
Snippets: Skip OAuth — Use Salesforce CLI for Quick API Calls


Tired of setting up a Connected App for every script? Here’s a shortcut for developers using the Salesforce CLI.


If you work with Salesforce, you’ve probably been there: you need to connect to an org via API for a quick, one-off task. Maybe it’s to run a quick analysis, explore a data model, or pull a small report.

The best approach is the usual one: set up a Connected App or External Client App (ECA), manage OAuth scopes, and handle the credentials securely. For any long-term, automated integration, that is absolutely the correct and most secure path.

Recently, however, I had a task that was strictly temporary and isolated. The usual setup felt like overkill. As I was thinking it through, I realized I was already authenticated to the org on my local machine through the Salesforce CLI. That led to a simple question: “Can I just use this existing session?”

It turns out, you can. It saved me a good bit of setup time, and I wanted to share it. It’s a handy shortcut for a developer’s toolkit, as long as its specific use case and limitations are respected. Here’s a look at how you can leverage your existing CLI configuration for temporary API access.


A Word of Caution: When (and When Not) to Use This

Before we dive into the code, let’s be clear. This method is NOT a replacement for a properly configured Connected App or the new External Client Apps for production integrations.

Think of this as a developer productivity hack for specific scenarios:

  • Temporary Analysis: You need to quickly query some data for a one-time report.
  • Org Evaluation: You’re assessing a new or unfamiliar org and want to explore its schema or data programmatically.
  • Isolated Scripts: You’re running a local script on your machine for a short-lived task.

This approach is unsuitable for:

  • Automated, recurring production jobs.
  • Integrations running on servers or shared environments.
  • Distributing to non-technical users.
  • Any situation where you need fine-grained control over permissions and scopes, which Connected Apps provide.

The security of this method is tied to the security of your local machine and your CLI session. The access token you generate will have exactly the same permissions as the user you logged in as with the CLI.

The “How-To”: Leveraging the Salesforce CLI with Python

The solution is a simple Salesforce CLI command: sf org display --json. When you run this against an authenticated org, it outputs a JSON structure containing all the connection details, including the instanceUrl and, most importantly, a valid accessToken.

Let’s build a Python script to use this.

Step 1: Get the Access Token from the CLI

First, we need a function to execute the CLI command and parse its JSON output. This function will be our gateway to receiving a fresh access token whenever we need one.


Step 2: Query Salesforce Using the Token

With the access token and instance URL, we can now make authenticated REST API calls. Here’s a function to run a simple SOQL query.


Step 3: Putting It All Together & Handling Expiration

The access token from the CLI is temporary. If your script runs for a while, the token will expire, and your API calls will fail with a 401 Unauthorized status code. Our script needs to handle this gracefully by getting a new token and retrying the request.

This main function orchestrates the entire process.

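The three steps above in one script, written here as an added example and not the post's original code: it reads instanceUrl and accessToken from sf org display --json, runs a SOQL query over the REST API, and fetches a fresh token once on a 401. The function names, the org alias and the API version v60.0 are assumptions; the token is never printed or logged, the CLI is run without a shell, and the token is only sent to an HTTPS instance URL.

```python
import json
import subprocess
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "v60.0"  # assumption: use any API version your org supports


def run_sf_display(alias):
    """Run `sf org display --json` as an argument list (no shell); return stdout."""
    cmd = ["sf", "org", "display", "--target-org", alias, "--json"]
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=True, timeout=60).stdout


def get_session(alias, run_cli=run_sf_display):
    """Return (instance_url, access_token) parsed from the CLI's JSON output."""
    result = json.loads(run_cli(alias)).get("result", {})
    url, token = result.get("instanceUrl"), result.get("accessToken")
    if not url or not token:
        raise RuntimeError("CLI output has no instanceUrl/accessToken")
    if not url.startswith("https://"):
        raise RuntimeError("refusing to send the token to a non-HTTPS URL")
    return url.rstrip("/"), token


def http_get(url, token):
    """GET with a bearer token; return (status, parsed JSON body or None)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None  # error body dropped so nothing sensitive is echoed


def soql_query(alias, soql, run_cli=run_sf_display, get=http_get):
    """Run one SOQL query; on 401 ask the CLI for a fresh token and retry once."""
    for _ in range(2):
        base, token = get_session(alias, run_cli)
        url = f"{base}/services/data/{API_VERSION}/query?q={urllib.parse.quote(soql)}"
        status, body = get(url, token)
        if status == 200:
            return body["records"]
        if status != 401:
            break  # only an expired/invalid token is worth a retry
    raise RuntimeError(f"query failed with HTTP {status}")
```

Call it as soql_query("my-org-alias", "SELECT Id, Name FROM Account LIMIT 5"), where the alias is one you have already authenticated with the CLI.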

Final Thoughts and Security Reminders

This CLI shortcut is a great example of how our development tools can sometimes offer clever workarounds. It can certainly streamline ad-hoc tasks and help you avoid the ceremony of a full integration setup when it’s not needed.

However, always remember the security implications:

  1. Secure Your Machine: Since the script leverages your local CLI session, anyone with access to your user account on your machine could potentially run it. Maintain good local system security.
  2. Principle of Least Privilege: The script operates with your full user permissions. Be mindful of this when running scripts that perform data manipulation (DML).
  3. No Hardcoding: Notice the script doesn’t contain any secrets. It dynamically fetches them, which is a major security advantage over hardcoding credentials.
  4. Audit and Log: CLI commands and API calls made this way are still auditable within Salesforce Setup Audit Trail, associated with your user account.

It’s a useful technique for the right context. I hope you find it helpful in your own Salesforce development and analysis work.