Connected App
A Salesforce Connected App is a framework by which third party applications can integrate with Salesforce in a trusted fashion. A properly installed Connected App is necessary for GRAX to utilize your Integration User and for end-users to use Single Sign On to access GRAX. Additionally, Connected App settings can be customized to restrict access to GRAX or make it more seamless.
Changes to Connected Apps (September 2025)
Starting in early September 2025, Salesforce will restrict the use of uninstalled connected apps. This usage restriction will block end users from using uninstalled connected apps. This change is in response to recent Salesforce data breaches, and improves the default security posture of all Orgs.
For more information on this change, including how to prepare, see the related Salesforce Knowledge Article.
Installing the Connected App
The GRAX OAuth connected app will be added to your org by default the first time it is used, but will not be installed automatically in all cases; it must be installed for users to make use of it. To view the connected apps that exist in your org as well as if they're installed, open the "Connected Apps OAuth Usage" page in setup.

If your table shows the "Install" action for "GRAX OAuth" and is missing the "Managed App Policies" link as shown above, the Connected App is not installed. To install it, click "Install". You will be asked to confirm the installation:

Once the app is installed, you will see "Uninstall" as an available action instead of "Install", as shown below:

Customizing the Connected App
By clicking the "Managed App Policies" option in the "Connected Apps OAuth Usage" menu, administrators can modify the behavior of the connected app, the sessions associated with it, and the ability of users in the org to utilize the app. The option will not appear if the app is not installed.

GRAX is not compatible with all possible options, and not all possible options have an effect on GRAX. Meaningful settings and their impact are broken out below.
Permitted Users
All users may self-authorize
All users in the org may SSO via the connected app, but will be individually asked for their consent and authorization of the app and associated scopes. This can interfere with use of the LWCs if users have never logged into GRAX before.
Admin approved users are pre-authorized
Users must be pre-approved based on assigned profile by an administrator, but will not need to individually consent to and authorize the app and associated scopes. This can make the LWC and SSO experience more seamless, but may be more of a burden to manage. Enabling this option will immediately prevent all users in the org from using the app, regardless of whether they have authorized it previously. They must be authorized by profile before they can use the app again.
IP Relaxation
Enforce IP restrictions
Login requests using this connected app must come from one of the IPs configured within the user's "Login IP Ranges". If no ranges are configured for the user, this has no effect.
Relax IP Restrictions
Login requests using this connected app are allowed regardless of the configured "Login IP Ranges" for a user.
Refresh Token Policy
Refresh token is valid until revoked
This is the only supported value. GRAX will perpetually refresh the integration user connection until the refresh token is revoked by any means.
Last updated
Was this helpful?