Connect Bolt.new to Salesforce by creating a Connected App in Salesforce Setup to obtain OAuth 2.0 credentials, then build API routes that use the client credentials flow to authenticate and query Salesforce's REST API. Use SOQL queries to fetch leads, contacts, and opportunities. Salesforce's OAuth callback URL requires a deployed app — the WebContainer preview cannot handle the redirect. Deploy to Netlify or Bolt Cloud before testing authentication.
Build a Custom CRM Dashboard with Salesforce and Bolt.new
Salesforce is the enterprise CRM standard — the platform where sales teams track every lead, contact, deal, and account interaction. While Salesforce has its own UI, many teams need custom dashboards that surface the specific data they care about, or apps that feed data into Salesforce from other tools. Bolt.new lets you build these custom integrations by connecting to Salesforce's comprehensive REST API, which provides full access to standard and custom objects through SOQL (Salesforce Object Query Language).
The integration uses OAuth 2.0 to authenticate your Bolt app with Salesforce. You create a Connected App in Salesforce Setup, which gives you a Consumer Key and Consumer Secret. These credentials authenticate API requests and return access tokens that let your app query CRM data. Because OAuth requires a registered callback URL, the full authentication flow must be tested on a deployed app — Bolt's WebContainer preview uses dynamic URLs that cannot be pre-registered in Salesforce. The most common workaround for development is the client credentials flow (server-to-server OAuth without browser redirect), which works in the preview for direct data access without user-specific permissions.
Salesforce's REST API is comprehensive but can be complex — it exposes hundreds of standard objects and allows custom object creation. This guide focuses on the most common use cases: fetching leads, contacts, and opportunities for pipeline dashboards, and creating or updating records from your Bolt app. Rate limits vary by Salesforce edition (15,000 API calls/day on Professional, 100,000+ on Enterprise), so implementing caching in your API routes is important for production apps.
Integration method
Bolt.new connects to Salesforce through server-side API routes that proxy authentication and data requests to Salesforce's REST API. Because Salesforce uses OAuth 2.0 with a callback URL requirement, the integration must be tested on a deployed URL — the WebContainer preview uses a dynamic URL that cannot be registered as a stable OAuth redirect URI. API routes handle token management and SOQL queries while keeping Salesforce credentials out of client-side code.
Prerequisites
- A Salesforce account with API access (Professional edition or higher — Developer edition is free at developer.salesforce.com)
- System Administrator profile or permission to create Connected Apps in Salesforce Setup
- A Bolt.new project with a Next.js or Vite setup
- A deployed URL on Netlify or Bolt Cloud for OAuth callback URL registration (required for web server OAuth flow)
- Your Salesforce instance URL (e.g., https://yourcompany.my.salesforce.com)
Step-by-step guide
Create a Salesforce Connected App
Create a Salesforce Connected App
Every integration with Salesforce requires a Connected App — this is how Salesforce issues OAuth credentials to external applications. Log in to your Salesforce org, then navigate to Setup by clicking the gear icon in the top-right corner and selecting Setup. In the Quick Find search box, type 'App Manager' and click it in the results. Click the 'New Connected App' button in the top-right corner of the App Manager page. Fill in the required fields: Connected App Name (e.g., 'Bolt Dashboard'), API Name (auto-fills), and Contact Email. In the API (Enable OAuth Settings) section, check the 'Enable OAuth Settings' checkbox. This reveals the OAuth configuration fields. For the Callback URL, you'll need your deployed Bolt app URL — enter a placeholder like 'https://your-app.netlify.app/api/salesforce/callback' for now and update it after deploying. Under Selected OAuth Scopes, add: 'Access and manage your data (api)', 'Perform requests at any time (refresh_token, offline_access)', and 'Full access (full)'. If you plan to use the client credentials flow (server-to-server, no user login), also check 'Enable Client Credentials Flow' in the OAuth settings. Click Save. Salesforce takes 2-10 minutes to activate the new Connected App. Once saved, navigate back to the app and click 'Manage Consumer Details' to retrieve your Consumer Key (Client ID) and Consumer Secret (Client Secret). Store these values — you'll need them in your .env file.
Pro tip: Use a Salesforce Developer Edition org (free at developer.salesforce.com) during development — it has the same API capabilities as paid editions and your experiments won't affect real CRM data.
Expected result: You have a Consumer Key and Consumer Secret from your Salesforce Connected App, ready to use in API authentication.
Set Up Environment Variables and Prompt Bolt to Generate the Integration
Set Up Environment Variables and Prompt Bolt to Generate the Integration
With your Salesforce credentials ready, add them to your Bolt project's .env file and then prompt Bolt to generate the API routes. Create or open the .env file in your Bolt project root and add the following variables: SALESFORCE_CLIENT_ID (your Consumer Key), SALESFORCE_CLIENT_SECRET (your Consumer Secret), SALESFORCE_INSTANCE_URL (your Salesforce org URL, e.g., https://yourcompany.my.salesforce.com), and SALESFORCE_API_VERSION (e.g., v59.0). In a Next.js project, prefix these with nothing — they'll be used server-side only. In a Vite project, you'll need to proxy requests through a server-side handler since these credentials must never reach the client. The client credentials OAuth flow is the most practical approach for development: your API route exchanges the Client ID and Secret directly for an access token without requiring a user browser redirect. This works in Bolt's WebContainer preview during development, unlike the web server flow which requires a deployed callback URL. Prompt Bolt to generate the authentication helper and SOQL query routes. The generated code will handle token caching (access tokens are valid for 1-2 hours) so you're not making authentication requests on every API call.
Set up a Salesforce REST API integration for my Next.js Bolt app. Create a utility at lib/salesforce.ts that implements the client credentials OAuth 2.0 flow: POST to https://${process.env.SALESFORCE_INSTANCE_URL}/services/oauth2/token with grant_type=client_credentials, client_id, and client_secret from environment variables. Cache the returned access_token and its expiry. Export a salesforceRequest(path, method, body) function that adds the Authorization: Bearer {token} header and calls the Salesforce REST API at ${SALESFORCE_INSTANCE_URL}/services/data/${SALESFORCE_API_VERSION}/${path}. Then create an API route at app/api/salesforce/opportunities/route.ts that calls this utility to run the SOQL query: SELECT Id, Name, StageName, Amount, CloseDate FROM Opportunity WHERE IsClosed = false ORDER BY Amount DESC LIMIT 50.
Paste this in Bolt.new chat
1// lib/salesforce.ts2interface SalesforceTokenResponse {3 access_token: string;4 instance_url: string;5 token_type: string;6}78let cachedToken: { token: string; expiresAt: number } | null = null;910async function getSalesforceToken(): Promise<string> {11 if (cachedToken && Date.now() < cachedToken.expiresAt) {12 return cachedToken.token;13 }1415 const params = new URLSearchParams({16 grant_type: 'client_credentials',17 client_id: process.env.SALESFORCE_CLIENT_ID!,18 client_secret: process.env.SALESFORCE_CLIENT_SECRET!,19 });2021 const response = await fetch(22 `${process.env.SALESFORCE_INSTANCE_URL}/services/oauth2/token`,23 {24 method: 'POST',25 headers: { 'Content-Type': 'application/x-www-form-urlencoded' },26 body: params.toString(),27 }28 );2930 if (!response.ok) {31 throw new Error(`Salesforce auth failed: ${response.statusText}`);32 }3334 const data: SalesforceTokenResponse = await response.json();35 // Cache for 1 hour (tokens last ~2 hours, refresh early)36 cachedToken = { token: data.access_token, expiresAt: Date.now() + 3600000 };37 return data.access_token;38}3940export async function salesforceQuery(soql: string) {41 const token = await getSalesforceToken();42 const encoded = encodeURIComponent(soql);43 const apiVersion = process.env.SALESFORCE_API_VERSION || 'v59.0';4445 const response = await fetch(46 `${process.env.SALESFORCE_INSTANCE_URL}/services/data/${apiVersion}/query?q=${encoded}`,47 { headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' } }48 );4950 if (!response.ok) {51 throw new Error(`Salesforce query failed: ${response.statusText}`);52 }5354 return response.json();55}5657export async function salesforceCreate(objectType: string, data: Record<string, unknown>) {58 const token = await getSalesforceToken();59 const apiVersion = process.env.SALESFORCE_API_VERSION || 'v59.0';6061 const response = await fetch(62 `${process.env.SALESFORCE_INSTANCE_URL}/services/data/${apiVersion}/sobjects/${objectType}`,63 {64 method: 'POST',65 headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },66 body: JSON.stringify(data),67 }68 );6970 return response.json();71}Pro tip: The client credentials flow (server-to-server) works during Bolt development without a deployed callback URL. The web server flow (user-facing login) requires a deployed app — test that on Netlify or Bolt Cloud.
Expected result: Bolt generates the Salesforce authentication utility and API routes. The .env file contains your Salesforce credentials. Running the app shows Salesforce data in the preview.
Build SOQL Query Routes for CRM Data
Build SOQL Query Routes for CRM Data
Salesforce's REST API uses SOQL (Salesforce Object Query Language) to query records. SOQL is similar to SQL but designed for Salesforce's object model — you query specific objects (Lead, Contact, Opportunity, Account) and select the fields you need. Build dedicated API routes for each data type your dashboard needs. For a pipeline dashboard, you typically need Opportunities (open deals), Leads (new inquiries), and Contacts (people associated with accounts). Each route should accept query parameters for filtering — for example, stage name or date range for opportunities. The Salesforce REST API returns paginated results — the response includes a totalSize, a done flag, and a records array. If done is false, a nextRecordsUrl provides the URL for the next page of results. For most dashboard use cases with LIMIT clauses you won't hit pagination, but building in support is good practice. The API also supports relationship queries using dot notation — for example, Account.Name in a Contact query returns the contact's associated account name without a separate request. Important for performance: always include LIMIT in your SOQL queries. Unbounded queries can time out, trigger governor limits, and consume a large fraction of your daily API call quota. A well-designed dashboard typically needs 3-5 targeted SOQL queries on page load rather than one large query fetching everything.
Create three Salesforce API routes for my CRM dashboard. Route 1: GET /api/salesforce/opportunities — query open opportunities with SOQL: SELECT Id, Name, StageName, Amount, CloseDate, Account.Name, OwnerId FROM Opportunity WHERE IsClosed = false ORDER BY CloseDate ASC LIMIT 100. Route 2: GET /api/salesforce/leads — query recent leads: SELECT Id, FirstName, LastName, Email, Company, Status, CreatedDate FROM Lead WHERE IsConverted = false ORDER BY CreatedDate DESC LIMIT 50. Route 3: POST /api/salesforce/leads — create a new Lead from JSON body (FirstName, LastName, Email, Company required). All routes use the salesforceQuery and salesforceCreate utilities from lib/salesforce.ts. Return the Salesforce API response as JSON.
Paste this in Bolt.new chat
1// app/api/salesforce/opportunities/route.ts2import { NextResponse } from 'next/server';3import { salesforceQuery } from '@/lib/salesforce';45export async function GET(request: Request) {6 const { searchParams } = new URL(request.url);7 const stage = searchParams.get('stage');89 let soql = `SELECT Id, Name, StageName, Amount, CloseDate, Account.Name 10 FROM Opportunity 11 WHERE IsClosed = false`;1213 if (stage) {14 soql += ` AND StageName = '${stage.replace(/'/g, "\\'")}'`;15 }1617 soql += ' ORDER BY CloseDate ASC LIMIT 100';1819 try {20 const data = await salesforceQuery(soql);21 return NextResponse.json(data);22 } catch (error) {23 console.error('Salesforce opportunity query failed:', error);24 return NextResponse.json({ error: 'Failed to fetch opportunities' }, { status: 500 });25 }26}2728// app/api/salesforce/leads/route.ts29import { NextRequest, NextResponse } from 'next/server';30import { salesforceQuery, salesforceCreate } from '@/lib/salesforce';3132export async function GET() {33 const soql = `SELECT Id, FirstName, LastName, Email, Company, Status, CreatedDate 34 FROM Lead 35 WHERE IsConverted = false 36 ORDER BY CreatedDate DESC LIMIT 50`;37 try {38 const data = await salesforceQuery(soql);39 return NextResponse.json(data);40 } catch (error) {41 return NextResponse.json({ error: 'Failed to fetch leads' }, { status: 500 });42 }43}4445export async function POST(request: NextRequest) {46 const body = await request.json();47 try {48 const result = await salesforceCreate('Lead', body);49 return NextResponse.json(result);50 } catch (error) {51 return NextResponse.json({ error: 'Failed to create lead' }, { status: 500 });52 }53}Pro tip: Always sanitize SOQL string parameters by escaping single quotes (replace ' with \') to prevent SOQL injection. Never interpolate user input directly into SOQL queries without sanitization.
Expected result: The API routes return Salesforce CRM data as JSON. The dashboard shows opportunities grouped by stage and a list of recent leads.
Deploy and Configure OAuth Callback for User-Facing Login
Deploy and Configure OAuth Callback for User-Facing Login
If your app needs to access Salesforce data on behalf of individual users (not just via a service account), you'll need the full OAuth 2.0 web server flow where users log in with their own Salesforce credentials. This flow requires a deployed callback URL — the WebContainer preview's dynamic URL (e.g., https://[hash].local.webcontainer-api.io/) cannot be registered in Salesforce as a stable redirect URI. Deploy your app to Netlify or Bolt Cloud first to get a stable URL. Once deployed, go to your Salesforce Connected App: Setup → App Manager → find your app → Edit. Update the Callback URL to your deployed URL: https://your-app.netlify.app/api/salesforce/callback. Save the change. On your hosting platform, add the same environment variables from your .env file: SALESFORCE_CLIENT_ID, SALESFORCE_CLIENT_SECRET, SALESFORCE_INSTANCE_URL, and SALESFORCE_API_VERSION. For Netlify: Site Configuration → Environment Variables → Add Variable. The OAuth web server flow redirects users to Salesforce's login page, authenticates them, then sends an authorization code to your callback URL. The callback exchanges this code for an access token and refresh token, which you store in the user's session. Salesforce refresh tokens have configurable expiry — set it to 'token is valid until revoked' in the Connected App's OAuth policies for the best user experience.
Add Salesforce OAuth web server flow to my deployed Next.js app. Create a login route at /api/salesforce/auth that redirects to Salesforce's authorization URL: ${SALESFORCE_INSTANCE_URL}/services/oauth2/authorize with response_type=code, client_id, redirect_uri=${APP_URL}/api/salesforce/callback, and scope=api refresh_token. Create the callback route at /api/salesforce/callback that exchanges the code for tokens via POST to /services/oauth2/token, then stores the access_token and refresh_token in an encrypted session cookie. Create a /api/salesforce/refresh route that uses the refresh_token to get a new access_token when it expires.
Paste this in Bolt.new chat
1// app/api/salesforce/callback/route.ts2import { NextRequest, NextResponse } from 'next/server';34export async function GET(request: NextRequest) {5 const { searchParams } = new URL(request.url);6 const code = searchParams.get('code');78 if (!code) {9 return NextResponse.redirect(new URL('/error?msg=no_code', request.url));10 }1112 const params = new URLSearchParams({13 grant_type: 'authorization_code',14 client_id: process.env.SALESFORCE_CLIENT_ID!,15 client_secret: process.env.SALESFORCE_CLIENT_SECRET!,16 redirect_uri: `${process.env.APP_URL}/api/salesforce/callback`,17 code,18 });1920 const tokenResponse = await fetch(21 `${process.env.SALESFORCE_INSTANCE_URL}/services/oauth2/token`,22 {23 method: 'POST',24 headers: { 'Content-Type': 'application/x-www-form-urlencoded' },25 body: params.toString(),26 }27 );2829 const tokens = await tokenResponse.json();30 // Store tokens in session (implement session storage per your auth setup)31 // tokens.access_token, tokens.refresh_token, tokens.instance_url3233 return NextResponse.redirect(new URL('/dashboard', request.url));34}Pro tip: The client credentials flow (server-to-server) is simpler and works in the WebContainer preview — use it for internal tools. Only implement the web server flow if end users need to authenticate with their own Salesforce accounts.
Expected result: After deployment, navigating to /api/salesforce/auth redirects to Salesforce login, and after authentication, users are redirected back to your dashboard with their CRM data loaded.
Common use cases
Sales Pipeline Dashboard
Build a real-time sales pipeline dashboard that pulls open opportunities from Salesforce, groups them by stage, and calculates total pipeline value per stage. The dashboard replaces manual Salesforce report exports with a live, custom-styled view tailored to your team's workflow.
Build a Salesforce pipeline dashboard. Create an API route at /api/salesforce/opportunities that authenticates with Salesforce using the client credentials OAuth flow (Consumer Key and Consumer Secret from .env), then queries opportunities using SOQL: SELECT Id, Name, StageName, Amount, CloseDate, AccountId FROM Opportunity WHERE IsClosed = false ORDER BY CloseDate ASC. Display the results as a Kanban board grouped by StageName with total pipeline value per column.
Copy this prompt to try it in Bolt.new
Lead Capture Form to Salesforce
Add a contact form to your Bolt app that automatically creates a Lead record in Salesforce when submitted. When a visitor fills out the form, the app calls a server-side API route that authenticates with Salesforce and creates the lead — no manual data entry required.
Create a contact form with fields: First Name, Last Name, Email, Company, Phone, and Message. On submit, call an API route at /api/salesforce/leads that creates a new Lead record in Salesforce with the form data. Map Message to the Description field. Use the Salesforce REST API with client credentials OAuth. Show a success confirmation after the lead is created. Store the Salesforce credentials in .env as SALESFORCE_CLIENT_ID and SALESFORCE_CLIENT_SECRET.
Copy this prompt to try it in Bolt.new
Contact Lookup and Update Tool
Build an internal tool that lets your team search for Salesforce contacts by name or email, view their details, and update fields directly from the Bolt app without opening Salesforce. Useful for teams who need quick edits without navigating Salesforce's full interface.
Build a Salesforce contact lookup tool. Create a search input that queries the Salesforce API via a route at /api/salesforce/contacts?q={search}. The SOQL query should be: SELECT Id, FirstName, LastName, Email, Phone, Account.Name, Title FROM Contact WHERE Name LIKE '%{term}%' OR Email LIKE '%{term}%' LIMIT 20. Display results in a table. Clicking a row shows a detail panel with an Edit button. The Edit form should call PATCH /api/salesforce/contacts/:id to update the record using the Salesforce REST API PATCH endpoint.
Copy this prompt to try it in Bolt.new
Troubleshooting
Authentication fails with 'invalid_client_id' or 'OAUTH_APP_BLOCKED' error
Cause: The Connected App is not yet active (Salesforce takes 2-10 minutes to provision), or the Client ID/Secret values are incorrect, or the client credentials flow is not enabled on the Connected App.
Solution: Wait 10 minutes after creating the Connected App before testing. Verify the Consumer Key and Secret from Setup → App Manager → your app → Manage Consumer Details. If using client credentials flow, confirm 'Enable Client Credentials Flow' is checked in the Connected App's OAuth settings and a user profile has been selected under the client credentials flow section.
SOQL query returns 'MALFORMED_QUERY' or 'INVALID_FIELD' error
Cause: The field name in the SOQL query doesn't exist on that Salesforce object, or the SOQL syntax has an error (missing quotes around string values, invalid relationship name).
Solution: Verify field names in Salesforce Setup → Object Manager → select the object (e.g., Opportunity) → Fields & Relationships. Field API names are case-sensitive in SOQL. String values in WHERE clauses must be wrapped in single quotes. Use Salesforce's Workbench tool (workbench.developerforce.com) to test SOQL queries interactively before adding them to your API routes.
1// CORRECT SOQL string filter2const soql = `SELECT Id, Name FROM Contact WHERE Email = '${email.replace(/'/g, "\\'")}'`;34// WRONG — missing quotes around string value5// const soql = `SELECT Id, Name FROM Contact WHERE Email = ${email}`;OAuth callback URL mismatch error during user-facing authentication
Cause: The callback URL in your code does not exactly match the Callback URL registered in the Salesforce Connected App, including protocol, domain, path, and any trailing slashes.
Solution: In Salesforce Setup → App Manager → your Connected App → Edit, verify the Callback URL matches your deployed app exactly. The URL in your API route must be identical character-for-character. Remember that Bolt's WebContainer preview URL changes dynamically — only use deployed URLs (Netlify or Bolt Cloud) for OAuth callback registration. This OAuth callback limitation is a fundamental constraint of WebContainers.
API returns 'REQUEST_LIMIT_EXCEEDED' error
Cause: Your Salesforce edition's daily API call limit has been reached. Professional edition allows 15,000 calls/day; Enterprise allows 100,000+.
Solution: Implement response caching in your API routes — cache SOQL query results for at least 5 minutes before re-fetching. For dashboard data that doesn't change frequently, 15-minute or 1-hour cache times are reasonable. Check your usage in Salesforce Setup → Company Information → API Requests, Last 24 Hours.
Best practices
- Use the client credentials OAuth flow for internal tools and dashboards — it's simpler to set up and works in Bolt's WebContainer preview without a deployed callback URL
- Always use LIMIT clauses in SOQL queries to avoid hitting Salesforce governor limits and consuming excessive API call quota
- Cache Salesforce access tokens — they're valid for about 2 hours, so re-authenticating on every request is wasteful and slow
- Never put your Salesforce Consumer Secret or access tokens in client-side code — always proxy Salesforce API calls through server-side API routes
- Sanitize string parameters in SOQL queries by escaping single quotes to prevent SOQL injection attacks
- Use a Salesforce Developer Edition org (free) for all development and testing — never test against a production Salesforce org with real customer data
- Test OAuth callback flows on your deployed Netlify or Bolt Cloud URL — the WebContainer's dynamic preview URL cannot be registered as a stable OAuth redirect URI
- Request only the minimum OAuth scopes your app needs — 'api' scope for REST API access is sufficient for most dashboard integrations
Alternatives
HubSpot has a simpler REST API, a generous free tier with full API access, and better documentation for developers — making it a more accessible CRM integration for most Bolt.new projects.
Zoho CRM offers a comparable feature set to Salesforce at a fraction of the cost, with a more straightforward REST API and OAuth implementation.
Pipedrive is a sales-focused CRM with a clean REST API and no complex Connected App setup — the simplest option for building pipeline dashboards in Bolt.new.
Salesforce Commerce Cloud is the e-commerce-specific Salesforce platform, better suited for online storefront integrations than the general CRM use cases covered here.
Frequently asked questions
Can I use Salesforce with Bolt.new in the WebContainer preview?
Yes, with the client credentials OAuth flow (server-to-server authentication). This flow doesn't require a browser redirect, so it works in Bolt's preview. You can query Salesforce data and create records during development. However, the web server OAuth flow (where end users log in with their Salesforce credentials) requires a deployed app with a stable callback URL — that part must be tested on Netlify or Bolt Cloud.
Do I need a paid Salesforce account to use the API?
No — Salesforce Developer Edition is completely free and includes full REST API access. Sign up at developer.salesforce.com. Developer Edition has a 200MB storage limit and 5MB file storage, but is otherwise fully functional for building and testing integrations. Paid production orgs (Professional, Enterprise) have higher API call limits.
What is SOQL and how does it differ from SQL?
SOQL (Salesforce Object Query Language) is Salesforce's query language, syntactically similar to SQL but designed for Salesforce's object model. Key differences: SOQL uses Salesforce object names instead of table names (e.g., Opportunity instead of opportunities), supports relationship queries with dot notation (e.g., Account.Name), doesn't support JOIN syntax, and has governor limits on query results. Most SQL developers can write basic SOQL queries within minutes.
How many API calls can I make to Salesforce per day?
API limits depend on your Salesforce edition: Developer Edition allows 15,000 calls/day, Professional allows 15,000, Enterprise allows 100,000, and Unlimited allows 1,000,000+. For dashboards with multiple users, implement response caching in your API routes to minimize API call consumption. You can check your current usage in Salesforce Setup → Company Information.
Can Bolt.new receive Salesforce outbound messages or webhooks?
During development in Bolt's WebContainer, no — the preview URL is dynamic and unreachable from Salesforce's servers. Salesforce outbound messages (their push notification system) and Change Data Capture events require a publicly accessible HTTPS endpoint. Deploy to Netlify or Bolt Cloud first, then configure outbound messages in Salesforce to point to your deployed webhook URL.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation