Salesforce

The Fastest Way: HeraClaw Cloud ⚡

Skip the Salesforce Connected App setup, OAuth 2.0 configuration, and security token management. HeraClaw Cloud comes with Salesforce integration pre-configured and ready to use in 60 seconds.

Why HeraClaw Cloud for Salesforce?

✅ Ready in 60 seconds - No Connected App creation, no OAuth flows, no security token headaches ✅ Pre-configured authentication - Works immediately after Salesforce authorization ✅ Always updated - We handle Salesforce API changes and version updates automatically ✅ Professional support - If anything breaks, we fix it for you ✅ Secure by default - Enterprise-grade security, SOC 2 compliant infrastructure ✅ Zero maintenance - No sandbox testing, no API version migrations, no certificate renewals ✅ Multi-org support - Connect multiple Salesforce orgs (production, sandbox, developer) instantly

How it works:

1. Sign up at cloud.getopenclaw.ai (takes 60 seconds)
2. Go to Integrations → Salesforce
3. Click 'Connect to Salesforce'
4. Authorize our app for your Salesforce org
5. Done! Start querying your CRM data with AI

Get Started: Start with HeraClaw Cloud →

Complete Guide to OpenClaw + Salesforce

Salesforce is the world's #1 CRM platform, powering sales, service, and marketing teams at over 150,000 companies worldwide. From Fortune 500 enterprises to high-growth startups, Salesforce is where customer relationships live. OpenClaw's Salesforce integration brings powerful AI assistance directly into your CRM workflow, eliminating data silos and making customer intelligence available exactly when you need it.

Whether you're running Sales Cloud, Service Cloud, Marketing Cloud, or a custom Salesforce implementation, this integration transforms how your team accesses and acts on customer data. No more switching between tools, no SQL queries, no report building - just ask questions in natural language and get instant, intelligent answers.

Why Use Salesforce with OpenClaw?

Salesforce's robust API architecture and comprehensive data model make it one of the most powerful platforms for AI-powered workflows. Here's why the OpenClaw + Salesforce combination is transformative:

1. Natural Language CRM Queries

Salesforce's interface is powerful but complex. Reports, dashboards, and SOQL queries require training and time. OpenClaw eliminates this friction:

Traditional Salesforce:

• Build a report (5-10 minutes)
• Export to Excel for analysis
• Share with team via email
• Repeat when data changes

With OpenClaw:

Q: "Show me all opportunities closing this quarter over $50K"A: *Returns live data in seconds with deal details, owners, and close probability*Q: "Which accounts haven't been contacted in 30 days?"A: *Identifies at-risk accounts with last touch date and owner*Q: "What's our win rate by industry this year?"A: *Calculates and visualizes win rates across verticals*

No report builder. No formulas. Just natural questions and instant answers.

2. Enterprise-Grade Security and Compliance

Salesforce is built for enterprise security, and OpenClaw respects every permission:

• Profile-based access: Users only see data they have permission to view
• Field-level security: Sensitive fields (SSN, salary) remain hidden if user lacks access
• Sharing rules: Territory, role, and manual sharing all respected
• Object permissions: If you can't see Opportunities in Salesforce, you can't query them via OpenClaw
• Audit trail: Every query logged in Salesforce Setup Audit Trail
• IP restrictions: Honors Login IP Ranges and network access rules
• MFA compliance: Requires multi-factor authentication if your org enforces it

This makes it perfect for enterprises with strict compliance requirements (HIPAA, SOC 2, GDPR). Your admins control exactly what data the AI can access.

3. Real-Time Data Access Across All Objects

Salesforce stores everything - standard objects (Leads, Contacts, Accounts, Opportunities, Cases) and custom objects. OpenClaw can query it all:

Standard Objects:

• Leads: Qualification status, source, conversion metrics
• Accounts: Company info, industry, revenue, ownership
• Contacts: Decision makers, roles, engagement history
• Opportunities: Pipeline, stages, amounts, close dates
• Cases: Support tickets, resolution times, customer issues
• Tasks & Events: Activities, meetings, follow-ups
• Campaigns: Marketing attribution, ROI, member status

Custom Objects:

• Products: Inventory, SKUs, pricing, availability
• Contracts: Terms, renewals, compliance tracking
• Assets: Customer equipment, serial numbers, warranties
• Projects: Implementation status, milestones, resources
• Partners: Channel relationships, deal registration

Example: "Show me all Enterprise accounts in California with open support cases and opportunities closing this month" - OpenClaw joins Accounts, Cases, and Opportunities in one query.

4. Intelligent Context Understanding

OpenClaw understands Salesforce business logic and terminology:

• Stage progression: Knows "Closed Won" is different from "Negotiation"
• Lead status: Understands "Qualified" vs "Unqualified" vs "Converted"
• Record types: Differentiates between "New Business" and "Renewal" opportunities
• Relationship fields: Follows lookup and master-detail relationships automatically
• Formula fields: Reads calculated fields like "Days to Close" or "Opportunity Score"
• Roll-up summaries: Accesses aggregated child data on parent records

You ask business questions, not technical questions. "Show me our pipeline" automatically knows to query Opportunities where IsClosed = false.

5. Multi-Cloud and Multi-Org Support

Enterprises often run multiple Salesforce instances:

• Production org: Live customer data
• Sandbox orgs: UAT, development, testing environments
• Multiple business units: Separate orgs per region/division
• Acquired companies: Legacy Salesforce instances not yet migrated

OpenClaw connects to all of them:

• Query across orgs: "Compare pipeline in US org vs EMEA org"
• Sandbox testing: Test queries in sandbox before running on production
• Unified view: Aggregate metrics across multiple Salesforce instances
• Per-org permissions: Different access levels per Salesforce org

6. Advanced Query Capabilities

Beyond simple queries, OpenClaw handles complex Salesforce operations:

Aggregations:

• "What's our total pipeline by sales rep?"
• "Average deal size by industry"
• "Sum of all open cases by product line"

Time-based queries:

• "Opportunities created last week"
• "Accounts added in Q1"
• "Cases closed this month"

Filtering and sorting:

• "Top 10 accounts by revenue"
• "Leads from webinars, sorted by score"
• "Opportunities over $100K, stage = Proposal"

Related data:

• "Show account details AND related contacts for Acme Corp"
• "All opportunities for accounts in the Enterprise segment"
• "Cases associated with opportunities closing this quarter"

7. Einstein AI Integration

For Salesforce orgs with Einstein AI, OpenClaw can:

• Query Einstein Opportunity Scores
• Access Einstein Lead Scoring predictions
• Retrieve Einstein Activity Capture insights
• Read Einstein Analytics (Tableau CRM) datasets
• Analyze Einstein Conversation Insights data

Example: "Show me opportunities with Einstein score > 70 and no activity in 2 weeks" - combines AI predictions with activity data to identify hot leads going cold.

8. Workflow Automation and Data Updates

Beyond read-only queries, OpenClaw can update Salesforce data:

Create records:

• "Create a lead for John Smith at Acme Corp, title CEO, source = Referral"
• "Log a task to follow up with Sarah next Tuesday"
• "Create a case for Account ABC about login issues, priority High"

Update records:

• "Change opportunity XYZ stage to Closed Won"
• "Update lead status to Qualified for all leads from last week's webinar"
• "Add tag 'VIP' to all accounts with revenue > $1M"

Delete records:

• "Delete test leads created today"
• "Remove duplicate contacts with no activity"

All updates respect field-level security, validation rules, and workflow automation. If a human can't do it, OpenClaw can't either.

Real-World Use Cases

1. Sales Rep: Quick CRM Lookups During Calls

Scenario: Your sales reps are on Zoom calls with prospects and customers. They need instant access to account history, opportunity status, and customer context without putting prospects on hold to search Salesforce.

How OpenClaw helps:

Integrate OpenClaw with Slack or Microsoft Teams:

• Pre-call prep: "@OpenClaw give me background on Acme Corp" → Company overview, open opportunities, recent activity, key contacts
• During discovery: "What products does Acme use?" → Lists current licenses, usage, and contract details
• Objection handling: "Have we worked with other fintech companies?" → Case studies and references from similar industries
• Follow-up capture: "Create a task to send pricing to John by Friday" → Task created in Salesforce with due date
• Next steps: "Update opportunity ABC to stage Negotiation, close date end of month" → Updates in real-time

Impact:

• Sales calls feel more prepared and consultative
• No more awkward pauses to search Salesforce
• CRM stays updated without post-call data entry
• Reps close 25% more deals with instant context

2. Sales Manager: Pipeline Analysis and Forecasting

Scenario: You're a sales manager responsible for accurate forecasting. Every Monday you need to review pipeline health, identify at-risk deals, and coach your team. Building reports and analyzing data takes 2-3 hours per week.

How OpenClaw helps:

Ask strategic questions instead of building reports:

• Pipeline overview: "What's our total pipeline for Q2?" → $2.4M across 47 opportunities
• At-risk deals: "Which deals over $50K have no activity in 2 weeks?" → Identifies 8 opportunities needing attention
• Rep performance: "Compare quota attainment across my team" → Table showing each rep vs target
• Stage velocity: "Average time from Qualified to Closed Won this year" → 42 days (vs 38 days last quarter - flagged for investigation)
• Win rate analysis: "Win rate by lead source" → Referrals 45%, Inbound 32%, Cold outbound 12%
• Forecast accuracy: "Opportunities marked Commit that didn't close last quarter" → Lists deals to discuss in forecast call

Impact:

• Pipeline review time drops from 3 hours to 20 minutes
• Earlier identification of at-risk deals (more time to course-correct)
• Data-driven coaching conversations with reps
• Forecast accuracy improves 15-20%

3. Account Executive: Opportunity Management and Next Steps

Scenario: You manage 30-40 active opportunities across different stages. Keeping track of next steps, following up at the right time, and moving deals forward requires constant CRM monitoring.

How OpenClaw helps:

Proactive opportunity management:

• Daily standup: "What opportunities need my attention today?" → Prioritized list with upcoming close dates, overdue tasks, and stalled deals
• Deal status: "Give me a full summary of the Acme Corp opportunity" → Stage, amount, contacts, competitors, next steps, timeline
• Relationship mapping: "Who are the decision makers at Acme?" → Contact hierarchy with roles and engagement history
• Competitive intel: "What competitors are we facing in active deals?" → Lists competitors by opportunity with win/loss trends
• Task management: "Show all my overdue tasks" → Tasks sorted by priority with associated opportunities
• Multi-threading: "Which opportunities only have one contact?" → Flags single-threaded deals for relationship expansion

Impact:

• Never miss a follow-up or deadline
• Better prioritization (focus on high-value, high-probability deals)
• Stronger multi-threading in accounts
• 30% reduction in deal cycle time

4. SDR: Lead Qualification and Routing

Scenario: Your SDR team processes 500+ inbound leads per week. They need to quickly qualify leads, assign to the right sales rep, and ensure hot leads get immediate attention.

How OpenClaw helps:

Streamlined lead management:

• Lead triage: "Show me all unassigned leads from yesterday" → List of new leads needing assignment
• Qualification: "How many leads are marked 'MQL' but not yet contacted?" → Identifies 23 hot leads
• Territory routing: "Assign all Enterprise leads in California to Sarah" → Bulk assignment based on territory rules
• Lead scoring: "Which leads have score > 80 and came from paid ads?" → High-intent leads for immediate outreach
• Duplicate detection: "Find duplicate leads for john@acme.com" → Prevents wasted effort on duplicates
• Conversion metrics: "My lead-to-opportunity conversion rate this month" → Performance tracking for coaching

Impact:

• Lead response time drops from 3 hours to under 30 minutes
• Better lead assignment (right rep, right time)
• Higher conversion rates (20-30% improvement)
• SDRs handle 40% more volume with same team size

5. Customer Success Manager: Account Health Monitoring

Scenario: You manage a portfolio of 80 customer accounts. Your job is to ensure customer success, identify expansion opportunities, and prevent churn. Manually tracking account health is overwhelming.

How OpenClaw helps:

Proactive customer success:

• Health check: "Which accounts have open support cases over 7 days old?" → At-risk accounts needing attention
• Engagement tracking: "Accounts with no activity in the last month" → Identifies disengaged customers
• Expansion opportunities: "Customers using Product A but not Product B" → Cross-sell targets
• Renewal pipeline: "Contracts renewing in the next 90 days" → Prioritized renewal outreach list
• Usage analysis (if integrated with usage data): "Accounts with decreasing usage this quarter" → Churn risk signals
• Executive relationships: "Which strategic accounts haven't had an executive touchpoint this quarter?" → Ensures QBRs happen
• NPS tracking: "Accounts with NPS score under 6" → Detractors needing intervention

Impact:

• Proactive churn prevention (identify risk before cancellation)
• Higher expansion revenue (systematic cross-sell/upsell identification)
• Better customer relationships (timely touchpoints)
• Customer retention increases 10-15%

6. Support Agent: Case Creation and Customer History

Scenario: Your support team handles 200+ cases per day. Agents need instant access to customer history, product details, and case resolution patterns to resolve issues quickly.

How OpenClaw helps:

Faster, smarter support:

• Customer lookup: "Show me account details for customer@acme.com" → Company info, contacts, open opportunities, case history
• Case creation: "Create a case for Acme Corp: login issues, priority High" → Case created with proper categorization
• Related cases: "Have we seen login issues before with Acme?" → Historical case patterns
• Product context: "What products does this customer use?" → License details, implementation dates
• Escalation: "Show all P1 cases assigned to me" → Critical issues needing immediate attention
• Resolution patterns: "How did we resolve similar login issues?" → Knowledge base articles and past solutions
• Case metrics: "My average case resolution time this week" → Performance tracking

Impact:

• First response time drops 50% (instant customer context)
• Faster resolution (learn from past cases)
• Better customer experience (agents have full context)
• Case volume handled increases 30% without adding headcount

7. Marketing Ops: Campaign ROI and Attribution

Scenario: Your marketing team runs dozens of campaigns across channels (webinars, ads, events, content). You need to track which campaigns drive pipeline and revenue, but multi-touch attribution is complex.

How OpenClaw helps:

Data-driven marketing decisions:

• Campaign performance: "Which campaigns generated the most pipeline this quarter?" → Campaign ROI ranked by influenced pipeline
• Lead source analysis: "Conversion rate by lead source" → Webinars 15%, Paid ads 8%, Organic 12%
• Attribution: "Show opportunities influenced by Q1 webinar series" → Multi-touch attribution tracking
• Campaign members: "How many MQLs came from last week's trade show?" → Event ROI measurement
• Sales alignment: "Campaigns with highest lead-to-close rate" → Identifies best-performing programs
• Budget allocation: "Cost per opportunity by campaign" → Optimize marketing spend
• Content performance: "Which whitepapers led to the most SQLs?" → Content strategy insights

Impact:

• Marketing budget allocated to highest-ROI channels
• Faster campaign analysis (hours to minutes)
• Better sales-marketing alignment (shared data)
• Marketing-sourced pipeline increases 25%

8. Sales Ops: Data Cleanup and Deduplication

Scenario: Your Salesforce org has grown organically over 5 years. Data quality issues are everywhere: duplicates, incomplete records, stale data, inconsistent formatting. Cleanup projects are tedious and time-consuming.

How OpenClaw helps:

Systematic data hygiene:

• Duplicate detection: "Find duplicate accounts by domain" → Lists potential merges
• Incomplete records: "Accounts missing industry or employee count" → Data enrichment targets
• Stale data: "Leads created over 1 year ago with status = New" → Cleanup candidates
• Format standardization: "Update all phone numbers to E.164 format" → Bulk formatting fixes
• Territory gaps: "Accounts with no owner assigned" → Assignment needed
• Data validation: "Opportunities over $1M with close date in the past" → Data integrity issues
• Merge preview: "Show me all data before merging Account A and Account B" → Safer merges

Impact:

• Data quality improves systematically (not ad-hoc)
• Sales team trusts CRM data again
• Reports and dashboards become accurate
• Marketing campaigns avoid bounces and bad data

Features Deep Dive

Natural Language Queries

Ask questions in plain English (no SOQL required):

• "Show me all opportunities"
• "Which accounts are in California?"
• "Leads from last week"
• "Cases assigned to me"
• "Top 5 deals by amount"
• "Contacts at Acme Corp"

OpenClaw translates to SOQL automatically and handles Salesforce API calls.

Complex Filtering

Multiple conditions, boolean logic:

• "Opportunities over $50K AND stage = Negotiation"
• "Leads from webinars OR events"
• "Accounts in California, Texas, or New York"
• "Cases opened this month but not yet closed"
• "Contacts with email AND phone populated"

Relationship Traversal

Query across related objects:

• "Show Account name and Owner name for all Opportunities" (Opportunity → Account, User)
• "All Contacts where Account Industry = Technology" (Contact → Account)
• "Cases for Accounts owned by Sarah" (Case → Account → Owner)
• "Opportunities for Contacts with title 'CEO'" (Opportunity → Contact)

Aggregations and Analytics

Summarize data:

• "Total pipeline amount" (SUM)
• "Average deal size" (AVG)
• "Number of open cases" (COUNT)
• "Largest opportunity this quarter" (MAX)
• "Oldest lead not yet contacted" (MIN)

Time-Based Queries

Flexible date filtering:

• "TODAY", "YESTERDAY", "THIS WEEK", "LAST WEEK"
• "THIS MONTH", "LAST MONTH", "THIS QUARTER", "LAST QUARTER"
• "THIS YEAR", "LAST YEAR"
• "LAST N DAYS", "NEXT N DAYS"
• Custom date ranges: "Between Jan 1 and Mar 31"

Sorting and Limiting

Control result sets:

• "Show top 10 accounts by revenue"
• "Sort opportunities by close date descending"
• "Newest leads first"
• "Limit results to 50"

Field Selection

Request specific fields:

• "Show Name, Email, Phone for all Contacts"
• "Opportunity Name, Amount, Stage, Close Date"
• "Account Name, Industry, Annual Revenue"

Record Creation

Create new records:

• "Create lead: Name = John Smith, Company = Acme Corp, Email = john@acme.com"
• "Log a task to call Sarah tomorrow"
• "Create case for Account ABC"

Record Updates

Modify existing data:

• "Update Opportunity X to stage Closed Won"
• "Change lead status to Qualified"
• "Set Account rating to Hot for all accounts with pipeline > $100K"

Bulk Operations

Update many records at once:

• "Update all leads from Trade Show A to status = Contacted"
• "Assign all California accounts to Sarah"
• "Delete test data created today"

Custom Objects

Query your custom Salesforce objects:

• "Show all custom object records where Status = Active"
• "Count of Project__c records by Owner"
• "Assets with warranty expiring this year"

OpenClaw auto-discovers your custom objects and fields.

Salesforce Metadata Access

Query Salesforce configuration:

• "What fields exist on the Account object?"
• "List all custom objects in this org"
• "Show picklist values for Lead Status"
• "Describe validation rules on Opportunity"

Useful for admins and developers.

Multi-Org Queries

If connected to multiple Salesforce orgs:

• "Show pipeline in Production org"
• "Compare lead volume: Sandbox vs Production"
• "Query accounts in EMEA org"

Einstein AI Data

For orgs with Einstein:

• "Opportunities with Einstein score > 80"
• "Lead scores from Einstein Lead Scoring"
• "Activity insights from Einstein Activity Capture"

Security and Compliance

• Respects all Salesforce permissions (profile, object, field)
• Honors sharing rules (role hierarchy, territory, manual)
• Audit trail (all queries logged)
• IP restrictions enforced
• MFA required if your org requires it
• Encrypted connections (TLS 1.3)
• No data stored outside Salesforce (queries are real-time)

Setup Option 1: HeraClaw Cloud (Recommended)

Time required: 60 seconds Technical skill: None Cost: Included in HeraClaw Cloud subscription Best for: 95% of users, all team sizes

Why HeraClaw Cloud?

• No Salesforce Connected App configuration required
• No OAuth 2.0 flow setup
• No security token management
• No API version compatibility concerns
• No certificate management
• No IP allowlisting
• Professional support included
• Automatic updates when Salesforce APIs change
• 99.9% uptime SLA
• Enterprise-grade security (SOC 2, GDPR, HIPAA available)

Steps:

1. Sign up for HeraClaw Cloud

• Visit cloud.getopenclaw.ai
• Click "Sign In" (no credit card required)
• Create your account (takes 60 seconds)

2. Navigate to Integrations

• Click "Integrations" in the left sidebar
• Find "Salesforce" in the list
• Click "Connect to Salesforce"

3. Authorize Your Salesforce Org

• Salesforce OAuth login screen appears
• Enter your Salesforce credentials
• Select environment:
  • Production (login.salesforce.com) - for live customer data
  • Sandbox (test.salesforce.com) - for testing environments
  • Custom Domain - if your org uses My Domain
• Review permissions
• Click "Allow"

4. Configure Permissions (Optional)

• Back in HeraClaw dashboard
• Choose which objects the AI can access
• Set user-level restrictions (which team members can query Salesforce)
• Configure data retention policies
• Save configuration

5. Test the Connection

• In HeraClaw chat interface, ask:
  • "Show me 5 recent opportunities"
  • "How many accounts do we have?"
  • "List my open tasks"
• Verify data appears correctly

6. Invite Your Team

• Go to Team Settings
• Invite team members via email
• Assign Salesforce permissions per user
• They can start querying immediately

That's it! You're up and running.

What You Get with HeraClaw Cloud:

✅ Instant Setup - No technical configuration ✅ Automatic Updates - We handle Salesforce API version migrations ✅ Professional Support - Email, chat, and phone support ✅ 99.9% Uptime - SLA-backed reliability ✅ Enterprise Security - SOC 2, GDPR, HIPAA available ✅ Unlimited Orgs - Connect production, sandbox, and multiple business units ✅ Advanced Features - Multi-org queries, Einstein integration, custom object support ✅ No Maintenance - We manage servers, scaling, API limits

Pricing: See cloud.getopenclaw.ai/pricing (starts with affordable team plans)

Get Started: Start with HeraClaw Cloud →

Setup Option 2: Self-Hosted (Advanced)

Time required: 45-60 minutes (first time), 20-30 minutes (if experienced) Technical skill: Intermediate to Advanced Cost: VPS hosting ($10-50/month) + your time Best for: DevOps engineers, technical teams, strict compliance requirements

Who should self-host?

✅ DevOps engineers who enjoy infrastructure ✅ Organizations with strict data residency requirements ✅ Teams already running Kubernetes/Docker infrastructure ✅ Companies that cannot use third-party SaaS ✅ Technical enthusiasts with homelab setups ✅ Need to customize query logic or add proprietary business rules

Who should NOT self-host?

❌ Small teams without DevOps expertise ❌ Anyone who values time over cost savings ❌ Teams without security/compliance expertise ❌ Organizations without experience managing OAuth apps ❌ Teams that don't want to handle Salesforce API version upgrades

Prerequisites:

• OpenClaw installed and running (Mac/Linux/VPS)
• Terminal/SSH access to your OpenClaw server
• Salesforce System Administrator permissions
• Understanding of OAuth 2.0 and JWT
• Basic networking knowledge
• SSL certificate (for production)

Detailed Self-Hosted Setup

Step 1: Create a Salesforce Connected App

1. Log into Salesforce

2. Go to Setup (gear icon → Setup)

3. In Quick Find, search "App Manager"

4. Click New Connected App

5. Fill in basic information:

   • Connected App Name: "OpenClaw Integration"
   • API Name: Auto-generated (OpenClaw_Integration)
   • Contact Email: your-email@company.com

6. Check Enable OAuth Settings

7. Callback URL:

   • If using localhost for testing: http://localhost:8080/oauth/callback
   • If using a domain: https://your-openclaw-domain.com/oauth/callback
   • Must be HTTPS for production (Salesforce requires it)

8. Selected OAuth Scopes - Add these scopes:

   • Full access (full) - For complete API access (simplest)
   • OR select specific scopes:
     • Access and manage your data (api)
     • Perform requests on your behalf at any time (refresh_token, offline_access)
     • Access your basic information (id, profile, email, address, phone)
     • Access custom permissions (custom_permissions)

9. Check Require Secret for Web Server Flow (recommended for security)

10. Check Require Secret for Refresh Token Flow

11. Click Save

Important: After saving, it takes 2-10 minutes for Salesforce to activate the Connected App.

Step 2: Retrieve Consumer Key and Secret

1. After saving, click Continue
2. You'll see the Connected App detail page
3. Click Manage Consumer Details
4. Verify your identity (Salesforce will send a verification code to your email)
5. Copy the Consumer Key (this is your Client ID)
6. Copy the Consumer Secret (this is your Client Secret)
7. Store these securely - you'll need them for OpenClaw configuration

Step 3: Configure IP Relaxation and Security (Optional but Recommended)

1. Still on the Connected App detail page
2. Click Edit Policies
3. IP Relaxation:
   • Relax IP restrictions - Allows connections from any IP (easier, less secure)
   • Enforce IP restrictions - Requires connections from trusted IPs (more secure)
4. Refresh Token Policy:
   • Refresh token is valid until revoked (recommended)
5. Permitted Users:
   • All users may self-authorize (easiest)
   • Admin approved users are pre-authorized (more control - requires profile/permission set assignment)
6. Click Save

Step 4: Pre-Authorize Users (If Using Admin Approved Users)

If you selected "Admin approved users" in Step 3:

1. Go to Setup → Manage Connected Apps
2. Find your "OpenClaw Integration" app
3. Click on it
4. Click Manage
5. Click Edit Policies
6. Under Permitted Users, select Admin approved users are pre-authorized
7. Click Save
8. Scroll to Profiles section
9. Click Manage Profiles
10. Select profiles that should have access (e.g., System Administrator, Sales User)
11. Click Save

Alternatively, use Permission Sets:

1. Create a permission set: Setup → Permission Sets → New
2. Assign the Connected App to the permission set
3. Assign the permission set to users who need access

Step 5: Get Your Salesforce Org URL and API Version

You'll need:

• Instance URL: Your Salesforce org URL (e.g., https://yourcompany.my.salesforce.com)
• API Version: Current Salesforce API version (e.g., v60.0 as of Spring '24)
  • Find this at Setup → API → Check the version numbers
  • Use the latest version for best compatibility

Step 6: Configure OpenClaw

Edit your OpenClaw config file (usually ~/.openclaw/config.yaml or ~/.config/openclaw/config.yaml):

integrations:  salesforce:    enabled: true        # Connected App credentials from Step 2    clientId: "3MVG9...your_consumer_key_here"    clientSecret: "1234567890...your_consumer_secret_here"        # Salesforce environment    # Production: https://login.salesforce.com    # Sandbox: https://test.salesforce.com    # Custom domain: https://yourcompany.my.salesforce.com    loginUrl: "https://login.salesforce.com"        # OAuth callback URL (must match Connected App setting)    callbackUrl: "http://localhost:8080/oauth/callback"        # API version (use latest: v60.0, v61.0, etc.)    apiVersion: "v60.0"        # Optional: Restrict object access    allowedObjects:      - "Account"      - "Contact"      - "Opportunity"      - "Lead"      - "Case"      # Add custom objects: "CustomObject__c"        # Optional: Restrict field access (if not specified, all fields allowed)    # restrictedFields:    #   Account:    #     - "SSN__c"    #     - "Salary__c"        # Optional: Query limits (protect against expensive queries)    queryLimits:      maxRecords: 2000  # Max records returned per query      timeout: 30       # Query timeout in seconds        # Optional: Rate limiting    rateLimit:      requestsPerHour: 1000  # Salesforce API limits apply        # Optional: Enable/disable operations    permissions:      read: true       # Allow queries      create: true     # Allow record creation      update: true     # Allow record updates      delete: false    # Disallow deletions (recommended)

Security Best Practice: Use environment variables instead of hardcoding credentials:

integrations:  salesforce:    clientId: ${SALESFORCE_CLIENT_ID}    clientSecret: ${SALESFORCE_CLIENT_SECRET}

Then set environment variables:

export SALESFORCE_CLIENT_ID="3MVG9...your_key"export SALESFORCE_CLIENT_SECRET="1234567890...your_secret"

Step 7: Start OpenClaw and Authenticate

# If running as a servicesudo systemctl restart openclaw# If running directlyopenclaw gateway start# Check logsopenclaw gateway logs --follow

What to look for in logs:

✓ Salesforce integration enabled✓ OAuth client configured✓ Waiting for OAuth authorization...

Step 8: Complete OAuth Authorization Flow

1. In your browser, visit OpenClaw's authorization endpoint:

   bashCopy

   http://localhost:8080/integrations/salesforce/authorize

2. You'll be redirected to Salesforce login

3. Enter your Salesforce credentials

4. Review permissions requested

5. Click Allow

6. You'll be redirected back to OpenClaw

7. Should see: "✓ Salesforce authorization successful"

OpenClaw now has a refresh token to access your Salesforce org.

Step 9: Verify Connection

Test queries:

# Via OpenClaw CLIopenclaw query "Show me 5 accounts"# Via APIcurl http://localhost:8080/api/query \  -H "Content-Type: application/json" \  -d '{"query": "Show me my open opportunities"}'

Expected response: JSON with Salesforce account data

Step 10: Set Up Token Refresh (Important)

Salesforce access tokens expire after a few hours. Refresh tokens last much longer (until revoked). OpenClaw handles refresh automatically, but verify:

integrations:  salesforce:    tokenRefresh:      enabled: true      # Refresh token before expiration (seconds)      refreshBeforeExpiry: 300  # 5 minutes before expiry

Check logs for successful token refreshes:

✓ Salesforce access token refreshed✓ New token expires at: 2026-04-10 15:30:00 UTC

Advanced Self-Hosted Configuration

Multiple Salesforce Orgs

Connect to production, sandbox, and multiple business units:

integrations:  salesforce:    instances:      production:        clientId: "${SF_PROD_CLIENT_ID}"        clientSecret: "${SF_PROD_CLIENT_SECRET}"        loginUrl: "https://login.salesforce.com"        apiVersion: "v60.0"              sandbox:        clientId: "${SF_SANDBOX_CLIENT_ID}"        clientSecret: "${SF_SANDBOX_CLIENT_SECRET}"        loginUrl: "https://test.salesforce.com"        apiVersion: "v60.0"              emea_org:        clientId: "${SF_EMEA_CLIENT_ID}"        clientSecret: "${SF_EMEA_CLIENT_SECRET}"        loginUrl: "https://emea.my.salesforce.com"        apiVersion: "v60.0"

Query specific orgs:

• "Show accounts in production org"
• "Compare pipeline: production vs sandbox"
• "Query opportunities in EMEA org"

Custom Query Transformations

Add business logic to queries:

integrations:  salesforce:    queryTransformations:      # Automatically filter deleted records      excludeDeleted: true            # Add default filters      defaultFilters:        Account:          - "IsDeleted = false"          - "Type != 'Test'"        Opportunity:          - "IsDeleted = false"          - "StageName != 'Closed Lost'"            # Field aliases (rename fields in responses)      fieldAliases:        Account:          AnnualRevenue: "Revenue"          BillingCountry: "Country"

SOQL Query Logging

Log all SOQL queries for debugging:

integrations:  salesforce:    logging:      logQueries: true      logResults: false  # Don't log data (privacy)      logFile: "/var/log/openclaw/salesforce-queries.log"

Example log output:

2026-04-10 10:30:15 | User: sarah@company.com | Query: SELECT Name, Amount, StageName FROM Opportunity WHERE Amount > 500002026-04-10 10:31:42 | User: john@company.com | Query: SELECT Id, Name, Email FROM Contact WHERE AccountId = '001xx000003DGbY'

Field-Level Security Enforcement

Respect Salesforce field-level security:

integrations:  salesforce:    security:      # Enforce field-level security (FLS)      respectFieldSecurity: true            # Enforce object-level security (CRUD)      respectObjectSecurity: true            # Enforce sharing rules      respectSharingRules: true            # Run queries as specific user (sees only what that user sees)      runAsUser: true

Bulk API for Large Queries

Use Salesforce Bulk API for queries returning 10,000+ records:

integrations:  salesforce:    bulkApi:      enabled: true      # Use Bulk API when result count exceeds threshold      threshold: 10000      # Bulk API timeout (can take minutes for large queries)      timeout: 300  # 5 minutes

Custom Object Auto-Discovery

Automatically discover custom objects and fields:

integrations:  salesforce:    metadata:      autoDiscover: true      # Refresh metadata cache interval (hours)      refreshInterval: 24      # Cache location      cacheDir: "/var/cache/openclaw/salesforce-metadata"

This allows queries like:

• "Show all CustomObject__c records"
• "What fields exist on Product__c?"

Einstein AI Integration

For orgs with Einstein:

integrations:  salesforce:    einstein:      enabled: true      # Access Einstein Opportunity Scoring      opportunityScoring: true      # Access Einstein Lead Scoring      leadScoring: true      # Access Einstein Activity Capture      activityCapture: true

Queries:

• "Opportunities with Einstein score > 80"
• "Lead score distribution"
• "Einstein activity insights for Account ABC"

Webhook Integration

Receive Salesforce events (requires Salesforce Platform Events or Change Data Capture):

integrations:  salesforce:    webhooks:      enabled: true      endpoint: "https://your-openclaw-domain.com/webhooks/salesforce"      events:        - "OpportunityChangeEvent"        - "LeadChangeEvent"        - "CaseChangeEvent"

Use cases:

• Notify team when opportunity reaches "Closed Won"
• Alert when high-value lead is created
• Trigger workflow when case is escalated

Troubleshooting Self-Hosted Setup

"Invalid Client" Error During OAuth

Symptoms: OAuth flow fails with "invalid_client_id" or "invalid_client"

Potential causes:

1. Consumer Key (Client ID) incorrect
2. Consumer Secret incorrect
3. Connected App not yet activated (wait 2-10 minutes after creation)
4. Wrong Salesforce environment (using test.salesforce.com for production org)

Fix:

1. Double-check Consumer Key and Secret
2. Verify you're using the correct loginUrl (login.salesforce.com vs test.salesforce.com)
3. Wait 10 minutes after creating Connected App
4. Check Connected App status: Setup → App Manager → Find your app → Should say "Active"

"Redirect URI Mismatch" Error

Symptoms: OAuth fails with "redirect_uri_mismatch"

Potential causes:

1. Callback URL in OpenClaw config doesn't match Connected App
2. HTTP vs HTTPS mismatch
3. Port number missing or incorrect

Fix:

1. Connected App callback URL must EXACTLY match OpenClaw config
2. If using HTTPS in Connected App, must use HTTPS in OpenClaw (and vice versa)
3. Include port if non-standard (e.g., :8080)

Example - these must match:

• Connected App: https://openclaw.company.com/oauth/callback
• OpenClaw config: callbackUrl: "https://openclaw.company.com/oauth/callback"

"Insufficient Privileges" Error When Querying

Symptoms: Query fails with "INSUFFICIENT_ACCESS_OR_READONLY" or "INSUFFICIENT_PRIVILEGES"

Potential causes:

1. User lacks object-level permissions (CRUD)
2. User lacks field-level permissions (FLS)
3. Sharing rules prevent access to records
4. Profile restrictions

Fix:

1. Check user's Profile: Setup → Users → Find user → Profile
2. Verify object permissions: Setup → Profiles → [User's Profile] → Object Settings → [Object] → Check Read permission
3. Verify field permissions: Object Settings → [Object] → Check field visibility
4. Check sharing rules: Setup → Sharing Settings → [Object] → Verify user has access

API Rate Limit Exceeded

Symptoms: Queries fail with "REQUEST_LIMIT_EXCEEDED"

Potential causes:

1. Exceeded Salesforce daily API limit (varies by edition)
   • Developer Edition: 5,000 requests/day
   • Enterprise Edition: 10,000 + 1,000 per user license
   • Unlimited Edition: 20,000 + 1,000 per user license
2. Too many concurrent requests

Fix:

1. Check current API usage: Setup → System Overview → API Usage
2. Reduce query frequency
3. Use SOQL more efficiently (request only needed fields)
4. Implement caching in OpenClaw:

integrations:  salesforce:    caching:      enabled: true      ttl: 300  # Cache results for 5 minutes

1. Consider upgrading Salesforce edition for higher limits

Access Token Expired

Symptoms: Queries work initially, then fail with "INVALID_SESSION_ID" or "Session expired or invalid"

Potential causes:

1. Access token expired (Salesforce tokens expire after ~2 hours)
2. Refresh token not configured or failed
3. User changed password (invalidates tokens)
4. Admin revoked access

Fix:

1. Verify token refresh is enabled:

integrations:  salesforce:    tokenRefresh:      enabled: true

1. Check logs for refresh token errors
2. Re-authorize if refresh token is invalid:

openclaw integrations salesforce reauthorize

1. Ensure OAuth scope includes refresh_token and offline_access

Query Returns No Results (But Data Exists)

Symptoms: Query succeeds but returns empty results, even though records exist in Salesforce

Potential causes:

1. Sharing rules - user can't see those records
2. Record type filtering (if using Record Types)
3. Deleted records (IsDeleted = true)
4. Wrong org (querying sandbox instead of production)

Fix:

1. Check the same query in Salesforce Developer Console:
   • Developer Console → Query Editor → Run same SOQL
   • If returns results in Dev Console but not OpenClaw: likely a permission issue in the Connected App user context
2. Check sharing settings: Setup → Sharing Settings → [Object]
3. Verify record visibility in Salesforce UI (can you see the records when logged in as the integrated user?)

"INVALID_FIELD" Error

Symptoms: Query fails with "No such column 'FieldName' on entity"

Potential causes:

1. Field doesn't exist on that object
2. Field name typo
3. Custom field missing __c suffix
4. Field was deleted

Fix:

1. Verify field exists: Setup → Object Manager → [Object] → Fields & Relationships
2. Check field API name (not label)
3. Custom fields must end with __c (e.g., CustomField__c, not CustomField)
4. Use metadata query to list available fields:

openclaw query "What fields exist on Account?"

SSL Certificate Errors

Symptoms: OAuth or queries fail with SSL/TLS errors

Potential causes:

1. Self-signed certificate not trusted
2. Expired SSL certificate
3. Hostname mismatch
4. Old TLS version (Salesforce requires TLS 1.2+)

Fix:

1. Ensure TLS 1.2 or higher:

openssl s_client -connect login.salesforce.com:443 -tls1_2

1. Use a valid SSL certificate (Let's Encrypt for free certificates)
2. For development, can disable SSL verification (NOT for production):

integrations:  salesforce:    security:      verifySsl: false  # ONLY for development

Connected App Not Appearing for Users

Symptoms: Users can't authorize (app doesn't appear in OAuth flow)

Potential causes:

1. Connected App not assigned to user's profile/permission set
2. "Admin approved users" setting requires pre-authorization

Fix:

1. Setup → App Manager → Your Connected App → Manage
2. Under Permitted Users, choose:
   • "All users may self-authorize" (easier)
   • OR assign profiles/permission sets (more secure)
3. If using profiles: Manage Profiles → Select user's profile → Save
4. If using permission sets: Create permission set → Assign to users

Security Best Practices for Self-Hosted

1. Use Environment Variables for Secrets

Never hardcode credentials:

# .env file (add to .gitignore)SALESFORCE_CLIENT_ID=3MVG9...SALESFORCE_CLIENT_SECRET=1234567890...# Load in configexport $(cat .env | xargs)

# config.yamlintegrations:  salesforce:    clientId: ${SALESFORCE_CLIENT_ID}    clientSecret: ${SALESFORCE_CLIENT_SECRET}

2. Restrict OAuth Scopes

Only request necessary permissions:

• ✅ Use specific scopes (api, refresh_token) instead of "full"
• ❌ Don't request "full" access unless absolutely needed

3. Use IP Allowlisting

Restrict Connected App to known IPs:

1. Setup → Connected Apps → Your App → Edit Policies
2. IP Relaxation: Enforce IP restrictions
3. Setup → Network Access → New
4. Add your OpenClaw server IPs

4. Implement Audit Logging

integrations:  salesforce:    audit:      enabled: true      logFile: "/var/log/openclaw/salesforce-audit.log"      logQueries: true      logResults: false  # Don't log actual data (privacy)

Review logs regularly for suspicious queries.

5. Rotate Credentials Regularly

1. Every 90 days, rotate Consumer Secret:
   • Setup → App Manager → Your App → View → Manage Consumer Details → Regenerate Secret
2. Update OpenClaw config with new secret
3. Restart OpenClaw

6. Use Role-Based Access Control

Restrict which OpenClaw users can query Salesforce:

integrations:  salesforce:    access:      # Only these users can query Salesforce      allowedUsers:        - "sarah@company.com"        - "john@company.com"            # Or use role-based access      allowedRoles:        - "sales_team"        - "support_team"

7. Disable Dangerous Operations

Prevent accidental data deletion:

integrations:  salesforce:    permissions:      read: true      create: true      update: true      delete: false  # Disable deletions

8. Monitor Salesforce Session Inspector

Regularly review active sessions:

1. Setup → Session Management
2. Check for unexpected sessions
3. Revoke suspicious sessions

9. Enable Multi-Factor Authentication

Require MFA for all users:

1. Setup → Identity → Multi-Factor Authentication
2. Enable MFA for all users accessing Connected Apps

10. Use Salesforce Shield (If Available)

For sensitive data:

• Platform Encryption: Encrypt sensitive fields at rest
• Event Monitoring: Track API usage and anomalies
• Field Audit Trail: Track field history changes

Comparison: HeraClaw Cloud vs Self-Hosted

Why 95% of users choose HeraClaw Cloud:

✅ Time is valuable - 45-60 min setup + ongoing maintenance adds up ✅ Salesforce API changes frequently - 3 major releases per year (Spring, Summer, Winter) ✅ OAuth is complex - Connected Apps, security tokens, JWT flows - easy to misconfigure ✅ Security is hard - SOC 2 compliance costs $50K-$150K to achieve ✅ Reliability matters - 99.9% SLA vs DIY uptime monitoring ✅ Support is worth it - Email/chat/phone support when Salesforce throws errors ✅ Hidden costs - SSL certs, API monitoring, version upgrade testing

When self-hosting makes sense:

✅ You have Salesforce admins and DevOps engineers with spare capacity ✅ Data cannot leave your infrastructure (regulatory compliance) ✅ You need to integrate proprietary business logic into queries ✅ You want to customize SOQL generation for specific use cases ✅ You have 24/7 on-call rotation to handle incidents ✅ You already maintain other Salesforce integrations (familiar with Connected Apps)

Frequently Asked Questions

Q: Which Salesforce editions are supported?

A: All editions with API access:

• ✅ Developer Edition (free, for testing)
• ✅ Professional Edition (requires API access add-on)
• ✅ Enterprise Edition
• ✅ Unlimited Edition
• ✅ Performance Edition

Note: Salesforce Professional Edition does not include API access by default. You must purchase the API add-on.

Q: Does it work with Salesforce sandboxes?

A: Yes! Connect to:

• Production orgs (login.salesforce.com)
• Full Copy sandboxes
• Partial Copy sandboxes
• Developer sandboxes
• Developer Pro sandboxes

Recommendation: Test queries in sandbox before running on production.

Q: Can I connect multiple Salesforce orgs?

A: Yes! HeraClaw Cloud supports unlimited orgs. Self-hosted requires configuring each org separately. Common use cases:

• Production + multiple sandboxes
• Multiple business units (separate orgs)
• Acquired companies (legacy orgs)
• Global operations (regional orgs)

Q: What about Salesforce API limits?

A: Salesforce enforces daily API request limits:

• Developer Edition: 5,000 requests/day
• Enterprise Edition: 10,000 base + 1,000 per user license
• Unlimited Edition: 20,000 base + 1,000 per user license

HeraClaw Cloud monitors your API usage and optimizes queries to stay under limits. Self-hosted users must monitor usage manually (Setup → System Overview → API Usage).

Q: Does it work with custom objects?

A: Absolutely! Query any custom object:

• "Show all Product__c records"
• "Count of Contract__c by Status"
• "Assets with SerialNumber__c populated"

OpenClaw auto-discovers custom objects and fields.

Q: What about Einstein AI features?

A: Full support for Einstein:

• Einstein Opportunity Scoring
• Einstein Lead Scoring
• Einstein Activity Capture
• Einstein Analytics (Tableau CRM)
• Einstein Conversation Insights

Example queries:

• "Opportunities with Einstein score > 80"
• "Lead score distribution by source"

Q: Can I create/update/delete Salesforce records?

A: Yes (if configured):

• Create: "Create a lead for John Smith at Acme Corp"
• Update: "Change opportunity ABC to stage Closed Won"
• Delete: "Delete test accounts created today" (usually disabled for safety)

All operations respect validation rules, triggers, and workflow automation.

Q: Is my Salesforce data secure?

A: HeraClaw Cloud:

• SOC 2 Type II certified
• Encrypted in transit (TLS 1.3)
• Encrypted at rest (AES-256)
• GDPR compliant
• HIPAA available (BAA upon request)
• No data stored (queries are real-time to Salesforce)

Self-hosted: Your responsibility, but you control the infrastructure.

Both options respect all Salesforce permissions (profile, object, field, sharing).

Q: What if Salesforce API changes?

A: Salesforce releases 3 major API updates per year (Spring, Summer, Winter).

HeraClaw Cloud: We handle all API migrations automatically with zero downtime.

Self-hosted: You must:

1. Test queries against new API version
2. Update OpenClaw configuration
3. Deploy updates to production

Q: Can I query across multiple objects (joins)?

A: Yes! OpenClaw handles relationship queries:

• "Show Account name and Owner name for all Opportunities"
• "Contacts where Account Industry = Technology"
• "Cases for Accounts owned by Sarah"

Salesforce relationships (lookups and master-detail) are automatically traversed.

Q: How fast are queries?

A: Typically 1-3 seconds, depending on:

• Query complexity (simple vs aggregations)
• Result size (10 records vs 10,000 records)
• Salesforce org performance (large orgs can be slower)
• Network latency (cloud regions)

Q: Does it support Salesforce reports and dashboards?

A: Not directly, but you can replicate report logic:

• Instead of building a report, ask: "Show opportunities by stage"
• Instead of a dashboard, ask: "What's our win rate this quarter?"

OpenClaw generates the SOQL query to get the same data.

Q: What about Salesforce Communities (Experience Cloud)?

A: OpenClaw connects via standard Salesforce APIs, so it can query data visible to Community users if you authenticate as a Community user. However, most users connect as an internal Salesforce user.

Q: Can I schedule automated queries?

A: Yes! Set up scheduled queries:

• Daily pipeline report emailed to sales team
• Weekly lead volume summary
• Monthly closed-won analysis
• Real-time alerts (e.g., when opportunity > $100K is created)

Q: Does it work with Salesforce Mobile App?

A: OpenClaw is separate from Salesforce Mobile. However, if you integrate OpenClaw with Slack or Teams, you can query Salesforce data from mobile via those apps.

Q: What about Salesforce CPQ (Configure, Price, Quote)?

A: Yes, if you have CPQ:

• Query Quote objects
• Access Product rules
• Retrieve pricing information
• Analyze quote-to-close metrics

CPQ uses custom objects (SBQQ__*), which OpenClaw auto-discovers.

Q: Can I migrate from self-hosted to Cloud?

A: Absolutely! Export your OpenClaw configuration, sign up for HeraClaw Cloud, re-authorize Salesforce (60 seconds), and you're done. We'll help you migrate - most migrations complete in under 15 minutes.

Q: What about Salesforce Shield encryption?

A: OpenClaw can read Shield-encrypted fields if the authenticated user has "View Encrypted Data" permission. Encrypted fields are decrypted by Salesforce before being returned via API.

Q: Does it support Salesforce Knowledge?

A: Yes! Query Knowledge articles:

• "Show all Knowledge articles about password resets"
• "Most viewed articles this month"
• "Articles by topic = Billing"

Q: How do I revoke access?

A: HeraClaw Cloud:

1. Dashboard → Integrations → Salesforce → Disconnect
2. (Optional) Revoke in Salesforce: Setup → Connected Apps → HeraClaw → Revoke

Self-hosted:

1. Disable in OpenClaw config
2. Revoke in Salesforce: Setup → Connected Apps → Your App → Manage → Revoke All Sessions

Get Started

For 95% of users (recommended):

Start with HeraClaw Cloud →

• 60-second setup
• No technical skills needed
• No Connected App configuration
• Professional support
• 99.9% uptime SLA
• No credit card required to start

For advanced users only:

Self-Hosting Setup Guide →

• 45-60 minute setup
• Requires Salesforce admin + DevOps skills
• You maintain infrastructure
• Full control and customization
• Must handle API version upgrades

Questions? Email support@cloud.getopenclaw.ai or join our community Slack for help.

Last updated: April 10, 2026

Built with OpenClaw — The open-source AI assistant platform. Self-host or use HeraClaw Cloud.