Salesforce Connected Apps Changes

This article relates to the Salesforce Critical Incident announcement. Please refer to the Salesforce Help article.

Last updated: 22/08/2025

Summary of the article:

What’s Changing
Starting September 2, 2025, Salesforce is enforcing tighter security around the use of uninstalled connected apps. These are apps that users have authorized but were never formally installed into the org via the AppExchange or admin processes.

Why This Matters
This change is aimed at reducing security risks - including social engineering attacks - by preventing non-admin users from authorizing or accessing uninstalled connected apps. It also addresses vulnerabilities in the OAuth 2.0 device flow.

New Permissions Introduced
Two new user permissions help admins maintain control:

  1. Approve Uninstalled Connected Apps
  2. Use Any API Client

These permissions enable trusted users (e.g., admins or developers) to use or authorize uninstalled apps after the change takes effect.

How This Affects Existing Apps
Uninstalled connected apps already authorized before September 2 will continue to work—unless they were authorized using the OAuth 2.0 device flow (which will be blocked).
New users will be blocked from authorizing apps unless they have one of the new permissions (and the app isn't using the vulnerable device flow).

How This Affects the Payments2Us Application

Any new Payments2Us installation after September 2, and any attempt by an existing organisation's admin to re-authorise Payments2Us after September 2, will definitely be affected by this update.

NOTE: Our developers are currently testing and investigating this and will be updating this article to reflect the changes. 

Updated at August 25th, 2025
