Salesforce
The Salesforce connector gives AI agents full access to CRM data — SOQL queries, record management, lead creation and conversion, opportunity tracking, and report execution — all via the Salesforce REST API using OAuth 2.0. Your credentials are stored encrypted in MCPGate's vault and are never exposed to the AI client.
Required scopes#
MCPGate requests the following OAuth scopes when you connect a Salesforce org.
| Scope | Purpose |
|---|---|
| api | Access the Salesforce REST API for all CRUD and SOQL operations |
| refresh_token offline_access | Keep the session alive without re-prompting the user |
Tool reference#
The Salesforce connector exposes 14 tools. Use the MCP Apps page to enable or disable individual tools per app, and the Guardrails page to add fine-grained rules on top.
| Tool | Category | Description |
|---|---|---|
| salesforce_query | read | Execute a SOQL query against Salesforce objects |
| salesforce_get_record | read | Get a specific Salesforce record by object type and ID |
| salesforce_search | read | Search Salesforce using SOSL (Salesforce Object Search Language) |
| salesforce_list_objects | read | List all available Salesforce objects (sObjects) |
| salesforce_describe_object | read | Describe a Salesforce object's fields and metadata |
| salesforce_list_reports | read | List available Salesforce reports |
| salesforce_run_report | read | Run a Salesforce report by ID and return results |
| salesforce_list_opportunities | read | List Salesforce opportunities, optionally filtered by stage or account |
| salesforce_create_record | write | Create a new Salesforce record for any object type |
| salesforce_update_record | write | Update an existing Salesforce record by object type and ID |
| salesforce_create_lead | write | Create a new Salesforce Lead with contact and company information |
| salesforce_convert_lead | write | Convert a Salesforce Lead into an Account, Contact, and optionally an Opportunity |
| salesforce_update_opportunity | write | Update a Salesforce Opportunity's stage, amount, or close date |
| salesforce_delete_record | delete | Delete a Salesforce record by object type and ID |
SOQL queries can be broad
salesforce_query and salesforce_search accept arbitrary SOQL/SOSL. An unconstrained query like SELECT Id, Email FROM Contact can return thousands of records including PII. Consider applying the keyword_block guardrail to prevent unbounded queries, or restrict the agent to named report tools instead.Common guardrail recipes#
Read-only access#
Enable only the eight read tools and deny all write and delete tools. Ideal for reporting agents and pipeline dashboards that only need to surface CRM data.
Edit records preset#
Enable all tools except salesforce_delete_record and salesforce_convert_lead. This allows the AI to create and update records freely while blocking irreversible operations. The edit_records preset configures exactly this.
Restrict to specific object types#
Apply the allow_values template to salesforce_create_record, salesforce_update_record, and salesforce_delete_record. Target the object_type field and provide a list of sObject types (e.g. Lead, Contact, Opportunity) the agent is allowed to modify.
Troubleshooting#
- Instance URL required — Salesforce orgs have unique instance URLs (e.g.
https://mycompany.my.salesforce.com). MCPGate discovers this automatically during the OAuth flow. If API calls return "resource not found", disconnect and reconnect to refresh the instance URL. - SOQL field not found — The
salesforce_querytool passes your SOQL directly to Salesforce. Ensure field names match your org's schema exactly — usesalesforce_describe_objectto look up available fields. - Lead conversion requires an Account —
salesforce_convert_leadcreates an Account, Contact, and optionally an Opportunity. Ensure the lead has aCompanyfield set before converting, or the Salesforce API will reject the request.