Skip to main content
Loadout
Guide2 min read

Salesforce MCP server: setup for Claude & Cursor (2026)

Connect Salesforce to your AI — the GA hosted MCP servers or the official CLI server. OAuth with PKCE, permissions, and common fixes.

Salesforce now has first-party MCP support: fully managed hosted MCP servers (generally available in 2026) and an official CLI-based server for local development. Both respect your existing permissions. Here is how to set up each.

Salesforce hosts and scales the servers — nothing to provision. You enable a server in Setup, and it is live. Your existing security applies automatically: CRUD, field-level security and sharing rules all carry over, so the AI can never see more than the connecting user can.

Setup outline:

  1. In Setup, enable the hosted MCP server you want (it exposes sObjects, Flows, Invocable Actions, Data 360, Prompt Builder and more as tools).
  2. Create an External Client App for OAuth 2.0 with PKCE (mandatory). Configure the callback URL.
  3. Select the scopes "Access MCP servers" and "Perform requests at any time" (refresh_token).
  4. Add the server to your client as a remote/OAuth connector and authorise.

Requires Enterprise Edition or above.

Option B — official CLI server (local dev)

For local development, Salesforce maintains the salesforcecli/mcp server, which talks to your orgs through the Salesforce CLI. Good when you are building and already authenticated via sf.

Verify

Ask: "List the 5 most recently created Opportunities and their stages." Real records back means it is connected and your permissions allow it.

Common problems

  • PKCE / OAuth errors — PKCE is mandatory on hosted servers; ensure your External Client App is configured for it and the callback URL matches.
  • "Insufficient access" — expected and correct: the server enforces the connecting user's CRUD/FLS/sharing. Adjust the user's permissions, not the server.
  • Missing scopes — add "Access MCP servers" and the refresh-token scope to the connected app.

Security

Because Salesforce enforces your existing permission model, the safest approach is to connect with a least-privilege user/permission set rather than an admin. See MCP security best practices.

Going further

Salesforce fits a revenue-ops stack with Slack and web search servers. Browse the productivity category or a curated loadout. Built a CRM server? Submit it.

Loadout

Build your AI agent loadout

The directory of MCP servers and AI agents that actually work. Pick the right loadout for Slack, Postgres, GitHub, Figma and 20+ integrations — with install commands ready to paste into Claude Desktop, Cursor or your own stack.

Contact
© 2026 Loadout. Built on Angular 21 SSR.