Overview

The Salesforce + Alysio integration connects your Salesforce CRM to the Alysio platform, enabling AI-powered querying, analysis, and record management directly within Alysio. It securely leverages Salesforce’s REST API via Paragon’s proxy, ensuring all data access aligns with Salesforce permissions, sharing rules, and field-level security.
Read & Write Access: This integration supports both reading and writing data, with access to the standard Salesforce objects used across GTM teams.
Supported Objects
  • Standard Objects: Accounts, Contacts, Leads, Opportunities, Cases, Tasks, Events
  • Custom Objects: Any custom object defined in the connected org
  • Metadata: Object and field definitions for schema discovery
  • Relationships: Lookup and master-detail relationships
Key Use Cases
  • Query and analyze CRM data via natural language
  • Create or update Salesforce records securely
  • Discover object fields dynamically
  • Generate direct Salesforce record URLs
  • Surface AI-powered summaries and insights

Authentication

Method: OAuth 2.0 via Paragon Connect
Redirect URI: https://passport.useparagon.com/oauth
Token Handling:
  • OAuth tokens are issued by Salesforce and securely managed by Paragon; Alysio never stores them.
  • Each tenant connection is isolated by a signed X-Paragon-Credential header.
  • Tokens are automatically refreshed through Paragon.
  • Upon uninstall, credentials are removed and all API access stops.
  • All requests occur in the authenticated Salesforce user’s context, ensuring that access control, field-level security, and sharing rules are enforced.
Required OAuth Scopes
api
id
profile
email
address
phone
refresh_token
Scope Justification
| Scope | Purpose | Justification |
| --- | --- | --- |
| api | Salesforce REST API access | Required for all data operations — querying, reading, creating, and updating CRM records. No bulk or background sync operations are performed. |
| id | User and org identification | Used to verify the authenticated user’s identity and associate the correct workspace connection in Alysio. |
| profile | Basic profile access | Allows Alysio to show the connected user context (e.g., “Connected as John Doe”) and verify setup permissions. |
| email | User email retrieval | Enables audit logging, user mapping, and customer support verification. |
| address | Org-level location data | Used for compliance verification and data residency enforcement. |
| phone | User phone metadata | Optional; helps with support verification and identity resolution. |
| refresh_token | Token renewal | Allows persistent authentication without requiring repeated logins. |
Summary: These scopes collectively provide the minimum necessary access for Alysio to read, query, and update CRM data, while fully respecting user-level permissions, organization-wide defaults, and Salesforce’s security model.
API Access Required: Salesforce requires Enterprise+ edition or a paid API add-on on Pro plans. Check your Salesforce edition before connecting.

API Usage

All requests are routed through Paragon’s secure proxy to the Salesforce REST API. Alysio performs both read and write operations but does not delete data.
Endpoint Categories
| Category | Endpoint | Purpose |
| --- | --- | --- |
| Query | GET /query?q={SOQL} | Execute SOQL queries |
| Metadata | GET /sobjects/{object}/describe | Retrieve object and field metadata |
| Read | GET /sobjects/{object}/{id} | Retrieve specific records |
| Create | POST /sobjects/{object} | Create new records |
| Update | PATCH /sobjects/{object}/{id} | Update existing records |
Read & Write Behavior
  • Read: Executes SOQL queries and retrieves record or metadata details
  • Write: Supports creation and updates (delete operations are disabled for safety)
  • Metadata: Retrieves schema details to power field discovery in Alysio
  • Record URLs: Automatically generates Salesforce Lightning record links for direct access
Rate Limiting
  • Governed by Salesforce org limits (typically 15,000 API calls per 24h/org)
  • Additional throttling may occur at the Paragon proxy layer

App Behavior

  • API calls are initiated on-demand through user actions in Alysio (e.g., natural language queries).
  • Each call is validated against the granted OAuth scopes before execution.
  • All operations execute under the connected Salesforce user’s context.
  • Honors profiles, roles, and organization-wide defaults.
  • Enforces field-level and object-level security automatically.
  • No Salesforce data is persisted or cached (except transient metadata).
Example Flow
  1. A user asks: “Show me all open opportunities closing this month.”
  2. Alysio routes the request through the Salesforce MCP server.
  3. The MCP server translates the query to SOQL and calls /query?q={SOQL} through Paragon.
  4. Salesforce returns matching records respecting user permissions and sharing rules.
  5. Alysio displays those results in the chat — no data stored locally.
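The endpoint table and the example flow above describe a narrow request surface: five method/path shapes, no DELETE, and the `api` scope on every call. As an added example (not Alysio's or Paragon's code), here is a client-side gate that enforces that surface before a call is handed to the proxy; `check_request`, `build_query` and the representation of granted scopes as a set are assumptions.

```python
import re
from urllib.parse import quote

# Allow-list mirroring the Endpoint Categories table; paths are relative to
# the REST base as written there. DELETE is absent, so deletes are refused.
_OBJ = r"[A-Za-z][A-Za-z0-9_]*"               # sObject API name, e.g. Invoice__c
_ID = r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?"   # 15- or 18-character record ID
ALLOWED = [
    ("GET", re.compile(r"/query")),
    ("GET", re.compile(rf"/sobjects/{_OBJ}/describe")),
    ("GET", re.compile(rf"/sobjects/{_OBJ}/{_ID}")),
    ("POST", re.compile(rf"/sobjects/{_OBJ}")),
    ("PATCH", re.compile(rf"/sobjects/{_OBJ}/{_ID}")),
]


def check_request(method, path, granted_scopes):
    """Return (allowed, reason) for one outbound call (hypothetical gate)."""
    if "api" not in granted_scopes:
        return False, "token lacks the api scope"
    for verb, pattern in ALLOWED:
        # fullmatch rejects traversal such as /sobjects/Account/../x
        if verb == method.upper() and pattern.fullmatch(path):
            return True, "ok"
    return False, f"{method} {path} is not in the endpoint allow-list"


def build_query(soql):
    """Return (path, query_string) for a read-only SOQL statement."""
    # The SOQL text is produced from a natural-language prompt, so refuse
    # anything that is not a SELECT before it reaches the proxy.
    if not re.match(r"\s*SELECT\b", soql, re.IGNORECASE):
        raise ValueError("only SELECT statements are sent to /query")
    return "/query", "q=" + quote(soql, safe="")


# Constructed sample for step 3 of the flow above.
SAMPLE_SOQL = ("SELECT Id, Name, CloseDate FROM Opportunity "
               "WHERE IsClosed = false AND CloseDate = THIS_MONTH")

if __name__ == "__main__":
    scopes = {"api", "id", "refresh_token"}
    path, qs = build_query(SAMPLE_SOQL)
    print(check_request("GET", path, scopes), qs)
    print(check_request("DELETE", "/sobjects/Account/001000000000001AAA", scopes))
```

Salesforce still applies profiles, sharing rules and field-level security on its side; this gate only narrows what the client is willing to send.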

Troubleshooting

Salesforce Connected App Installation (Post–Sept 2025 Policy)
In September 2025, Salesforce began enforcing restrictions on uninstalled Connected Apps. Administrators must now approve the Paragon Connected App before other users can connect.
Setup Instructions
  1. Initial Connection
    • A user with the permission “Approve Uninstalled Connected Apps” connects first.
    • The System Administrator profile includes this by default or it can be granted via a Permission Set.
  2. Authorize the App
    • In Salesforce, go to Setup → Connected Apps OAuth Usage
    • Locate Paragon and click Install
    • Approve the app when prompted
  3. Control Access
    • Default: All users may self-authorize
    • To restrict access, change to “Admin approved users are pre-authorized”
    • Grant access via Profiles or Permission Sets
  4. Verification
    • Once approved, other users can connect from Alysio without additional steps
If users cannot connect: Ensure the Paragon app is installed and that their Salesforce profile includes OAuth authorization permissions.
Common Issues
  • Missing API Access → Verify Salesforce edition (Enterprise+ or API add-on required).
  • 403 Forbidden → Check object and field-level permissions for the connected user.
  • 401 Unauthorized → Reauthorize connection in Alysio → Settings → Integrations.
Support

Version History

| Date | Update | Notes |
| --- | --- | --- |
| June 2025 | Legacy Salesforce app created | Initial app using standard OAuth |
| November 2025 | Migrated to Paragon Connected App | Compliance update for new Salesforce Connected App policy |
| Ongoing | Security & compliance improvements | Continuous SOC 2 / ISO 27001 alignment |

Data Flow Diagram

Text Version:
┌─────────────────┐
│ Salesforce User │
│  Initiates      │
│  Connection     │
└────────┬────────┘


┌──────────────────────────┐
│  (1) OAuth Authorization │
│  Redirect URI:           │
│  passport.useparagon.com │
└────────┬─────────────────┘


┌─────────────────────────┐
│   Paragon Connect       │
│                         │
│  • Manages OAuth tokens │
│  • Handles token refresh│
│  • Isolates credentials │
│    via X-Paragon-       │
│    Credential header    │
└────────┬────────────────┘


┌─────────────────────────┐
│      Alysio App         │
│                         │
│  • Validates granted    │
│    OAuth scopes         │
│  • Translates queries   │
│    to SOQL              │
│  • Executes permitted   │
│    API calls            │
│  • Respects user        │
│    permissions          │
└────────┬────────────────┘


┌─────────────────────────┐
│  Salesforce REST API    │
│                         │
│  • Enforces permissions │
│  • Applies sharing rules│
│  • Returns data/        │
│    responses            │
│  • Validates field-level│
│    security             │
└─────────────────────────┘
Summary
  • All traffic passes securely through Paragon’s OAuth proxy.
  • No Salesforce data is stored or cached.
  • Permissions and sharing rules govern every operation.
  • Alysio cannot exceed the scopes granted by the user.
  • Every API call is validated against the token’s scopes before execution.