How to Connect Salesforce to OpenClaw: AI-Powered CRM Automation

Q: Can I use a Salesforce sandbox for testing?

We recommend it. Change `SALESFORCE_INSTANCE_URL` in your `.env` file to your sandbox URL. The REST API endpoints and SOQL syntax are identical between sandbox and production. Test every operation in the sandbox before pointing at production. Sandbox orgs refresh from production periodically, so your schema and sample data stay current.

Salesforce admins spend hours each week on tasks the platform was supposed to eliminate: manually checking deal stages, exporting lead lists for scoring, copy-pasting pipeline numbers into Slack. OpenClaw fixes this by turning your CRM into a conversational tool. Connect Salesforce to OpenClaw through a custom skill, and your AI agent can run SOQL queries, update opportunity stages, and send you a daily pipeline summary, all from a Telegram message.

This guide covers the full native integration: creating a Salesforce Connected App with OAuth 2.0, writing the OpenClaw skill file with real SOQL templates, and building three automation recipes you can deploy this week. The whole setup takes about 30 minutes if you already have OpenClaw running.

What You Get After Connecting

Once Salesforce is connected, your OpenClaw agent becomes a conversational front-end for your CRM data. Instead of navigating Setup menus and running reports in the Salesforce UI, you message your agent in plain English.

Here is what the integration supports out of the box:

Query leads, contacts, and accounts by name, email, owner, or any standard/custom field using SOQL
Check opportunity stages and pipeline totals with a single message
Create and update records across leads, contacts, opportunities, and tasks
Log calls, emails, and meeting notes directly from your chat app
Run automated pipeline health checks via OpenClaw’s heartbeat scheduling
Get lead scoring alerts when new leads match your ideal customer profile

The skill uses Salesforce’s REST API (v60.0+) through an OAuth 2.0 Connected App. No third-party middleware, no paid connectors, no Composio plugin required. Your data flows directly between your machine and Salesforce’s servers.

Before You Start

You need three things in place:

OpenClaw installed and running on your machine or a VPS. If you have not set this up yet, follow our OpenClaw setup guide. For 24/7 availability, consider running OpenClaw on Hostinger.
A Salesforce org with API access enabled. Developer Edition, Enterprise Edition, and Unlimited Edition all include API access. Professional Edition requires the API add-on. If you are unsure, go to Setup and search for “API” in the Quick Find box. If you see API settings, you are good.
A text editor for writing the skill file. VS Code, Cursor, or any editor that handles Markdown works.

Step 1: Create a Salesforce Connected App

A Connected App is Salesforce’s mechanism for granting external systems controlled access to your org through OAuth 2.0. You define exactly which permissions the app gets, and Salesforce handles token issuance and refresh.

Navigate to App Manager

Log into Salesforce and click the gear icon (top right), then Setup
In the Quick Find box, type App Manager
Click New Connected App (top right)

Configure the App

Fill in the required fields:

Connected App Name: OpenClaw Integration
API Name: OpenClaw_Integration (auto-populated)
Contact Email: Your admin email address

Enable OAuth Settings

Scroll down to the API (Enable OAuth Settings) section:

Check Enable OAuth Settings
Set the Callback URL to http://localhost:8080/callback (OpenClaw’s default OAuth redirect)
Under Selected OAuth Scopes, add these scopes:

Scope	What It Enables
`api`	Full REST API access (required for all SOQL and CRUD operations)
`refresh_token, offline_access`	Long-lived tokens that auto-refresh without re-authentication

The api scope is broad by design. Salesforce’s Connected App policies let you restrict access further through profiles and permission sets after creation, so you can lock down which users and which objects the integration touches.

Check Require Proof Key for Code Exchange (PKCE) if your Salesforce edition supports it. PKCE adds a layer of security to the OAuth flow by preventing authorization code interception.
Click Save. Salesforce tells you the app takes 2-10 minutes to activate.

Copy Your Credentials

After saving, go to Manage Consumer Details (you may need to verify with a code sent to your email):

Consumer Key (Client ID): Copy this. You will need it in your OpenClaw config.
Consumer Secret (Client Secret): Copy this. Store it securely.

Store Credentials Safely

Do not paste these values into your skill file. Store them in a .env file outside your OpenClaw workspace:

# ~/.env or ~/openclaw/.env
SALESFORCE_CLIENT_ID=3MVG9d8...(your consumer key)
SALESFORCE_CLIENT_SECRET=ABC123...(your consumer secret)
SALESFORCE_INSTANCE_URL=https://yourcompany.my.salesforce.com

OpenClaw reads environment variables at runtime, keeping secrets out of any file your agent might log or share.

Step 2: Complete the OAuth Flow

Before the skill can make API calls, you need an access token. The OAuth 2.0 authorization code flow works like this:

OpenClaw opens a browser window to Salesforce’s authorization endpoint
You log in and approve the Connected App’s permissions
Salesforce redirects back to localhost:8080/callback with an authorization code
OpenClaw exchanges that code for an access token and refresh token
The refresh token keeps the connection alive without re-authentication

To trigger this flow, add the Salesforce configuration to your OpenClaw config:

# ~/.openclaw/config.yaml (or your workspace config)
integrations:
  salesforce:
    instanceUrl: "${SALESFORCE_INSTANCE_URL}"
    clientId: "${SALESFORCE_CLIENT_ID}"
    clientSecret: "${SALESFORCE_CLIENT_SECRET}"
    callbackUrl: "http://localhost:8080/callback"

Then restart OpenClaw:

openclaw gateway restart

When you first invoke the Salesforce skill, OpenClaw prompts you to authenticate. Complete the browser login, approve the app, and the tokens are stored locally.

Troubleshooting the OAuth flow:

Symptom	Likely Cause	Fix
”Invalid client_id” error	Consumer Key is wrong or app not yet active	Wait 10 minutes after creating the Connected App, verify the key
”redirect_uri_mismatch”	Callback URL does not match Connected App config	Ensure both sides use `http://localhost:8080/callback` exactly
Browser opens but login fails	User lacks API permissions	Assign the “API Enabled” permission to the user’s profile
Token expired after 2 hours	Missing refresh_token scope	Re-create Connected App with `refresh_token, offline_access` scope

Step 3: Write the OpenClaw Salesforce Skill

The skill file tells your agent how to interact with Salesforce: which API endpoints to call, what SOQL queries to run, and what rules to follow when modifying records.

Create the Skill Directory

mkdir -p ~/.openclaw/workspace/skills/salesforce

Write the SKILL.md File

Create ~/.openclaw/workspace/skills/salesforce/SKILL.md with this content:

---
name: salesforce
description: Query and manage Salesforce CRM data. Run SOQL queries, manage leads, contacts, opportunities, and tasks via the Salesforce REST API.
tools:
  - shell
---

# Salesforce CRM Skill

## Authentication

Use environment variables for all API requests.
Base URL: $SALESFORCE_INSTANCE_URL/services/data/v60.0
Authorization header: Bearer $SALESFORCE_ACCESS_TOKEN

## Available Operations

### Run a SOQL Query

Execute any SOQL query against your Salesforce org:

curl -s -H "Authorization: Bearer $SALESFORCE_ACCESS_TOKEN" \
  "$SALESFORCE_INSTANCE_URL/services/data/v60.0/query/?q=SOQL_QUERY_HERE" \
  | jq '.records'

### Search Leads by Status

Find leads matching a specific status or owner:

curl -s -H "Authorization: Bearer $SALESFORCE_ACCESS_TOKEN" \
  "$SALESFORCE_INSTANCE_URL/services/data/v60.0/query/?q=SELECT+Id,Name,Email,Company,Status,LeadSource+FROM+Lead+WHERE+Status='Open - Not Contacted'+ORDER+BY+CreatedDate+DESC+LIMIT+20" \
  | jq '.records[] | {name: .Name, email: .Email, company: .Company, status: .Status}'

### Look Up a Contact

Search contacts by email or name:

curl -s -H "Authorization: Bearer $SALESFORCE_ACCESS_TOKEN" \
  "$SALESFORCE_INSTANCE_URL/services/data/v60.0/query/?q=SELECT+Id,Name,Email,Phone,Account.Name+FROM+Contact+WHERE+Email='USER_EMAIL_HERE'" \
  | jq '.records[0]'

### List Open Opportunities

Fetch pipeline opportunities with amounts and close dates:

curl -s -H "Authorization: Bearer $SALESFORCE_ACCESS_TOKEN" \
  "$SALESFORCE_INSTANCE_URL/services/data/v60.0/query/?q=SELECT+Id,Name,StageName,Amount,CloseDate,Account.Name,Owner.Name+FROM+Opportunity+WHERE+IsClosed=false+ORDER+BY+CloseDate+ASC" \
  | jq '.records[] | {name: .Name, stage: .StageName, amount: .Amount, close: .CloseDate, account: .Account.Name}'

### Create a New Lead

curl -s -H "Authorization: Bearer $SALESFORCE_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -X POST "$SALESFORCE_INSTANCE_URL/services/data/v60.0/sobjects/Lead" \
  -d '{
    "FirstName": "FIRST_NAME",
    "LastName": "LAST_NAME",
    "Email": "EMAIL",
    "Company": "COMPANY_NAME",
    "Status": "Open - Not Contacted"
  }' | jq '.id'

### Update an Opportunity Stage

curl -s -H "Authorization: Bearer $SALESFORCE_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -X PATCH "$SALESFORCE_INSTANCE_URL/services/data/v60.0/sobjects/Opportunity/OPPORTUNITY_ID" \
  -d '{
    "StageName": "NEW_STAGE_NAME"
  }'

### Create a Task

curl -s -H "Authorization: Bearer $SALESFORCE_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -X POST "$SALESFORCE_INSTANCE_URL/services/data/v60.0/sobjects/Task" \
  -d '{
    "Subject": "TASK_SUBJECT",
    "WhoId": "CONTACT_OR_LEAD_ID",
    "WhatId": "OPPORTUNITY_OR_ACCOUNT_ID",
    "ActivityDate": "YYYY-MM-DD",
    "Status": "Not Started",
    "Priority": "Normal"
  }' | jq '.id'

## SOQL Quick Reference

Common queries you can adapt:

- Leads created this week: SELECT Id,Name,Company FROM Lead WHERE CreatedDate = THIS_WEEK
- Opportunities closing this month: SELECT Name,Amount,StageName FROM Opportunity WHERE CloseDate = THIS_MONTH AND IsClosed = false
- Contacts at a specific account: SELECT Name,Email,Phone FROM Contact WHERE Account.Name = 'ACCOUNT_NAME'
- Deals over $50K: SELECT Name,Amount,StageName,CloseDate FROM Opportunity WHERE Amount > 50000 AND IsClosed = false
- Stale leads (no activity in 30 days): SELECT Id,Name,Company,LastActivityDate FROM Lead WHERE LastActivityDate < LAST_N_DAYS:30 AND IsConverted = false

## Rules

- Always confirm before creating or updating records. Show the user what will change and ask for approval.
- When searching, try email first. Fall back to name search if no email is provided.
- For opportunity updates, show the current stage and proposed change before executing.
- Respect rate limits: Salesforce allows 100,000 API calls per 24 hours for Enterprise Edition (15,000 for Professional). Space batch operations accordingly.
- Never log the access token or client secret in responses or memory files.
- Use SOQL date literals (THIS_WEEK, LAST_N_DAYS:30) instead of hardcoded dates whenever possible.

What Each Section Does

The frontmatter (name, description, tools) tells OpenClaw when to activate this skill and what system tools it needs. The shell tool lets the agent execute curl commands against Salesforce’s REST API.

The operations section gives your agent templated API calls. When you ask “Show me all opportunities closing this month,” the agent reads the SOQL query template, substitutes the relevant parameters, runs the curl command, and parses the JSON response. The SOQL patterns use Salesforce’s native date literals like THIS_MONTH and LAST_N_DAYS:30, which adapt automatically to the current date.

The rules section sets guardrails. The confirmation rule matters: you do not want your agent silently moving deals to the wrong stage or creating duplicate leads.

Step 4: Test the Connection

Restart OpenClaw to load the new skill:

openclaw gateway restart

Open your Telegram chat (or whichever channel you use) and run these tests:

Read test:

“How many open leads do we have in Salesforce?”

The agent should run a SOQL COUNT() query and return a number.

Search test:

“Find the contact record for jane@acme.com”

The agent should return the contact’s name, phone, account name, and other properties.

SOQL test:

“Show me all opportunities over $25K closing this quarter”

The agent should construct a SOQL query with Amount > 25000 and CloseDate = THIS_QUARTER, then return formatted results.

Write test (after reads work):

“Create a new lead: Sarah Chen, sarah@newclient.com, company: TechFlow Inc”

The agent should show you the record details and ask for confirmation before creating it.

If any test fails, check these common issues:

Symptom	Likely Cause	Fix
401 UNAUTHORIZED	Access token expired or invalid	Re-run the OAuth flow, check refresh token scope
403 INSUFFICIENT_ACCESS	User lacks object-level permissions	Check the user’s profile/permission set in Salesforce Setup
MALFORMED_QUERY	SOQL syntax error	Verify field names match your org’s schema (custom fields end in `__c`)
REQUEST_LIMIT_EXCEEDED	Hit daily API limit	Check usage at Setup > Company Information > API Requests
Empty results	Wrong field name or filter	Run the SOQL query directly in Salesforce Developer Console to debug

Automation Recipes

After the connection works, you can set up automations that run without being asked. Here are three recipes we use in production.

Recipe 1: Lead Scoring Alerts

Add this to your heartbeat.md to get notified about high-value leads:

## Lead Scoring Alert (runs every 2 hours)
Query Salesforce for leads created in the last 2 hours.
For each new lead, check if the company has more than 100 employees
(use the NumberOfEmployees field) and if the lead source is "Web" or "Referral."
If both conditions match, send me a Telegram message with the lead name,
company, email, and employee count. Label it as "High-Priority Lead."

Recipe 2: Opportunity Stage Change Notifications

## Deal Movement Tracker (runs every 4 hours)
Query Salesforce for opportunities where the StageName was modified today
(use SystemModstamp = TODAY and compare current vs previous stage).
For each moved deal, send me: deal name, old stage, new stage, amount, and close date.
Flag any deal that moved backward (e.g., from Negotiation to Discovery) in bold.

Recipe 3: Daily Pipeline Summary

## Morning Pipeline Brief (runs at 8:00 AM)
Pull all open opportunities from Salesforce. Group by stage.
Calculate: total pipeline value, weighted pipeline (amount x probability),
number of deals closing this week, and deals with no activity in 7+ days.
Format as a clean summary and send to Telegram.

Start with Recipe 3. A daily pipeline summary is low-risk (read-only) and immediately useful. Add the other recipes once you trust the agent’s query accuracy.

Security Considerations

Your Connected App has direct API access to your Salesforce org. Treat these credentials with the same care as admin passwords.

Least-privilege scoping. The api OAuth scope is broad, but you can restrict access at the profile level. Create a dedicated Salesforce user for the OpenClaw integration with a custom profile that only has read/write access to the objects you need (Leads, Contacts, Opportunities, Tasks). Revoke access to Accounts, Cases, or any sensitive objects the agent should not touch.

Token storage. Keep the client secret and access tokens in .env files outside your workspace directory. Never place them in agents.md, soul.md, or any workspace file. OpenClaw’s memory files are context that gets sent to the LLM, and you do not want credentials in that context window.

Confirmation rules. The skill’s Rules section requires the agent to confirm before any write operation. This is your safety net against misunderstood instructions. If you find the agent skipping confirmations, strengthen the rule language or add specific examples of what “confirm” looks like.

Sandbox testing. Point SALESFORCE_INSTANCE_URL to your sandbox org (https://yourcompany--sandbox.sandbox.my.salesforce.com) and test every operation before switching to production. Sandbox orgs are free and contain a copy of your schema.

Audit trail. Salesforce logs all API activity. Go to Setup > Security > Event Monitoring (or check Login History) periodically to verify the integration user is making expected calls. Unusual query patterns or after-hours bulk operations are worth investigating.

For more on securing OpenClaw integrations, see Step 9 in our OpenClaw setup guide.

Frequently Asked Questions

Do I need Salesforce Enterprise Edition to connect OpenClaw?

Not necessarily. Developer Edition includes full API access and is free. Enterprise and Unlimited editions include it by default. Professional Edition requires the API Access add-on, which costs extra. Check Setup > Company Information to see your edition and current API usage.

How long does this setup take?

About 30 minutes total. Creating the Connected App takes 10 minutes (including the 2-10 minute activation wait). Writing and testing the skill file takes another 20 minutes. If you need to install OpenClaw first, add 30-45 minutes for the initial setup.

Can OpenClaw run SOQL queries on custom objects?

Yes. Replace the standard object name with your custom object’s API name (ending in __c). For example: SELECT Id, Name, Custom_Field__c FROM My_Custom_Object__c WHERE CreatedDate = TODAY. Custom field names also end in __c. Check the Object Manager in Salesforce Setup for the exact API names.

What happens when Salesforce API rate limits are hit?

Enterprise Edition allows 100,000 API calls per 24-hour period. Professional Edition allows 15,000. Normal conversational use consumes 1-5 calls per interaction, so you would need to run hundreds of queries daily to approach the limit. If you do hit it, the API returns a REQUEST_LIMIT_EXCEEDED error. Add a note to your skill’s Rules section: “If you receive a REQUEST_LIMIT_EXCEEDED error, stop making API calls and notify me.”

Is the OAuth token stored securely?

OpenClaw stores tokens on your local machine (or VPS) in its internal credential store. Tokens are not sent to third-party servers beyond Salesforce itself and your configured LLM provider. The refresh token auto-renews the access token, so you do not need to re-authenticate unless you revoke the Connected App.

Can I use a Salesforce sandbox for testing?

We recommend it. Change SALESFORCE_INSTANCE_URL in your .env file to your sandbox URL. The REST API endpoints and SOQL syntax are identical between sandbox and production. Test every operation in the sandbox before pointing at production. Sandbox orgs refresh from production periodically, so your schema and sample data stay current.

What is the difference between a native skill and Composio/MCP plugins?

A native skill (what this guide builds) gives you full control over which API calls your agent makes and how it formats responses. You see every curl command and can customize the SOQL queries. Composio and MCP plugins abstract the API layer and handle OAuth automatically, which is faster to set up but gives you less visibility into what the agent is doing. For Salesforce admins who want to understand and control every interaction, the native skill approach is better. For teams that want plug-and-play with minimal configuration, MCP plugins are a reasonable alternative.

Key Takeaways

Connect Salesforce to OpenClaw by creating an OAuth 2.0 Connected App and writing a custom SKILL.md with SOQL query templates
Use Salesforce’s REST API directly for full control over queries, CRUD operations, and rate limit management
Start with read-only queries (lead lookups, pipeline checks) before enabling write operations like record creation and stage updates
Store all credentials (client ID, client secret, access tokens) in .env files, never inside workspace files the agent can read
Deploy automation recipes for lead scoring alerts, deal movement tracking, and daily pipeline summaries using OpenClaw’s heartbeat scheduling
Test every operation in a Salesforce sandbox before pointing the integration at your production org