If you’re building an application that connects to Salesforce, one easy way to do that is to have a consumer key and secret for your API user. The app can then use the user id, password, consumer key, and consumer secret to connect without having to trigger a login / authorization flow.

The process of getting your key and secret, however, is a bit byzantine. Here’s how you go about doing this.

First, in Setup, find the App Manager and then click on New Connected App:

On the page that opens, fill in your application’s name, tab through the API Name, enter your email address, and then click Enable OAuth Settings:

When you click that box, a new section will open up in the UI. Scroll to bring the section into view:

Enter a Callback URL; if you don’t have one, no worries, just enter some URL here. It won’t be used.

Next, copy the necessary OAuth Scopes over to the selected box or, if you’re not sure, just copy over Full access. It’s best if you make a mad scientist laugh when you do that.

After that, turn off “Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows”.

Finally, down a bit, there’s a checkbox labels Enable Client Credential Flow. Check it. A scary pop-up will appear, click OK:

After you click OK, scroll to the top or bottom of the page and click “Save”. Click “Continue” on the next page:

Next, click on “Manage Consumer Details”:

You’ll come to a screen that looks like this:

And you’ll get an email like this:

Enter the code, and like Neo, you will be ejected from the Matrix and find yourself in …. Salesforce Classic:

And there they are, your key and secret. Copy them someplace safe.

There’s one last step, however. Go back to “Manage Apps” and drill into your app. Make sure “Permitted Users” is set to “All users may self-authorize”.

As of Summer ‘23, there is one more step:

Make sure “Allow OAuth User-Password Flows” is enabled in “OAuth and OpenID Connect Settings”.