You tried making an OAuth call using the username-password flow. Everything seemed set up correctly — client ID, secret, username, password + security token, correct endpoint — but in the Login History you see:
“Username-Password Flow Disabled”
This isn’t a credentials error. It means Salesforce has disabled that flow in your org (or for that type of app) — by default, for security reasons.

✅ Why Salesforce Disables It
Here are the main reasons:
- Security: The username-password flow exposes user credentials more directly than other OAuth grant types.
- Recent policy: If your org was created in Summer ’23 or later, Salesforce blocks this flow by default.
- Type of app: With the newer External Client Apps, the username-password flow is not supported.
⚠ What Happens If You Try Anyway
If you try to use username-password despite being blocked:
- The API returns something like `{ "error": "invalid_grant", "error_description": "authentication failure" }`
- Login History shows “Username-Password Flow Disabled”
- No matter how correct your credentials are, the flow is rejected if disabled at the org/app level.
🔧 What You Should Do Instead / Alternatives
| Situation | Recommended Action |
|---|---|
| You want to stick with username-password just for a test or legacy reasons | Check in Setup → OAuth and OpenID Connect Settings that “Allow OAuth Username-Password Flows” is enabled. |
| Your org is new (created after Summer ’23) or you’re using an External Client App | Use a different OAuth flow: Client Credentials, JWT Bearer, or Authorization Code depending on whether there’s a user involved or just server-to-server. |
| You’ve enabled the setting but it’s still not working | Also verify: • You’re using a Connected App, not an External Client App • IP restrictions are not preventing login • You appended the security token to the user’s password (when required) • The endpoint (production vs sandbox) is correct • No org-wide policy is blocking the flow automatically. |
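As an added example (not code from this article or from Salesforce), the helper below builds the token-request bodies for the username-password flow and for the Client Credentials alternative from the table, and maps the error body shown above to an operator hint that points at Login History. The endpoint hosts and the sample values are assumptions.

```python
"""Added example, not Salesforce's code: build token-request forms for the flows discussed
above and interpret the token endpoint's error body. Endpoints and samples are assumptions."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: no My Domain, so production vs sandbox is the login vs test host.
TOKEN_ENDPOINTS = {
    "production": "https://login.salesforce.com/services/oauth2/token",
    "sandbox": "https://test.salesforce.com/services/oauth2/token",
}

def password_flow_form(client_id, client_secret, username, password, security_token=""):
    """Username-password flow: the security token is appended to the password when required."""
    return {"grant_type": "password", "client_id": client_id, "client_secret": client_secret,
            "username": username, "password": password + security_token}

def client_credentials_form(client_id, client_secret):
    """Client Credentials flow: no user password leaves the server."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret}

def explain_token_response(body):
    """Return None on success, else an operator hint. A blocked flow and bad credentials
    produce the same body, so the hint points at Login History rather than guessing."""
    if "access_token" in body:
        return None
    err, desc = body.get("error"), body.get("error_description", "")
    if err == "invalid_grant" and "authentication failure" in desc:
        return ("invalid_grant/authentication failure: wrong credentials OR the "
                "username-password flow is disabled for this org/app; check Login History "
                "for 'Username-Password Flow Disabled' before retrying.")
    return f"{err}: {desc}"

def request_token(env, form):
    """POST the form and return the parsed JSON body; Salesforce sends errors as HTTP 400."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(TOKEN_ENDPOINTS[env], data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        return json.load(exc)  # error body is still JSON

# Constructed sample of the body the page shows for a blocked flow.
SAMPLE_BLOCKED = {"error": "invalid_grant", "error_description": "authentication failure"}
```

Call `request_token("sandbox", password_flow_form(...))` and pass the result to `explain_token_response` to get the hint; only `request_token` touches the network.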
💡 Best Practices / Tips
- Avoid using the username-password flow for new integrations — it’s considered insecure and likely to cause trouble later.
- Favor flows that don’t expose user credentials, like JWT Bearer or Client Credentials — especially for backend / server-to-server work.
- Regularly check Salesforce’s documentation for security policy updates, because what’s allowed can change.
Conclusion
Seeing “Username-Password Flow Disabled” may come as a surprise, but it is intentional: Salesforce is pushing toward more secure OAuth flows. Fortunately, solid, safer alternatives already exist.
