Connect Salesforce
Connect Salesforce to Claude Tag so it can read and update CRM records. Covers Connected App setup and the OAuth JWT bearer flow Salesforce requires.
Claude Tag is in public beta. Features and behavior described here may change before general availability.
Note: Connections are added inside an Access bundle. At claude.ai/admin-settings/claude-tag, open Access bundles in the left navigation, click into a bundle (or Create one), and go to its Credentials tab.
Connecting Salesforce lets Claude read accounts, contacts, opportunities, and cases (and write, if you grant it) from any channel under the bundle's scope. Add it as a custom credential with Connect another app, using the OAuth 2.0 JWT bearer flow; Salesforce has no preset button in the picker.
Create the credential in Salesforce
Create a Connected App configured for the JWT bearer flow, with a dedicated integration user assigned to it. Salesforce's guide is at help.salesforce.com.
You'll need from Salesforce:
- The Connected App's Consumer Key (client ID)
- The private key from the certificate you uploaded to the Connected App
- The integration user's username (the JWT subject)
- Your org's login URL (
https://login.salesforce.comfor production,https://test.salesforce.comfor sandboxes, or your My Domain)
Assign the integration user a Permission Set scoped to the objects and fields Claude should reach. Read-only is the recommended starting point.
Add the connection to a bundle
In the bundle, click Connect another app at the bottom of the Credentials tab and choose the credential type below.
| Field | Value |
|---|---|
| Credential type | OAuth 2.0 JWT bearer |
| Issuer (iss) | The Connected App's Consumer Key |
| Subject (sub, optional) | The integration user's username |
| Private key (PEM) | The private key (PEM) from your certificate |
| Token URL | https://login.salesforce.com/services/oauth2/token (or your My Domain /services/oauth2/token) |
| Allowed websites | Your Salesforce instance host (for example yourorg.my.salesforce.com) |
The Agent Proxy injects the credential at the network boundary; the model and the sandbox are not given the key. See how Agent Proxy works.
Verify the connection
In a channel under the bundle's scope, in a new thread:
@Claude list the five most recently modified Opportunities in Salesforce.
Check the integration user's login history in Salesforce Setup to confirm the call landed under that user.
Related resources
- Pull deal and account state: what this connection adds
654cfddcca07f917 · verify