Salesforce Admin Guide — Pam Connected App
This guide is for Salesforce Administrators. It covers how Pam appears in your Salesforce org, how to install and manage the Connected App, how to control user access, and how to revoke access at the org level.
Prerequisites
- You have been invited to Pam as an Org Admin by your team owner (check your inbox — you must accept the invitation before proceeding)
- Salesforce System Administrator profile or equivalent access
Note: The Pam Connected App will not appear in Salesforce until at least one user has initiated the OAuth flow from within Pam. If you do not see Pam under Connected Apps OAuth Usage yet, complete the Salesforce connection in Pam first (via Customize → Integrations → Salesforce), then return here.
How Pam Connects to Salesforce
Pam uses a registered Salesforce Connected App with a fixed OAuth client_id — the same identity across all customer organisations. When a user connects Pam to Salesforce, they authorise this app through the standard Salesforce OAuth 2.0 flow. No passwords are stored; access is governed entirely by Salesforce's Connected App policies.
Step 1 — Find Pam in Connected Apps OAuth Usage
Navigate to Setup → Apps → Connected Apps → Connected Apps OAuth Usage.
You will see Pam listed alongside other connected apps in your org.

At this point the Install button is shown — Pam has been OAuth'd by a user but not yet formally installed at the org level. The app is visible and manageable here regardless of installation status.
Step 2 — Install Pam at the Org Level
Click Install next to Pam. Salesforce will show a confirmation dialog.

Click Install. After installation, the Uninstall button replaces Install, and a Manage App Policies link appears — confirming Pam is now org-level managed.

Step 3 — Review the Connected App Detail
After installation, click Pam (or navigate via Setup → Apps → Connected Apps → Manage Connected Apps → Pam) to view the full app detail.

Key settings visible here:
Setting | Value |
Version | 1 |
Description | Pam — Your AI Assistant |
Permitted Users | All users may self-authorize |
IP Relaxation | Enforce IP restrictions |
Refresh Token Policy | Refresh token is valid until revoked |
Application Permissions | Perform requests at any time · Access identity URL service · Manage user data via APIs |
Step 4 — Manage Access Policies
From the Connected App Detail, click Edit Policies to configure access controls.

Available controls:
- Permitted Users — change from "All users may self-authorize" to a specific profile or permission set to restrict who can connect
- Refresh Token Policy — set expiry or immediately revoke all refresh tokens
- IP Relaxation — enforce or relax IP restrictions for this app
- High Assurance Session Required — require step-up authentication
You can also view the full app detail including trusted IP ranges, custom scopes, and OAuth permissions:

Step 5 — Manage Connected Apps Overview
Navigate to Setup → Apps → Connected Apps → Manage Connected Apps to see all installed apps and their permitted user settings.

Pam appears here as version 1.0 with "All users may self-authorize". Click Edit to modify policies.
Viewing Individual User OAuth Activity
To inspect a specific user's connected app sessions and token history, navigate to their user record and click Advanced User Details.

This shows:
- All OAuth tokens granted to this user, including Pam's
- Login history with timestamps, IP addresses, and authentication method
- Third-party account links and connected app sessions
Distinguishing Pam API Calls from User-Initiated Actions
Two Salesforce mechanisms allow you to identify Pam's activity separately from direct user actions.
1. Login History (session-level)
Every OAuth session Pam opens is recorded in Login History with Application = Pam and Login Type = Remote Access 2.0. Navigate to a user's Advanced User Details → Authentication History, or export from Setup → Login History.
Field | User logging in directly | Pam making an API call |
Login Type | Application | Remote Access 2.0 |
Application | Browser | Pam |
Browser | Chrome, Firefox, Safari | Unknown |
Authentication Method | — | OAuth Web Server (initial) / OAuth Refresh Token (subsequent) |
Source IP | User's office/home IP | Heroku infrastructure (EU-West) |
Filter by Application = Pam to see every session Pam has opened — with timestamp, IP, and auth method.
2. Event Monitoring — ApiEvent (per-request)
With Salesforce Event Monitoring (paid add-on), every individual API request is logged as an ApiEvent. Each entry includes CONNECTED_APP_NAME, which will show Pam for requests made through our integration and null or the user's client for requests made directly.
This allows you to answer per-request: "was this specific API call made by Pam or by the user directly?" — including the exact endpoint, object type, timestamp, and the authorising user.
Record-level attribution: CreatedById/LastModifiedById on Salesforce records always reflects the authorising user, not the Connected App. This is standard OAuth behaviour — the token acts as the user, consistent with how all OAuth-based integrations operate in Salesforce.
Revoking Access
Revoke a single user's access
- Open the user's Advanced User Details
- Find Pam under Third-Party Account Links or OAuth Tokens
- Click Revoke next to Pam's token
Revoke all access at the org level
Two options:
Option A — Block in Connected Apps OAuth Usage:
Navigate to Setup → Connected Apps OAuth Usage, find Pam, and click Block. This immediately ends all active sessions and prevents new ones.
Option B — Uninstall:
From the Connected App Detail page, click Uninstall. This removes Pam from the org entirely. Users will need to reinstall before reconnecting.
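The Login History filter described above, combined with a check that no Pam session was opened after a revoke or block, as an added example (not code from Pam or Salesforce). The CSV column headers and ISO 8601 timestamps are assumptions about the export format, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. Column headers and the ISO 8601 timestamp
# format are assumptions; adjust them to match your org's export.
SAMPLE_EXPORT = """\
Username,Login Time,Source IP,Login Type,Application,Browser
alice@example.com,2024-05-01T08:00:00+00:00,198.51.100.7,Application,Browser,Chrome
alice@example.com,2024-05-01T08:05:00+00:00,203.0.113.10,Remote Access 2.0,Pam,Unknown
bob@example.com,2024-05-01T09:00:00+00:00,203.0.113.11,Remote Access 2.0,Pam,Unknown
bob@example.com,2024-05-02T09:30:00+00:00,203.0.113.12,Remote Access 2.0,Pam,Unknown
carol@example.com,2024-05-02T10:00:00+00:00,198.51.100.9,Remote Access 2.0,Other App,Unknown
"""

def load_rows(text):
    """Parse the CSV export into dicts with a timezone-aware 'when' field."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row = {k: v.strip() for k, v in row.items()}
        row["when"] = datetime.fromisoformat(row["Login Time"])
        rows.append(row)
    return rows

def is_pam_session(row):
    """Match on both fields the guide names, not Application alone."""
    return row["Application"] == "Pam" and row["Login Type"] == "Remote Access 2.0"

def pam_sessions_per_user(rows):
    """Count Pam-opened sessions per username."""
    return Counter(r["Username"] for r in rows if is_pam_session(r))

def pam_sessions_after(rows, cutoff):
    """Pam sessions opened after a revoke/block time; expected to be empty."""
    return [r for r in rows if is_pam_session(r) and r["when"] > cutoff]

if __name__ == "__main__":
    rows = load_rows(SAMPLE_EXPORT)
    print(dict(pam_sessions_per_user(rows)))
    cutoff = datetime.fromisoformat("2024-05-02T00:00:00+00:00")
    for r in pam_sessions_after(rows, cutoff):
        print("Pam session after cutoff:", r["Username"], r["Login Time"], r["Source IP"])
```

Set the cutoff to the time you clicked Revoke or Block; any row returned by `pam_sessions_after` is a session that should not exist and warrants a look at the user's OAuth tokens.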
Frequently Asked Questions
Does Pam use a registered Connected App with a consistent OAuth client_id?
Yes. Pam is a registered Salesforce Connected App (version 1, description: "Pam — Your AI Assistant") with a fixed client_id that is consistent across all customer organisations and all sessions.
Is the Connected App visible in our org's App Manager?
Yes. Once installed, Pam appears in Setup → Apps → Connected Apps → Connected Apps OAuth Usage and Manage Connected Apps, where administrators can view user counts, manage policies, and block or uninstall the app.
Can our Salesforce administrator revoke Pam's access at the org level, independently of any individual user?
Yes. Two options are available: Block (Connected Apps OAuth Usage — immediately ends all active sessions and prevents new ones) or Uninstall (Connected App Detail — removes Pam from the org entirely). Both act at the org level regardless of individual user sessions.
Can we distinguish Pam's API activity from user-initiated actions?
At the session level: Login History shows Application = Pam and Login Type = Remote Access 2.0 for all Pam-initiated sessions — clearly distinguishable from direct browser logins. At the individual request level: Salesforce Event Monitoring (ApiEvent) includes CONNECTED_APP_NAME = Pam per API call, allowing per-request attribution. At the record level: CreatedById / LastModifiedById reflects the authorising user rather than the Connected App — this is standard OAuth behaviour by design.
Why do CRM record changes show the user's name rather than Pam?
Pam connects to Salesforce using OAuth on behalf of each user. The token acts as that user, so Salesforce attributes record changes to them — the same behaviour as any third-party OAuth integration. This means Pam respects each user's individual Salesforce permissions and data access controls.
What data does Pam access?
Pam only accesses data the connected user is already authorised to see in Salesforce. It does not copy or store CRM data — all records are accessed in real time and remain in Salesforce.

