How Claude Connects Salesforce MCP Into Secure CRM Access
Table of Contents
Claude can answer better questions when it works with real Salesforce data.
But that access cannot be open-ended.
Salesforce data includes Accounts, Opportunities, Contacts, Activities, Cases and renewal details. Claude should only access approved tools. It should only return records the logged-in user can see. It should work through Salesforce security, not around it.
That is where Salesforce Hosted MCP Servers help.
Claude becomes the MCP client. Salesforce remains the governed system. MCP connects them through approved tools, OAuth and user-level permissions.
The secure AI access problem every Salesforce team knows
AI assistants are useful only when they can work with real business context.
For Salesforce teams, that context lives inside CRM records, related lists, object permissions, field-level security and sharing rules. Giving an AI tool broad access is not the right approach.
Teams need a controlled path.
Claude should retrieve Salesforce data through approved MCP tools. Salesforce should still manage authentication, access and permissions. The first implementation should be simple, read-only and easy to validate.
How Claude works: Activate → Authorize → Connect
Claude connects to Salesforce through MCP using Salesforce Hosted MCP Servers and an External Client App.
- Activate: Enable the required Salesforce Hosted MCP Server, such as platform/sobject-reads.
- Authorize: Create an External Client App with OAuth scopes for MCP access and refresh tokens.
- Connect: Add the Salesforce MCP endpoint as a custom connector in Claude and authenticate with Salesforce.
What the setup actually includes
The table below summarizes the key Salesforce and Claude components required to complete the MCP connection.
Why Claude — and why Salesforce MCP
These points show why MCP is a safer way to bring Salesforce CRM context into Claude.
Technical steps to connect Claude with Salesforce MCP
Recommended first setup
Impact: Start with read-only Salesforce record access, validate authentication, then expand only when governance is clear.
Step 1: Activate Salesforce Hosted MCP Servers
In Salesforce Setup:
- Go to Setup.
- Search for MCP Servers.
- Open MCP Servers under API Catalog.
- Click Salesforce Servers.
- Activate the required server.
For the first demo, start with:
platform.sobject-reads

platform.platform.sobject-all

This server allows Claude to read Salesforce records through approved MCP tools.
Common server options:
Salesforce provides different hosted MCP server options depending on the level and type of access required.
For most first implementations, use platform/sobject-reads.
It is safer. It is easier to validate. It limits the first use case to record reading.
Step 2: Create an External Client App
To connect Claude to Salesforce MCP, create an External Client App.
Do not use a traditional Connected App for Salesforce MCP client authentication.
In Salesforce Setup:
- Search for External Client App Manager.
- Click New External Client App.
- Fill in the basic app information.
- Enable OAuth Settings.
- Add the Claude callback URL: https://claude.ai/api/mcp/auth_callback
- Add these OAuth scopes: mcp_api , refresh_token
- Enable the recommended security options:
- JWT-based access tokens for named users
- PKCE for supported authorization flows
- Create the app.
- Copy the Consumer Key.

The Consumer Key is used as the OAuth Client ID inside Claude.
Step 3: Add Salesforce as a Claude connector
In Claude:
- Open Claude.
- Go to Customize.
- Select Connectors.
- Click +.
- Choose Add custom connector.
- Enter a connector name.
Example: Salesforce SObject Read
Add the Salesforce MCP server URL.
For production or Developer Edition orgs: https://api.salesforce.com/platform/mcp/v1/platform/sobject-reads
For sandbox or scratch orgs: https://api.salesforce.com/platform/mcp/v1/sandbox/platform/sobject-reads
Then open Advanced Settings and paste the External Client App Consumer Key into the OAuth Client ID field.
Step 4: Connect and authenticate
After adding the connector in Claude:
- Click Connect next to the Salesforce connector.
- Claude redirects the user to Salesforce.
- The user logs in.
- Salesforce handles OAuth authentication.
- Claude receives access based on the authenticated user.

This is the most important part of the architecture.
Claude works under the logged-in Salesforce user’s access. If the user cannot see a record or field in Salesforce, Claude should not see it through MCP.
Step 5: Test the connection
Start with a simple record-read prompt:
Use the Salesforce connector and list the first 10 Account records I can access. Show Name, Type, Industry and Annual Revenue if available.
Then test a business use case:
Use Salesforce data to summarize the Account named ABC Corp. Include key details, related opportunities and recent activity if available.
For renewal preparation:
Prepare a renewal briefing for this Account using Salesforce data only. Include opportunity stage, close date, amount, key contacts and suggested next questions.
If Claude answers without using Salesforce data, make the instruction explicit: Use the Salesforce connector to retrieve the latest Salesforce data before answering.
Conclusion
Connecting Claude with Salesforce through MCP gives teams a secure and practical way to bring CRM context into AI-assisted workflows. Instead of giving Claude broad or unmanaged access, Salesforce Hosted MCP Servers keep Salesforce as the governed system while Claude acts as the MCP client.
By starting with platform/sobject-reads, teams can validate a simple read-only setup, confirm OAuth authentication, and test whether Claude can retrieve Salesforce records based on the logged-in user’s permissions. This approach keeps the first implementation controlled, permission-aware, and easier to review before expanding into broader use cases.
The key takeaway is simple: Claude can work with Salesforce data, but access should happen through approved MCP tools, External Client App authentication, and Salesforce user-level security.




