Does it support PKCE for mobile and public clients?

Yes, enabling PKCE (Proof Key for Code Exchange) is a core part of its security validation and configuration templates for public clients.

How does the 120-point scoring system work?

It evaluates apps across Security, OAuth Configuration, Metadata Compliance, Best Practices, Scopes, and Documentation to ensure your configurations meet production-grade quality.

Can this skill deploy apps directly to Salesforce?

Yes, it is designed to integrate with deployment tools like sf-devops-architect to handle dry-runs and deployments to target Salesforce environments.

Which OAuth flows are supported by this skill?

It supports a wide range of flows including Web Server (Authorization Code), User-Agent, JWT Bearer, Device Authorization, and Refresh Token rotation.

What is the difference between Connected Apps and External Client Apps?

Connected Apps are the traditional integration model, while External Client Apps (ECAs) offer modern security, better metadata compliance, and native packaging support (2GP) for ISVs.

Salesforce Connected Apps & Security Architect

Name: Salesforce Connected Apps & Security Architect
Author: Jaganpro

byJaganpro

•

Security & Testing

Automates the creation, management, and security validation of Salesforce Connected Apps and External Client Apps with specialized OAuth configurations.

About

This skill provides a specialized framework for Salesforce developers to architect secure integrations using Connected Apps and the modern External Client App (ECA) model. It handles complex OAuth 2.0 configurations—including JWT bearer and PKCE—while enforcing high security standards through a proprietary 120-point scoring system. Whether migrating legacy apps or setting up new CI/CD pipelines, it ensures metadata compliance and follows Salesforce's latest security best practices for API access management.

Key Features

Intelligent decision matrix for selecting between Connected Apps and ECAs
8 GitHub stars
Security validation with a 120-point scoring system across six critical categories
Automated generation of Connected Apps and External Client Apps (ECA) metadata
Advanced OAuth 2.0 configuration for JWT, Web Server, and Refresh Token flows
Migration guidance for moving legacy configurations to the modern ECA model

Use Cases

Auditing existing Salesforce app configurations for security risks like wildcard callbacks or over-privileged scopes
Migrating legacy Connected Apps to External Client Apps for improved packaging and secret management
Configuring secure JWT Bearer authentication for CI/CD pipelines and server-to-server integrations

About

Key Features

Intelligent decision matrix for selecting between Connected Apps and ECAs
8 GitHub stars
Security validation with a 120-point scoring system across six critical categories
Automated generation of Connected Apps and External Client Apps (ECA) metadata
Advanced OAuth 2.0 configuration for JWT, Web Server, and Refresh Token flows
Migration guidance for moving legacy configurations to the modern ECA model

Use Cases

Auditing existing Salesforce app configurations for security risks like wildcard callbacks or over-privileged scopes
Migrating legacy Connected Apps to External Client Apps for improved packaging and secret management
Configuring secure JWT Bearer authentication for CI/CD pipelines and server-to-server integrations