
Metadata auth (one-time)

After installing the NumberForge managed package, an admin must complete two quick manual steps before NumberForge Configuration can create generated fields or deploy NF-managed automation. There is no in-app button for the OAuth policy work; that is normal Salesforce Setup.

Assign NumberForge Product Admin first if you have not already (Install & permissions).

Enable Client Credentials on the packaged External Client App

The package installs an associated External Client App for metadata API access. Client Credentials must be turned on once per org on its OAuth policy.

Setup → search External Client Apps → External Client App Manager → open NumberForge Metadata Auth (developer name NF_MetadataAuth, namespace nforge).

External Client App Manager listing NumberForge Metadata Auth

On the app detail page, open the Policies tab → expand OAuth Policies → Edit. Set:

  • Enable Client Credentials Flow → checked
  • Run As (Username) → the same admin user from the permission set step (must be able to run metadata operations)

Save.

OAuth Policies edit form with Client Credentials Flow and Run As User

Open the NumberForge app → NumberForge Configuration tab → Validate metadata auth.

NumberForge Configuration showing Metadata auth is ready after validation

When validation succeeds, metadata auth is ready. No further subscriber action is required unless the package is reinstalled or the run-as user changes.

The package ships publisher OAuth credentials in a PackageProtected protected custom metadata record (NF_MetadataAuthSecret__mdt, record Default). Subscribers never paste credentials and cannot read those values in Setup, SOQL, or the Metadata API.