>Data operations</strong>: query records, create, update, upsert, delete (any standard or custom object)</li> <li> <strong>Automation</strong>: invoke named Flows, trigger Process Builder actions, run Apex methods via REST</li> <li> <strong>Reporting</strong>: execute saved reports and return structured data</li> <li> <strong>Agentforce</strong>: start and resume Agentforce sessions, pass context, read session traces</li> <li> <strong>Metadata</strong>: describe objects, list picklist values, read field metadata</li> </ul> <p>The underlying transport is <a href="https://spec.modelcontextprotocol.io/specification/" rel="noopener noreferrer">Model Context Protocol</a> — JSON-RPC 2.0 over SSE or HTTP.<sup id="fnref1">1</sup> Your agent calls a tool (<code>salesforce_query</code>, <code>salesforce_run_flow</code>, etc.) and Salesforce executes it under the user's OAuth token.</p> <h2> Step 1: Create an External Client App in Salesforce Setup </h2> <p>Navigate to <strong>Setup → External Client Apps → New</strong>.<sup id="fnref2">2</sup> You're creating an OAuth 2.0 client that your AI agent will use (claude for example).</p> <p>Key settings:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>App Name</td> <td> <code>MCP Agent</code> (or whatever labels your use case)</td> </tr> <tr> <td>API Name</td> <td><code>MCP_Agent</code></td> </tr> <tr> <td>OAuth Flow</td> <td>Authorization Code and Credentials</td> </tr> <tr> <td>Callback URL</td> <td> <code>https://claude.ai/oauth/callback</code> (for Claude Desktop) or <code>http://localhost:7878/callback</code> (for Claude Code / local agents)</td> </tr> <tr> <td>Selected OAuth Scopes</td> <td> <code>api</code>, <code>refresh_token</code>, <code>sfap_api</code>, <code>einstein_gpt_api</code> </td> </tr> </tbody> </table></div> <p>The <code>sfap_api</code> scope unlocks Salesforce API Platform — required for Agentforce features.<sup id="fnref3">3</sup> Without it, the hosted MCP server returns 403s on agent-related tools. The <code>einstein_gpt_api</code> scope is needed if you're routing through Einstein or hitting Prompt Builder endpoints.</p> <p>Save and copy the <strong>Consumer Key</strong>. You'll need it in the next step.</p> <h2> Step 2: Locate Your Org's MCP Server URL </h2> <p>Every org's hosted MCP server endpoint follows this pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://&lt;my-domain&gt;.my.salesforce.com/mcp/v1 </code></pre> </div> <p>Where <code>&lt;my-domain&gt;</code> is your org's My Domain name.<sup id="fnref4">4</sup> You can confirm it under <strong>Setup → My Domain</strong>.</p> <p>For a scratch org or Developer Edition org, it looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://myorgname-dev-ed.develop.my.salesforce.com/mcp/v1 </code></pre> </div> <h2> Step 3: Configure Your AI Client </h2> <h3> Claude Desktop </h3> <p>Add this block to <code>~/Library/Application Support/Claude/claude_desktop_config.json</code> (macOS) or <code>%APPDATA%\Claude\claude_desktop_config.json</code> (Windows):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"salesforce"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"oauth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://myorgname-dev-ed.develop.my.salesforce.com/mcp/v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"oauth"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"clientId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_CONSUMER_KEY_HERE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"authorizationUrl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://login.salesforce.com/services/oauth2/authorize"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tokenUrl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://login.salesforce.com/services/oauth2/token"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scopes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"api"</span><span class="p">,</span><span class="w"> </span><span class="s2">"refresh_token"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sfap_api"</span><span class="p">,</span><span class="w"> </span><span class="s2">"einstein_gpt_api"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Restart Claude Desktop, click the plug icon, and you'll be prompted to authorize against your org. After that, the <code>salesforce</code> server appears in the tools panel.</p> <h3> Claude Code (CLI) </h3> <p>In your project root, create or update <code>.mcp.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"salesforce"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"oauth"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://myorgname-dev-ed.develop.my.salesforce.com/mcp/v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"oauth"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"clientId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"YOUR_CONSUMER_KEY_HERE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"authorizationUrl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://login.salesforce.com/services/oauth2/authorize"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tokenUrl"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://login.salesforce.com/services/oauth2/token"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scopes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"api"</span><span class="p">,</span><span class="w"> </span><span class="s2">"refresh_token"</span><span class="p">,</span><span class="w"> </span><span class="s2">"sfap_api"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Then run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>claude mcp auth salesforce </code></pre> </div> <p>Claude Code opens a browser tab, you authenticate, and the token is stored locally. Subsequent runs reuse the refresh token.</p> <h3> Cursor / Windsurf / Other MCP Clients </h3> <p>These clients follow the same JSON format — they read a config file (usually <code>mcp.json</code> or similar) and handle the OAuth flow on first connect. Consult your client's docs for the exact config file location.</p> <h2> Step 4: What You Can Do With It </h2> <p>Once connected, here's a taste of what's now available to your agent without writing any integration code:</p> <h3> SOQL Query </h3> <p>The agent can call <code>salesforce_query</code> with a SOQL string:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">Id</span><span class="p">,</span> <span class="n">Name</span><span class="p">,</span> <span class="n">StageName</span><span class="p">,</span> <span class="n">Amount</span><span class="p">,</span> <span class="n">CloseDate</span> <span class="k">FROM</span> <span class="n">Opportunity</span> <span class="k">WHERE</span> <span class="n">StageName</span> <span class="o">=</span> <span class="s1">'Negotiation/Review'</span> <span class="k">AND</span> <span class="n">CloseDate</span> <span class="o">=</span> <span class="n">THIS_QUARTER</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">Amount</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">20</span> </code></pre> </div> <p>Results come back as structured JSON. Your agent can reason over them, generate follow-up queries, or feed them into another tool.</p> <h3> Trigger a Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"tool"</span><span class="p">:</span><span class="w"> </span><span class="s2">"salesforce_run_flow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"parameters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"flowApiName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Case_Escalation_Auto_Assign"</span><span class="p">,</span><span class="w"> </span><span class="nl">"inputs"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"caseId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"5001R00000EXAMPLE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"escalationReason"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SLA breach detected by monitoring agent"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The MCP server runs the Flow in the context of the authenticated user and returns output variables.<sup id="fnref5">5</sup></p> <h3> Invoke Apex via REST </h3> <p>If you've exposed an Apex class as a REST resource, the agent can call it directly:<sup id="fnref6">6</sup><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight apex"><code><span class="nd">@RestResource(</span><span class="n">urlMapping</span><span class="o">=</span><span class="s1">'</span><span class="s2">/agent/summarize-account/*'</span><span class="p">)</span> <span class="kd">global</span> <span class="kd">class</span> <span class="nc">AccountSummaryResource</span> <span class="p">{</span> <span class="nd">@HttpGet</span> <span class="kd">global</span> <span class="kd">static</span> <span class="n">Map</span><span class="o">&lt;</span><span class="n">String</span><span class="p">,</span> <span class="n">Object</span><span class="o">&gt;</span> <span class="nf">summarize</span><span class="p">()</span> <span class="p">{</span> <span class="n">String</span> <span class="n">accountId</span> <span class="o">=</span> <span class="n">RestContext</span><span class="o">.</span><span class="py">request</span><span class="o">.</span><span class="py">requestURI</span><span class="o">.</span><span class="nf">substringAfterLast</span><span class="p">(</span><span class="s1">'</span><span class="s2">/'</span><span class="p">);</span> <span class="n">Account</span> <span class="n">acct</span> <span class="o">=</span> <span class="p">[</span><span class="k">SELECT</span> <span class="n">Id</span><span class="p">,</span> <span class="n">Name</span><span class="p">,</span> <span class="n">Industry</span><span class="p">,</span> <span class="n">AnnualRevenue</span><span class="p">,</span> <span class="p">(</span><span class="k">SELECT</span> <span class="n">Id</span><span class="p">,</span> <span class="n">Name</span><span class="p">,</span> <span class="n">Status</span> <span class="k">FROM</span> <span class="n">Cases</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">CreatedDate</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">5</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">Account</span> <span class="k">WHERE</span> <span class="n">Id</span> <span class="o">=</span> <span class="p">:</span><span class="n">accountId</span> <span class="k">LIMIT</span> <span class="mi">1</span><span class="p">];</span> <span class="k">return</span> <span class="k">new</span> <span class="n">Map</span><span class="o">&lt;</span><span class="n">String</span><span class="p">,</span> <span class="n">Object</span><span class="o">&gt;</span><span class="p">{</span> <span class="s1">'</span><span class="s2">accountName'</span> <span class="o">=&gt;</span> <span class="n">acct</span><span class="o">.</span><span class="py">Name</span><span class="p">,</span> <span class="s1">'</span><span class="s2">industry'</span> <span class="o">=&gt;</span> <span class="n">acct</span><span class="o">.</span><span class="py">Industry</span><span class="p">,</span> <span class="s1">'</span><span class="s2">annualRevenue'</span> <span class="o">=&gt;</span> <span class="n">acct</span><span class="o">.</span><span class="py">AnnualRevenue</span><span class="p">,</span> <span class="s1">'</span><span class="s2">recentCases'</span> <span class="o">=&gt;</span> <span class="n">acct</span><span class="o">.</span><span class="py">Cases</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The agent calls this via <code>salesforce_apexRest</code> with the endpoint path and method. Your Apex runs server-side with full platform access.</p> <h2> Scope Gotchas and Common Issues </h2> <p><strong><code>sfap_api</code> scope isn't showing in your External Client App?</strong> It's only available if Agentforce is provisioned in your org.<sup id="fnref3">3</sup> Developer Edition orgs now include this by default post-TDX; sandbox orgs tied to Enterprise Edition may need Agentforce licensing enabled first.</p> <p><strong>Token expiry</strong>: Salesforce access tokens expire after the session timeout configured in your org (default 2 hours).<sup id="fnref7">7</sup> The <code>refresh_token</code> scope handles silent renewal, but if you've set a stricter session policy, agents will hit 401s mid-session. Check <strong>Setup → Session Settings → Force relogin after</strong> and set it to <code>None</code> for agent-facing External Client Apps.</p> <p><strong>IP restrictions</strong>: If your org uses Login IP Ranges on the profile, agent requests coming from cloud-hosted AI services will fail. Either relax IP restrictions on the profile assigned to the External Client App, or use a dedicated Integration profile with no IP range restrictions.</p> <p><strong>Read-only vs. read-write</strong>: You control what the MCP server can do by scoping the connected user's profile and permission sets. Run agents as a dedicated integration user with only the object-level permissions they need.</p> <h2> Where to Start </h2> <ol> <li> <strong>Spin up a Developer Edition org</strong> — post-TDX, every new DE org comes with Hosted MCP Servers pre-enabled at no cost.</li> <li> <strong>Create your External Client App</strong> with the scopes above and wire it to Claude Desktop or Claude Code using the config shown here.[2]</li> <li> <strong>Start with read-only queries</strong> — verify the connection works by asking your agent to pull 10 open Opportunities.</li> <li> <strong>Layer in Flow invocation</strong> — pick a simple, well-tested Flow and let the agent trigger it from a natural language request.<sup id="fnref5">5</sup> </li> <li> <strong>Add custom Apex REST endpoints</strong> for anything the 60+ built-in MCP tools don't cover — your business logic, your custom objects, your integration patterns.<sup id="fnref6">6</sup> </li> </ol> <p>Headless 360 is the most architecturally significant thing Salesforce has shipped for developers in years. The platform is finally designed to be consumed by code — and agents — and not just browsers.</p> <ol> <li id="fn1"> <p><a href="https://spec.modelcontextprotocol.io/specification/" rel="noopener noreferrer">Model Context Protocol specification</a> — Official MCP spec. ↩</p> </li> <li id="fn2"> <p><a href="https://help.salesforce.com/s/articleView?id=sf.external_client_apps_overview.htm&amp;type=5" rel="noopener noreferrer">External Client Apps overview</a> — Salesforce Help. ↩</p> </li> <li id="fn3"> <p><a href="https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_scopes.htm&amp;type=5" rel="noopener noreferrer">OAuth scopes reference</a> — Salesforce Help. ↩</p> </li> <li id="fn4"> <p><a href="https://help.salesforce.com/s/articleView?id=sf.domain_name_overview.htm&amp;type=5" rel="noopener noreferrer">My Domain overview</a> — Salesforce Help. ↩</p> </li> <li id="fn5"> <p><a href="https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/resources_process_rules.htm" rel="noopener noreferrer">Invoke a Flow via REST</a> — Salesforce REST API Dev Guide. ↩</p> </li> <li id="fn6"> <p><a href="https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_rest.htm" rel="noopener noreferrer">Apex REST web services</a> — Salesforce Apex Dev Guide. ↩</p> </li> <li id="fn7"> <p><a href="https://help.salesforce.com/s/articleView?id=sf.security_networkaccess.htm&amp;type=5" rel="noopener noreferrer">Session security settings</a> - Salesforce Help. ↩</p> </li> </ol> salesforce agentforce ai mcp