Testing the Salesforce REST API in Postman lets you authenticate, query records, and create data without writing a line of integration code first. The path is the same every time: create a Connected App in Salesforce, authenticate with OAuth 2.0 to get an access token, then send GET and POST requests to your org. Before you start, have a Salesforce org you can administer (a Developer Edition org or Trailhead Playground works), a Postman account, and permission to create a Connected App. The OAuth 2.0 Username-Password flow is the fastest way to get a token for API testing, so that is the path used here.
Key Takeaways
|
What You Need Before You Start
Gather these before opening Postman so the setup runs without interruption:
- A Salesforce org you can administer, such as a Developer Edition org or a Trailhead Playground.
- A Postman account, using either the desktop app or the web app.
- Admin access to create a Connected App in Salesforce Setup.
- Your Salesforce username and password, plus your security token if your org requires one for API logins.
How Salesforce and Postman Work Together
Salesforce exposes its data through the REST API, a set of HTTP endpoints that return and accept JSON. Postman is an API client that sends those HTTP requests and shows you the raw responses, so you can confirm exactly how the API behaves before writing application code. The link between them is OAuth 2.0: Salesforce will not accept an API call until you present a valid access token. A Connected App is what lets Salesforce issue that token to an outside client like Postman.
Step 1: Create a Connected App in Salesforce
The Connected App is the trust relationship between Postman and your org. It produces the consumer key and consumer secret you will use to authenticate.
- In Salesforce, open Setup and search for App Manager, then click New Connected App.
- Enter a connected app name, API name, and contact email.
- Check Enable OAuth Settings.
- Enter a Callback URL. For API testing you can use https://login.salesforce.com/services/oauth2/callback.
- Under Selected OAuth Scopes, add Manage user data via APIs (api) and Perform requests at any time (refresh_token, offline_access).
- Save the app. New Connected Apps can take a few minutes to become active.
- Open the app, then under the API section reveal and copy the Consumer Key and Consumer Secret. You will need both to request a token.
Verification: You should see your new app listed in App Manager with a Consumer Key and a Consumer Secret available to copy. Keep the secret private.
Step 2: Set Up CORS for the Postman Web App
This step applies only if you use the Postman web app in a browser. The desktop app does not need it, so skip ahead if you are on desktop.
- In Salesforce Setup, search for CORS.
- Add https://.postman.com and https://.postman.co as allowed origins.
Verification: Both Postman origins appear in your CORS allowlist. This prevents the browser from blocking your token request.
Step 3: Configure Your Postman Environment and Variables
Storing your credentials as environment variables keeps secrets out of your request URLs and lets you switch between sandbox and production by swapping environments. Create a new environment in Postman and add the variables below.
Variable | Value | Used for |
login_url | https://login.salesforce.com (use https://test.salesforce.com for a sandbox) | The OAuth token endpoint base |
client_id | Your Connected App Consumer Key | Identifies the app to Salesforce |
client_secret | Your Connected App Consumer Secret | Authenticates the app |
username | Your Salesforce username | The user the token acts as |
password | Your Salesforce password (append your security token if required) | Authenticates the user |
instance_url | Populated from the token response | The base URL for all data calls |
access_token | Populated from the token response | The Bearer token for every request |
Leave instance_url and access_token empty for now. The token request in the next step fills them in.
Step 4: Authenticate and Get an Access Token
Authentication exchanges your credentials for an access token and your org’s instance URL. Send a POST request to the OAuth token endpoint.
- Create a POST request to {{login_url}}/services/oauth2/token.
- In the Body tab, choose x-www-form-urlencoded and add these keys:
Key | Value |
grant_type | password |
client_id | {{client_id}} |
client_secret | {{client_secret}} |
username | {{username}} |
password | {{password}} |
- Click Send. A successful response returns access_token, instance_url, and token_type.
- Copy the access_token and instance_url values into your environment variables so later requests can reuse them.
Verification: You receive a 200 OK with a JSON body containing access_token and instance_url. If you see invalid_grant, your username, password, or security token is wrong; if you see invalid_client_id, recheck the consumer key.
Step 5: Call the Salesforce REST API
With a token in hand, you can read and write records. Every data call goes to your instance_url and carries the token in an Authorization header.
Retrieve a record (GET):
- Create a GET request to {{instance_url}}/services/data/v67.0/sobjects/Account/{{recordId}}.
- In the Headers tab, set Authorization to Bearer {{access_token}}.
- Click Send and inspect the JSON body for the record’s fields.
Verification: A 200 OK returns the account fields. A quick way to confirm the connection itself is a GET to {{instance_url}}/services/data/v67.0/limits, which also returns 200 when the token is valid.
Create a record (POST):
- Create a POST request to {{instance_url}}/services/data/v67.0/sobjects/Account/.
- In Headers, set Authorization to Bearer {{access_token}} and Content-Type to application/json.
- In the Body tab, choose raw and JSON, then add a payload such as { “Name”: “Test Corp” }.
- Click Send.
Verification: A 201 Created returns the new record’s id. You can confirm by running the GET request above against that id.
Use your org’s current API version rather than the v67.0 shown here: open Setup, generate an Enterprise WSDL, and read the version near the top, or call {{instance_url}}/services/data/ to list the versions your org supports.
Faster Path: Fork the Official Salesforce Platform APIs Collection
If you would rather not build each request by hand, Salesforce publishes a Postman collection that comes preconfigured for the platform APIs. Fork the Salesforce Platform APIs collection from the Salesforce Developers workspace in Postman, fill in the same environment variables, and you get ready-made requests for authentication and common objects. Salesforce also offers a guided Trailhead project for connecting Postman to an org, which is useful if you want a checked, step-by-step walkthrough with a sandbox.
Troubleshooting Common Errors
- invalid_grant on the token request: Usually a wrong username, password, or a missing security token. Append the security token to the end of your password, or add your IP to the org’s trusted ranges to skip the token.
- invalid_session_id on a data call: Your access token expired or was copied incorrectly. Run the token request again and update your access_token variable.
- CORS error in the web app: The Postman origins are not in your Salesforce CORS allowlist. Add them, or switch to the desktop app where CORS does not apply.
- Wrong instance_url: Always send data calls to the instance_url returned by the token response, not to login.salesforce.com. Sandboxes return a different instance host.
- Redirect or Authorization header issues: Confirm the header is exactly Authorization: Bearer <token> with a single space, and that your callback URL in the Connected App matches what you configured.
Frequently Asked Questions
Create a Connected App in Salesforce to get a consumer key and secret, request an OAuth 2.0 access token from the token endpoint in Postman, then send GET and POST requests to your instance URL with the token in a Bearer Authorization header.
Use the Username-Password flow for quick API testing because it returns a token in a single request. Use the Authorization Code flow for production integrations or any app where a user signs in, since it does not require storing the user’s password.
Both work. The web app requires you to allow the Postman origins in your Salesforce CORS settings; the desktop app does not, which makes it the simpler option for first-time setup.
CORS only matters for the browser-based Postman web app. Without the Postman origins in your Salesforce CORS allowlist, the browser blocks the token request. The desktop app sends requests outside the browser, so it is exempt.
Send the token request from Step 4 again to get a fresh access_token, then update your environment variable. If your Connected App includes the refresh_token scope, you can also exchange a refresh token for a new access token without re-sending credentials.
Use your org’s current API version rather than an older hard-coded one. You can list the versions your org supports by sending a GET to {{instance_url}}/services/data/, then use the highest version returned.
The REST API uses lightweight HTTP and JSON and is the better fit for Postman testing and most modern integrations. The SOAP API uses XML and a WSDL and is more common in legacy enterprise integrations. For connecting Postman to Salesforce, the REST API is the standard choice.
Conclusion
Once a GET returns 200 and a POST returns 201, you have a working Salesforce REST API connection in Postman, and the same token and endpoints power any further calls you want to test. The natural next step is moving from manual testing to automated, governed data flows between Salesforce and the rest of your stack. If you reach that point, APPSeCONNECT can connect Salesforce with your ERP, eCommerce, and finance systems without maintaining custom API code. Book a demo to talk with an expert.
