External Client App is the new Connected App

As part of the Summer ’24 improvements, External Client Apps, the “Connected App v2”, now have a frontend for creating them and support more OAuth flows. They were designed to improve security and resolve the cumbersome packaging and distribution issues that affect connected apps. In Salesforce’s own words, External Client Apps are the new generation of connected apps. They allow for a better security model along with the ability to be packaged as second-generation (2GP) packages. External client apps provide single sign-on (SSO) and use OAuth protocols to authorize third-party apps. There is better separation between user roles such as developers and admins, and better configuration management between developers and subscribers of the app.

The Summer ’24 release brings headless login, passwordless login, and guest user flows using the Authorization Code and Credentials Flow. You can also configure an external client app to issue JSON Web Token (JWT)-based access tokens. As you can see, the external client apps framework, a new and improved generation of connected apps, is catching up to connected apps fast.


As of June 2024, here are the key differences between Connected Apps and External Client Apps:

| Feature | Connected Apps | External Client Apps |
| --- | --- | --- |
| 2GP Packaging | Restricted (1) | Available |
| 1GP Packaging | Available | Not available |
| Distribution state management | Not available | Available |
| Distinct developer and admin user roles | Not available | Available |
| Subscriber association and disassociation | Not available | Available |
| Salesforce Setup UI | Available | Available |
| Metadata API | Restricted (2) | Available |
| OAuth 2.0 | Available | Restricted (3) |
| SAML | Available | Not available |
| OpenID Connect | Available | Available |
| OAuth consumer key and consumer secret rotation | Available | Restricted (4) |
| API for OAuth consumer key and consumer secret rotation | Not available | Available |
| Trusted IP Range for OAuth Web Server Flow | Available | Available |
| Sandbox copy | Available | Available (5) |
| API access control | Available | Not needed (6) |
| Custom attribute creation | Available | Available |
| Audit support | Available | Available |
| Logging support | Available | Available |
| Start URL management | Available | Not available |
| OAuth access policy management | Available | Available |
| IP relaxation | Available | Available |
| Session policy management | Available | Available |
| Mobile policy management | Available | Not available |
| Custom handler management | Available | Not available |
| User provisioning | Available | Not available |
| OAuth usage management | Available | Restricted (7) |
| Profile management | Available | Not available |
| Permission set management | Available | Available |
| Data access management (OAuth) | Available | Not available |
| Canvas | Available | Not available |
| Notifications | Available | Not available |



In order to enable External Client App capability, go to:

Setup->Apps->External Client Apps->Settings:

[Screenshot: External Client App]


Once you do that, refresh the screen and you should see another option called “External Client App Manager”, which is also shown in the screenshot above. Click “External Client App Manager” and select the button that says “New External Client App”.




If you open the API tree, you will see settings similar to those in connected apps. Note the “Distribution State” dropdown above. External client apps can be local or packageable. Local apps are developed and used in a single Salesforce org. Packageable apps are packaged with second-generation (2GP) managed packaging and distributed to subscriber orgs. Local external client apps aren’t copied to a new sandbox when you clone or refresh a sandbox. Only packaged external client apps are copied to the sandbox.

[Screenshot: OAuth Settings]


Upon creation of your External Client App, you are taken to the following screen, which in my personal opinion has a much better UI. There are three tabs that clearly let you see a breakdown of the app in fewer clicks.



For the most part, the setup and administration of these should be similar to the existing connected apps functionality. To see OAuth usage, you will need to call a REST endpoint, whereas for connected apps it is available in the UI. Please see: External Client App OAuth Usage (salesforce.com).

My recommendation would be to take a look at External Client Apps if you are keen on improving security and your org is heavily invested in unlocked or second-generation (2GP) packaging. New capabilities are coming to External Client Apps; however, at present there is not parity between the two. For example, a few features available for connected apps aren’t ready for external client apps. The external client app OAuth features that are still in development include dynamic client registration. So, pick the option that makes sense based on the feature set and your needs. I hope this has been useful in your understanding of External Client Apps.





