Jam Knowledge Base
Jam Knowledge Base/
Salesforce Connection and Troubleshooting Guide
Salesforce Connection and Troubleshooting Guide
Search
Salesforce Connection and Troubleshooting Guide
Salesforce Connection and Troubleshooting Guide

Salesforce Connection and Troubleshooting Guide

Overview

 
Pam connects to your Salesforce organization using OAuth 2.0, which means Pam can access your CRM data securely without storing your password. This guide covers:
  • How to connect Pam to Salesforce
  • What permissions are required
  • How to fix the most common Salesforce OAuth errors (including enterprise sandbox / QA setups)

Supported Salesforce Setups

 
💡
Pam supports connecting to any Salesforce org as long as the org allows OAuth access, including:
  • Production orgs
  • Sandbox orgs (Developer / Partial / Full)
  • QA / staging sandboxes (often using “My Domain” URLs)
  • Enterprise orgs with SSO (Okta / Azure AD), if the org permits OAuth for external apps
 

OAuth entrypoints (important)

 
Salesforce orgs can require different login URLs.
Pam can connect via:
  • Production global login: https://login.salesforce.com
  • Sandbox global login: https://test.salesforce.com
  • Org-specific “My Domain” login URLs (very common in enterprise + QA), e.g.
    • https://yourcompany.my.salesforce.com
    • https://yourcompany--qa.sandbox.my.salesforce.com
 
If your organization enforces “My Domain” logins, you may need to start OAuth from your org-specific URL (especially for QA sandboxes).
 

Callback URLs used by Pam

Pam uses these callback URLs:
  • Production callback: https://link.wejam.ai/connect/salesforce/oauth-callback
  • Sandbox callback: https://link.wejam.ai/connect/salesforce_sandbox/oauth-callback
 

Do You Have the Right Permissions?

 
⚠️
What you'll need:
To connect Pam for the first time, you typically need:
  • A Salesforce user who can approve/install OAuth apps (often a Salesforce Admin)
 
Some orgs allow end users to connect after an admin has approved/installed Pam once.

How to Check

 
Try connecting Pam to Salesforce (see steps below). If you see an error screen that says:
 
OAUTH_APPROVAL_ERROR_GENERIC or You don't have permission to approve this app
 
...then you don't have the required permissions. This is normal—most sales agents don't have these permissions.
 
This is what it looks like if you do not have the correct permissions
 
 
 

If You Don't Have Permissions

 
No problem. Follow these steps:
  1. Identify your Salesforce Admin – Usually listed in your company's org settings or ask your IT team
  1. Invite them to Pam – In Pam's settings, go to Invitations and add your admin's email with the role Owner. Or you can click on this link
  1. Ask them to connect Salesforce – Your admin can now follow the installation steps below
  1. After they install: Once the app is installed in your Salesforce org, you and other team members can also connect without needing admin permissions
 

Installation Flow

(For Users with App Installation Permissions)
⚠️
First time connecting in this Org?
Pam uses Salesforce's External Client App framework, which requires explicit installation in each org before OAuth can proceed. On your very first attempt, you may see an invalid_client error instead of a login screen — this is expected. Follow the install steps in the troubleshooting section below, then retry.
 
 
 
 

Step 1: Start the Connection

  1. In Pam, go to Settings > Integrations
  1. Choose Salesforce connection type:
      • Production (most customers)
      • Sandbox (for sandbox orgs)
      • Org-specific login URL (if your org uses a special QA/My Domain login URL)
  1. Click Connect Salesforce

Step 2: Log in to Salesforce

You’ll be redirected to Salesforce. Log in with the Salesforce account that should connect to Pam.

Step 3: Consent

Salesforce will show a consent screen listing what Pam can access (based on scopes and your Salesforce permissions). Click Allow to proceed.

Step 4: Confirmation

 
You should see: “Salesforce connected successfully.”
 

What Pam Can Do Now

Once connected, you can ask Pam to:
  • Search and view data: "Show me my open deals" or "Find the Acme Corp contact"
  • Create and update records: "Log a meeting with John Smith about the TechCorp deal"
  • Log emails: "Log my follow-up email for the proposal we discussed"
  • Manage tasks: "Create a reminder to follow up by Friday"
  • Access meeting context: "What do I know about the ABC company?"
Pam respects your Salesforce permissions. Pam can only access data you're already authorized to see in Salesforce. If you can't see a record in Salesforce, Pam can't access it either.
 

Manage Pam App as a Salesforce Admin

 
Admins can manage Pam under:
  • Setup → External Client App Manager → Pam
  • Setup → Connected Apps OAuth Usage → Pam
There you will find the Settings to fix the most common issues.
 
 
 
 
Depending on your org’s security settings, you may need to explicitly “install” or approve Pam for your org (see troubleshooting below).
 

Troubleshooting

 

Error: OAUTH_APPROVAL_ERROR_GENERIC / “You don’t have permission to approve this app”

Cause: The user trying to connect does not have permissions to approve/install OAuth apps.
Fix:
  1. Ask your Salesforce Admin to connect first.
  1. The admin will likely see an invalid_client error on their first attempt — this is expected. Ask them to follow the invalid_client install steps below, then retry.
  1. After the app is installed, other users can typically connect without admin permissions (depending on org policy).

Error: invalid_client / “app must be installed into org”

What this means: Pam uses Salesforce's External Client App framework, which requires explicit installation in each org before OAuth can proceed. This is expected — it's how Salesforce works, not a bug or a new restriction.
Fix (Salesforce Admin):
  1. Go to Setup
  1. Search for Connected Apps OAuth Usage
  1. Find Pam
      • If Pam doesn't appear yet: attempt the OAuth connection once to make it show up, then refresh this page.
  1. Click Install
  1. (Optional) Review policies / permitted users (depending on your org's governance model)
  1. Retry connecting in Pam
 

Error: invalid_client after cloning or refreshing a sandbox

Cause: When you clone or refresh a Salesforce sandbox, Pam is not automatically carried over — it must be installed fresh in each sandbox org. This is a Salesforce platform limitation for External Client Apps.
Fix (Salesforce Admin): Follow the same steps as the invalid_client fix above, but do this inside the sandbox org:
  1. Attempt the OAuth connection once in the sandbox to surface Pam in Connected Apps OAuth Usage
  1. Go to Setup → Connected Apps OAuth Usage, find Pam, and click Install
  1. Retry connecting in Pam

Error: “User is not approved to access this app”

Cause: Pam is installed, but the user isn’t permitted to authorize it.
Fix (Admin):
  • In Salesforce, open Pam and set permitted users / policies so the user (or their profile / permission set) is allowed.

Error: “This app isn’t allowed in your organization”

Cause: Org security policies are blocking OAuth.
Common reasons:
  • IP restrictions / login IP ranges
  • strict session/security settings
  • app explicitly blocked by admins
  • “API Access Control” / allowlisting in place
Fix (Admin):
  • Review:
    • Setup → Login IP Ranges
    • Setup → Session Settings
    • Setup → Connected Apps OAuth Usage / External Client App Manager
  • Ensure Pam is allowed and installed.

Error: “Invalid login URL” (or you get routed to the wrong Salesforce org)

Cause: The OAuth flow started at the wrong Salesforce login URL.
This is common when:
  • You selected “Sandbox” but your org requires a specific QA/My Domain sandbox URL
  • Your company enforces “My Domain” login
Fix:
  • If you normally log in via:
    • login.salesforce.com → choose Production
    • test.salesforce.com → choose Sandbox
    • https://<yourcompany>--<qa>.sandbox.my.salesforce.com (or similar) → use Org-specific login URL (QA/My Domain)
If you’re not sure, copy the URL from your browser when you log into Salesforce and share it with your admin or Jam support.

Connected, but Pam can’t access certain data

Cause: Salesforce profile/permissions don’t grant access to specific objects/fields.
Fix (Admin): Ensure the user has access (as needed) to:
  • Accounts, Contacts, Opportunities
  • Tasks, Events
  • Notes, Emails
  • Any custom objects/fields you want Pam to use
 
 

Manage Your Connection

Disconnect Salesforce

  1. Go to Integrations
  1. Find Salesforce and click Disconnect
  1. Pam will no longer be able to access your Salesforce data

Reconnect After Disconnecting

Simply follow the installation flow again. If the app is still installed, you won't need admin permissions the second time.
 
 

Security & Privacy

  • Your password is never stored – Pam only receives a secure token that expires regularly
  • Your data stays in Salesforce – Pam doesn't copy or store your CRM records; it accesses them in real-time
  • You can revoke access anytime – Disconnect in Pam settings, or have your admin uninstall the app
  • All access is logged – Your Salesforce org tracks every API call Pam makes
 
 
 

Still Having Issues?

If you've tried the troubleshooting steps above and still can't connect:
  1. Contact your Salesforce Admin – They may need to adjust org settings or permissions
  1. Contact Jam Support – Email support@wejam.ai with:
      • The exact error message you're seeing
      • A screenshot or a Screen Recording of the error
      • Your Salesforce org name