Remote OpenClaw
Menu
SkillsMCPPluginsGuideDigestSubmit MCPSkillPluginMCPMCP, plugin, or skillAdvertise
Remote OpenClaw
SkillsMCPPluginsGuideDigestSubmit MCPSkillPluginMCPMCP, plugin, or skillAdvertise

Featured

Launch your own OpenClaw agent in one click logoLaunch your own OpenClaw agent in one click

A live, always-on OpenClaw agent that handles your tasks around the clock. No servers, no setup — pick a model, connect Telegram, and it starts working.

Try it for free →
SetupClaw: done-for-you OpenClaw for founders & exec teams logoSetupClaw: done-for-you OpenClaw for founders & exec teams

White-glove OpenClaw for founders and exec teams (4–50+ employees): we install, harden, integrate your tools, and maintain it — secured from day one.

Get it set up for you →
One API to scrape, enrich, and extract the internet. logoOne API to scrape, enrich, and extract the internet.

Context.dev gives your agents a single API to scrape, enrich, and extract live web data — no proxies, no parsers, no maintenance.

Start building free →
CLN.Work — Stop prompting, start hiring AI employees logoCLN.Work — Stop prompting, start hiring AI employees

Turn your Claude agents into a real team — onboard them, assign tasks, and manage them like staff.

Hire AI employees →
Launch OpenClaw or Hermes on Hostinger in 60 seconds logoLaunch OpenClaw or Hermes on Hostinger in 60 seconds

Your OpenClaw or Hermes agent, live around the clock on a Hostinger VPS. Set up in about 60 seconds, from a few dollars a month, with 20% off through this link.

Launch on Hostinger →
Launch your OpenClaw wrapper and start making money today logoLaunch your OpenClaw wrapper and start making money today

Auth, billing, and AI already wired in. Skip months of boilerplate and get paying customers now, not next quarter.

See the kit →
Launch your own OpenClaw agent in one click logoLaunch your own OpenClaw agent in one click

A live, always-on OpenClaw agent that handles your tasks around the clock. No servers, no setup — pick a model, connect Telegram, and it starts working.

Try it for free →
SetupClaw: done-for-you OpenClaw for founders & exec teams logoSetupClaw: done-for-you OpenClaw for founders & exec teams

White-glove OpenClaw for founders and exec teams (4–50+ employees): we install, harden, integrate your tools, and maintain it — secured from day one.

Get it set up for you →
One API to scrape, enrich, and extract the internet. logoOne API to scrape, enrich, and extract the internet.

Context.dev gives your agents a single API to scrape, enrich, and extract live web data — no proxies, no parsers, no maintenance.

Start building free →
CLN.Work — Stop prompting, start hiring AI employees logoCLN.Work — Stop prompting, start hiring AI employees

Turn your Claude agents into a real team — onboard them, assign tasks, and manage them like staff.

Hire AI employees →
Launch OpenClaw or Hermes on Hostinger in 60 seconds logoLaunch OpenClaw or Hermes on Hostinger in 60 seconds

Your OpenClaw or Hermes agent, live around the clock on a Hostinger VPS. Set up in about 60 seconds, from a few dollars a month, with 20% off through this link.

Launch on Hostinger →
Launch your OpenClaw wrapper and start making money today logoLaunch your OpenClaw wrapper and start making money today

Auth, billing, and AI already wired in. Skip months of boilerplate and get paying customers now, not next quarter.

See the kit →
Launch your own OpenClaw agent in one click logoLaunch your own OpenClaw agent in one click

A live, always-on OpenClaw agent that handles your tasks around the clock. No servers, no setup — pick a model, connect Telegram, and it starts working.

Try it for free →
SetupClaw: done-for-you OpenClaw for founders & exec teams logoSetupClaw: done-for-you OpenClaw for founders & exec teams

White-glove OpenClaw for founders and exec teams (4–50+ employees): we install, harden, integrate your tools, and maintain it — secured from day one.

Get it set up for you →
One API to scrape, enrich, and extract the internet. logoOne API to scrape, enrich, and extract the internet.

Context.dev gives your agents a single API to scrape, enrich, and extract live web data — no proxies, no parsers, no maintenance.

Start building free →
CLN.Work — Stop prompting, start hiring AI employees logoCLN.Work — Stop prompting, start hiring AI employees

Turn your Claude agents into a real team — onboard them, assign tasks, and manage them like staff.

Hire AI employees →
Launch OpenClaw or Hermes on Hostinger in 60 seconds logoLaunch OpenClaw or Hermes on Hostinger in 60 seconds

Your OpenClaw or Hermes agent, live around the clock on a Hostinger VPS. Set up in about 60 seconds, from a few dollars a month, with 20% off through this link.

Launch on Hostinger →
Launch your OpenClaw wrapper and start making money today logoLaunch your OpenClaw wrapper and start making money today

Auth, billing, and AI already wired in. Skip months of boilerplate and get paying customers now, not next quarter.

See the kit →
Skills/forcedotcom/sf-skills/integration-connectivity-connected-app-configure

integration-connectivity-connected-app-configure

forcedotcom/sf-skills
685 installs673 stars

Installation

npx skills add https://github.com/forcedotcom/sf-skills --skill integration-connectivity-connected-app-configure

Summary

Salesforce Connected Apps and External Client Apps OAuth configuration with 120-point scoring. Use this skill to configure OAuth flows, JWT bearer auth, Connected Apps, and External Client Apps in Salesforce. TRIGGER when: user configures OAuth flows, JWT bearer auth, Connected Apps, ECAs, or touches .connectedApp-meta.xml / .eca-meta.xml files. DO NOT TRIGGER when: configuring Named Credentials for callouts (use integration-connectivity-generate), reviewing permission policies (use platform-metadata-deploy), or writing Apex token-handling code (use platform-apex-generate).

SKILL.md

integration-connectivity-connected-app-configure: Salesforce Connected Apps & External Client Apps

Use this skill when the user needs OAuth app configuration in Salesforce: Connected Apps, External Client Apps (ECAs), JWT bearer setup, PKCE decisions, scope design, or migration from older Connected App patterns to newer ECA patterns.

Scope

In scope:

  • .connectedApp-meta.xml or .eca-meta.xml files
  • OAuth flow selection and callback / scope setup
  • JWT bearer auth, device flow, client credentials, or auth-code decisions
  • Connected App vs External Client App architecture choices
  • Consumer key / secret / certificate handling strategy

Out of scope — delegate elsewhere:

  • Configuring Named Credentials or runtime callouts → integration-connectivity-generate
  • Deploying metadata to orgs → platform-metadata-deploy
  • Writing Apex token-handling code → platform-apex-generate

---

First Decision: Connected App or External Client App

If the need is...Prefer
simple single-org OAuth appConnected App
new development with better secret handlingExternal Client App
multi-org / packaging / stronger operational controlsExternal Client App
straightforward legacy compatibilityConnected App

Default guidance:

  • Choose ECA for new regulated, packageable, or automation-heavy solutions.
  • Choose Connected App when simplicity and legacy compatibility matter more.
  • Spring '26 note: creation of new Connected Apps is disabled by default in orgs. For new integrations, prefer External Client Apps unless Connected App compatibility is explicitly required.

---

Required Inputs

Ask for or infer:

  • App type: Connected App or ECA
  • OAuth flow: auth code, PKCE, JWT bearer, device, client credentials
  • Client type: confidential vs public
  • Callback URLs / redirect surfaces
  • Required scopes
  • Distribution model: local org only vs packageable / multi-org
  • Whether certificates or secret rotation are required

---

Workflow

1. Choose the app model

Decide whether a Connected App or ECA is the better long-term fit using the decision table above.

2. Choose the OAuth flow

Use caseDefault flow
backend web appAuthorization Code
SPA / mobile / public clientAuthorization Code + PKCE
server-to-server / CI/CDJWT Bearer
device / CLI authDevice Flow
service account style appClient Credentials (typically ECA)

3. Start from the right template

Read the appropriate template before generating — do not build from scratch:

TemplateUse case
assets/connected-app-basic.xmlSimple API integration, minimal OAuth
assets/connected-app-oauth.xmlWeb app with full OAuth 2.0 configuration
assets/connected-app-jwt.xmlJWT bearer / server-to-server
assets/connected-app-canvas.xmlEmbedding external apps in Salesforce UI (Canvas)
assets/external-client-app.xmlECA header file — all new ECA builds start here
assets/eca-global-oauth.xmlECA global OAuth settings (scopes, PKCE, rotation)
assets/eca-oauth-settings.xmlECA per-app OAuth settings
assets/eca-policies.xmlECA configurable policies

If you need source-controlled ECA OAuth security metadata, retrieve it from an org first and treat the retrieved file as the schema source of truth:

sf project retrieve start --metadata ExtlClntAppOauthSecuritySettings:<AppName> --target-org <alias>

4. Apply security hardening

Read references/security-checklist.md for the full 120-point security checklist. Favor:

  • Least-privilege scopes
  • Explicit callback URLs
  • PKCE for public clients
  • Certificate-based auth where appropriate
  • Rotation-ready secret / key handling
  • IP restrictions when realistic and maintainable

5. Validate deployment readiness

Read references/testing-validation-guide.md before handoff. Confirm:

  • Metadata file naming is correct (see Gotchas below)
  • Scopes are justified
  • Callback and auth model match the real client type
  • Secrets are not embedded in source

6. Handle errors

If deployment fails, check the error output for:

  • DUPLICATE_VALUE — a Connected App or ECA with this name already exists; rename or retrieve-then-update instead
  • INVALID_CROSS_REFERENCE_KEY — the externalClientApplication name in an ECA settings file doesn't match the .eca-meta.xml filename exactly
  • INSUFFICIENT_ACCESS_OR_READONLY — user lacks the "Manage Connected Apps" permission
  • If any step fails, do not proceed to the next step — surface the error to the user with the specific message above

---

Rules / Constraints

RuleRationale
Never commit consumer secrets to source controlCredential exposure risk
Never use Full scope by defaultUnnecessary privilege; request only what the app needs
Always use PKCE for public clients (mobile, SPA)Prevents auth code interception
Never use wildcard or overly broad callback URLsToken interception risk
ECA OAuth security settings must be retrieved from org before editingFile schema is not fully documented; retrieve-first ensures accuracy
Use <alias> placeholders in CLI commands, never hardcoded org URLsOrg URLs vary per environment
Detect actual packageDirectory from sfdx-project.json before writing filesProjects may not use the default force-app/main/default/ layout

---

Metadata Notes That Matter

Connected App

Default source location (verify via sfdx-project.json → packageDirectories):

  • <packageDir>/connectedApps/

External Client App

ECA metadata spans multiple top-level source directories. Default locations (verify via sfdx-project.json):

DirectoryMetadata typeFile suffix
<packageDir>/externalClientApps/ExternalClientApplication.eca-meta.xml
<packageDir>/extlClntAppGlobalOauthSets/ExtlClntAppGlobalOauthSettings.ecaGlblOauth-meta.xml
<packageDir>/extlClntAppOauthSettings/ExtlClntAppOauthSettings.ecaOauth-meta.xml
<packageDir>/extlClntAppOauthSecuritySettings/ExtlClntAppOauthSecuritySettings.ecaOauthSecurity-meta.xml
<packageDir>/extlClntAppOauthPolicies/ExtlClntAppOauthConfigurablePolicies.ecaOauthPlcy-meta.xml
<packageDir>/extlClntAppPolicies/ExtlClntAppConfigurablePolicies.ecaPlcy-meta.xml

---

Gotchas

GotchaDetail
.ecaGlblOauth not .ecaGlobalOauthThe global OAuth suffix is abbreviated — using the long form will break deployment
.ecaPlcy not .ecaPolicySame abbreviation pattern — the general policy suffix is short form
.ecaOauthSecurity for security settingsUse .ecaOauthSecurity, not .ecaSecurity
ECA OAuth security settings are retrieve-onlyCannot be created from scratch in source — always retrieve from org first
Spring '26: new Connected Apps disabled by defaultNew orgs block Connected App creation; use ECA unless explicitly required
Consumer key is generated post-deployYou cannot set the consumer key in metadata — retrieve it after first deployment

---

Output Expectations

When finishing, confirm and report in this order:

  1. App type chosen — Connected App or External Client App
  2. OAuth flow chosen
  3. Files created or updated — list each metadata file path
  4. Security decisions — scopes, PKCE, certs, secrets, IP policy
  5. Next deployment / testing step

Suggested output shape:

App: <name>
Type: Connected App | External Client App
Flow: <oauth flow>
Files: <paths>
Security: <scopes, PKCE, certs, secrets, IP policy>
Next step: <deploy, retrieve consumer key, or test auth flow>
Score: <x>/120

---

Cross-Skill Integration

NeedDelegate toReason
Named Credential / callout runtime configintegration-connectivity-generateruntime integration setup
Deploy app metadataplatform-metadata-deployorg validation and deployment
Apex token or refresh handlingplatform-apex-generateimplementation logic

---

Score Guide

ScoreMeaning
80+production-ready OAuth app config
54–79workable but needs hardening review
< 54block deployment until fixed

---

Reference File Index

FileWhen to read
assets/connected-app-basic.xmlStep 3 — template for simple Connected App with minimal OAuth
assets/connected-app-oauth.xmlStep 3 — template for full OAuth 2.0 Connected App
assets/connected-app-jwt.xmlStep 3 — template for JWT bearer / server-to-server Connected App
assets/connected-app-canvas.xmlStep 3 — template for Canvas app embedding in Salesforce UI
assets/external-client-app.xmlStep 3 — ECA header file template
assets/eca-global-oauth.xmlStep 3 — ECA global OAuth settings template (PKCE, rotation, callbacks)
assets/eca-oauth-settings.xmlStep 3 — ECA per-app OAuth settings template
assets/eca-policies.xmlStep 3 — ECA configurable policies template
references/oauth-flows-reference.mdStep 2 — detailed OAuth flow comparison and decision guide
references/security-checklist.mdStep 4 — full 120-point security scoring checklist
references/testing-validation-guide.mdStep 5 — pre-deployment validation and testing guide
references/migration-guide.mdWhen migrating from Connected App to ECA patterns
references/example-usage.mdFull end-to-end examples for common OAuth scenarios

Featured

Launch your own OpenClaw agent in one click logoLaunch your own OpenClaw agent in one click

A live, always-on OpenClaw agent that handles your tasks around the clock. No servers, no setup — pick a model, connect Telegram, and it starts working.

Try it for free →
SetupClaw: done-for-you OpenClaw for founders & exec teams logoSetupClaw: done-for-you OpenClaw for founders & exec teams

White-glove OpenClaw for founders and exec teams (4–50+ employees): we install, harden, integrate your tools, and maintain it — secured from day one.

Get it set up for you →
One API to scrape, enrich, and extract the internet. logoOne API to scrape, enrich, and extract the internet.

Context.dev gives your agents a single API to scrape, enrich, and extract live web data — no proxies, no parsers, no maintenance.

Start building free →
CLN.Work — Stop prompting, start hiring AI employees logoCLN.Work — Stop prompting, start hiring AI employees

Turn your Claude agents into a real team — onboard them, assign tasks, and manage them like staff.

Hire AI employees →
Launch OpenClaw or Hermes on Hostinger in 60 seconds logoLaunch OpenClaw or Hermes on Hostinger in 60 seconds

Your OpenClaw or Hermes agent, live around the clock on a Hostinger VPS. Set up in about 60 seconds, from a few dollars a month, with 20% off through this link.

Launch on Hostinger →
Launch your OpenClaw wrapper and start making money today logoLaunch your OpenClaw wrapper and start making money today

Auth, billing, and AI already wired in. Skip months of boilerplate and get paying customers now, not next quarter.

See the kit →
Launch your own OpenClaw agent in one click logoLaunch your own OpenClaw agent in one click

A live, always-on OpenClaw agent that handles your tasks around the clock. No servers, no setup — pick a model, connect Telegram, and it starts working.

Try it for free →
SetupClaw: done-for-you OpenClaw for founders & exec teams logoSetupClaw: done-for-you OpenClaw for founders & exec teams

White-glove OpenClaw for founders and exec teams (4–50+ employees): we install, harden, integrate your tools, and maintain it — secured from day one.

Get it set up for you →
One API to scrape, enrich, and extract the internet. logoOne API to scrape, enrich, and extract the internet.

Context.dev gives your agents a single API to scrape, enrich, and extract live web data — no proxies, no parsers, no maintenance.

Start building free →
CLN.Work — Stop prompting, start hiring AI employees logoCLN.Work — Stop prompting, start hiring AI employees

Turn your Claude agents into a real team — onboard them, assign tasks, and manage them like staff.

Hire AI employees →
Launch OpenClaw or Hermes on Hostinger in 60 seconds logoLaunch OpenClaw or Hermes on Hostinger in 60 seconds

Your OpenClaw or Hermes agent, live around the clock on a Hostinger VPS. Set up in about 60 seconds, from a few dollars a month, with 20% off through this link.

Launch on Hostinger →
Launch your OpenClaw wrapper and start making money today logoLaunch your OpenClaw wrapper and start making money today

Auth, billing, and AI already wired in. Skip months of boilerplate and get paying customers now, not next quarter.

See the kit →
Launch your own OpenClaw agent in one click logoLaunch your own OpenClaw agent in one click

A live, always-on OpenClaw agent that handles your tasks around the clock. No servers, no setup — pick a model, connect Telegram, and it starts working.

Try it for free →
SetupClaw: done-for-you OpenClaw for founders & exec teams logoSetupClaw: done-for-you OpenClaw for founders & exec teams

White-glove OpenClaw for founders and exec teams (4–50+ employees): we install, harden, integrate your tools, and maintain it — secured from day one.

Get it set up for you →
One API to scrape, enrich, and extract the internet. logoOne API to scrape, enrich, and extract the internet.

Context.dev gives your agents a single API to scrape, enrich, and extract live web data — no proxies, no parsers, no maintenance.

Start building free →
CLN.Work — Stop prompting, start hiring AI employees logoCLN.Work — Stop prompting, start hiring AI employees

Turn your Claude agents into a real team — onboard them, assign tasks, and manage them like staff.

Hire AI employees →
Launch OpenClaw or Hermes on Hostinger in 60 seconds logoLaunch OpenClaw or Hermes on Hostinger in 60 seconds

Your OpenClaw or Hermes agent, live around the clock on a Hostinger VPS. Set up in about 60 seconds, from a few dollars a month, with 20% off through this link.

Launch on Hostinger →
Launch your OpenClaw wrapper and start making money today logoLaunch your OpenClaw wrapper and start making money today

Auth, billing, and AI already wired in. Skip months of boilerplate and get paying customers now, not next quarter.

See the kit →
View on GitHub

Recommended skills

Browse all →

find-skills

vercel-labs/skills

2.4M installsInstall

frontend-design

anthropics/skills

632K installsInstall

vercel-react-best-practices

vercel-labs/agent-skills

530K installsInstall

agent-browser

vercel-labs/agent-browser

517K installsInstall

grill-me

mattpocock/skills

466K installsInstall

web-design-guidelines

vercel-labs/agent-skills

443K installsInstall

Browse

Skills by category

Frontend250Git198Data154Testing120Design105Docs103Security96Automation87Backend76Devops37Productivity29Mcp23

Advertise on Remote OpenClaw

Get your AI tool in front of 54,000+ AI enthusiasts a month

Submit a tool →See placements & pricing →

Remote OpenClaw

AI agent skills directory, marketplace, and workflow hub for OpenClaw, Hermes Agent, Claude Code, Codex, and MCP-powered operator stacks.

The Agent Stack: weekly agent tooling digest, free.

Explore

  • Home
  • Skills Directory
  • Claude Code Skills
  • Codex Skills
  • Marketplace
  • Hermes Ecosystem
  • Guide
  • Learn
  • Blog
  • The Agent Stack (Digest)

More

  • Submit a Tool
  • Advertise
  • Playbook
  • Free Tools
  • API
  • Shipping
  • Contact
  • Terms
  • Privacy
© 2026 Remote OpenClaw
Fazier badgeFeatured on Twelve ToolsFeatured on Wired BusinessRemote OpenClaw - Featured on AI Agents DirectoryListed on Turbo0