Connect Salesforce to Rig
Sync your Salesforce accounts, contacts, leads, opportunities, cases and users into Rig, so your AI tools can answer pipeline and revenue questions against live CRM data. Salesforce connects server-to-server using the OAuth 2.0 Client Credentials flow, so it keeps working without per-user logins or staff turnover breaking it.
Before you start
- You need Salesforce admin access to create the app.
- Ideally use a dedicated integration user, preferably one with the API Only User permission, with read access to the objects you want Rig to see. The integration runs as that user, so its permissions are exactly what Rig can read.
- By the end you'll have three values to paste into Rig: an Instance URL, a Consumer Key and a Consumer Secret.
Step 1: Create an app with the Client Credentials flow
Connected Apps vs External Client Apps
Salesforce restricted creating new Connected Apps in Spring '26. New orgs create an External Client App instead. The end result is identical: a Consumer Key and Secret you paste into Rig. Use whichever path your org offers.
External Client App (recommended)
- In Salesforce, go to Setup, type External in Quick Find, and open External Client App Manager. Click New External Client App.
- Enter a name (e.g. "Rig"), an API name, and a contact email.
- Under API (Enable OAuth Settings), select Enable OAuth.
- Callback URL: the Client Credentials flow never uses a redirect, but the field is required. Enter any valid HTTPS URL, e.g. https://login.salesforce.com/services/oauth2/callback.
- For OAuth Scopes, add Manage user data via APIs (api).
- Under Flow Enablement, enable the Client Credentials Flow and accept the security warning.
- Click Create.
- Back in External Client App Manager, open the app's actions menu and choose Edit Policies. Under Client Credentials Flow, set Run As to your integration user, then Save. The field wants the user's Salesforce username, not their email — they often differ. If you get "Enter a valid execution user", copy the exact value from the Username column in Setup → Users.
- From the app's actions menu choose Edit Settings, open OAuth Settings, and copy the Consumer Key and Consumer Secret.
Connected App (legacy / existing apps)
- Setup → App Manager → New Connected App.
- Enable OAuth settings, add the Manage user data via APIs (api) scope, tick Enable Client Credentials Flow, and save.
- On the app, click Manage → Edit Policies, and under Client Credentials Flow set the Run As user.
- Back on the app, open Manage Consumer Details and copy the Consumer Key and Consumer Secret.
Step 2: Grant the integration user object access
The integration runs as the Run As user, so Rig can only read the objects and fields that user is allowed to see. This step is easy to miss and is the most common reason a connection authenticates but returns nothing.
⚠️ Integration users start with no object access
A user on a Salesforce Integration license (and most minimal profiles) has no access to standard objects by default. If the Run As user can't read an object, Rig shows "Object not accessible to the integration user" and Salesforce returns sObject type 'Account' is not supported (INVALID_TYPE). The fix is always to grant that object via a permission set below.
- In Setup, type Permission Sets in Quick Find and open it. Click New to create one (e.g. "Rig Read Access"). The License dropdown matters and can't be changed after creation:
  - Run As user on a regular Salesforce license → leave it at --None--.
  - Run As user on the free Salesforce Integration license (the usual choice for a dedicated integration user) → pick Salesforce API Integration. Careful: the dropdown also contains Salesforce Integration — a different entry, one word apart. Only the one with API in the middle unlocks CRM objects.
- If the integration user's profile doesn't already include API access (minimal profiles like Minimum Access - Salesforce don't), open System Permissions in the permission set, click Edit, and tick API Enabled. Without it, every call fails with API_CURRENTLY_DISABLED ("API is disabled for this User") before object permissions are even checked.
- Go to Object Settings (or type the object name into the Find Settings... box at the top of the permission set), and for each object you want to sync — Account, Contact, Lead, Opportunity, Case, User — click Edit and enable Read (and View All if you want every record, not just the user's own). Access is granted per object: any object you skip keeps failing with INVALID_TYPE even while the others work. Two traps here: if Accounts, Contacts etc. don't appear in the list at all, the permission set was created with the wrong license — Salesforce hides objects the license can't grant; recreate it with the right one (previous step). And grant the plain standard objects, not similarly-named custom ones — an API name ending in __c (e.g. "Account Products" / Account_Product__c) is a custom object, not the Accounts Rig reads.
- While you're in each object's settings, make sure the fields you care about have Read Access — field-level security can hide individual columns even when the object is granted. A missing field fails the whole query with INVALID_FIELD and shows in Rig as "Field not accessible to the integration user" (on the User object, ProfileId is a common culprit).
- Go to Manage Assignments → Add Assignment, tick your Run As integration user, keep No expiration date, and click Assign. The permission set does nothing until this step.
Permission changes take effect on the next token, so you can re-run Test in Rig immediately — no need to touch the app or rotate credentials.
Salesforce Integration license users: the two-part unlock
On the free Salesforce Integration license, CRM object access needs two things, and both must be in place before any grant takes effect: (1) the Salesforce API Integration permission set license assigned to the user (user's detail page → Permission Set License Assignments → Edit Assignments), and (2) the permission set itself created with License = Salesforce API Integration. A permission set on --None-- or the Salesforce Integration user license either refuses assignment ("user license doesn't match") or silently hides the CRM objects from Object Settings. Once both are right, grants apply on the next token — no app changes needed.
Step 3: Find your instance URL
In Setup, open My Domain and copy your My Domain URL, for example https://acme.my.salesforce.com. Sandboxes look like https://acme--sandbox.sandbox.my.salesforce.com.
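A pre-flight check for the three values before they go into Rig, added here as an example (not Rig's or Salesforce's own code): it refuses to send the Consumer Secret anywhere but an HTTPS My Domain host of the two forms shown above, mints a Client Credentials token, and maps the error codes from Step 2 to the fix this page gives. The API version, the function names and the one-row Id query are assumptions; the query tests object access only, not field-level security.

```python
import json
from urllib import error, parse, request

API = "v59.0"  # assumed REST API version; use one your org supports
OBJECTS = ["Account", "Contact", "Lead", "Opportunity", "Case", "User"]
# Error codes named in Step 2, mapped to the fix this page gives for each.
FIXES = {
    "API_CURRENTLY_DISABLED": "tick API Enabled under System Permissions",
    "INVALID_TYPE": "grant Read on the object and assign the permission set",
    "INVALID_FIELD": "give the field Read Access (field-level security)",
}

def check_instance_url(url):
    """Return the origin, or raise before the secret goes to a wrong host."""
    parts = parse.urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host.endswith(".my.salesforce.com"):
        raise ValueError(f"not an HTTPS My Domain URL: {url!r}")
    return f"https://{host}"

def diagnose(status, body):
    """Map one REST response to (ok, advice) using the Step 2 error codes."""
    if status == 200:
        return True, "readable"
    try:
        code = json.loads(body)[0]["errorCode"]
    except (ValueError, LookupError, TypeError):
        return False, f"HTTP {status}: unrecognised response"
    return False, f"{code}: {FIXES.get(code, 'not covered by this page')}"

def call(url, form=None, token=None):  # POST a form, or GET with a bearer token
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    data = parse.urlencode(form).encode() if form else None
    try:
        with request.urlopen(request.Request(url, data, headers)) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as exc:
        return exc.code, exc.read().decode()

def probe(instance_url, consumer_key, consumer_secret):
    """Mint a token, then try to read one Id from each object Rig syncs."""
    base = check_instance_url(instance_url)
    form = {"grant_type": "client_credentials",
            "client_id": consumer_key, "client_secret": consumer_secret}
    status, body = call(f"{base}/services/oauth2/token", form)
    if status != 200:
        return {"token": (False, f"HTTP {status}: token request refused")}
    token = json.loads(body)["access_token"]
    query = f"{base}/services/data/{API}/query?q=SELECT+Id+FROM+{{}}+LIMIT+1"
    return {o: diagnose(*call(query.format(o), token=token)) for o in OBJECTS}
```

Call probe() with the secret read from an environment variable or a secrets manager rather than typed on the command line, where it would land in shell history.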
Step 4: Connect it in Rig
- In Rig, open Connections in the left sidebar and go to the Sources step.
- Search for Salesforce (it's under CRM, marked OAuth) and click its card.
- Instance URL: paste your My Domain URL.
- Connected App Consumer Key: paste the Consumer Key.
- Connected App Consumer Secret: paste the Consumer Secret.
- Click Continue, then Test to pull a small sample, then Sync to run the full pipeline.
What Rig pulls in
Salesforce lands in its own salesforce schema, with the standard fields for each object:
- Accounts, Contacts and Leads
- Opportunities: stage, amount, close date, forecast category
- Cases
- Users
Good to know
- Rig reads only what the Run As user can see. Give that user least-privilege, read-only access to the objects you want to sync.
- Anyone with the Consumer Key and Secret can mint access tokens. Rotate the secret periodically, and immediately if it leaks.
- Make sure you copy the production My Domain URL (or the matching sandbox URL) for the org whose data you want.
- You can disconnect Salesforce at any time from Connections → Sources.