Connect a client org through Salesforce OAuth and start analyzing it in minutes. This is the first step for any engagement — every dx0 feature runs against a connected org.
Before you connect
dx0 reads Salesforce metadata and org configuration. It does not query CRM data like Accounts, Contacts, or Opportunities — if you need to run SOQL against object records, use the Query Data feature separately.
Because dx0 operates at the metadata and configuration layer, the connecting user needs elevated permissions:
Modify All Data — required for Metadata API access
View Setup and Configuration — required to read org configuration
Approve Uninstalled Connected Apps — required if dx0 has not been previously installed in the org, or if you're not using the standard System Administrator profile
The connecting user does not need to be the org owner, but they do need to hold these permissions directly or through a permission set. A System Administrator profile covers all of them by default.
If possible, we recommend using a dedicated user using an Integration User License.
dx0 does not write to the org. All access is read-only.
Connecting an org
Go to Configuration → Connected Orgs and click Add Org.
Fill in the form:
Org Name — a label for this specific org within the project (e.g. "Production", "Full Sandbox", "UAT").
Login Type — choose the right entry point for the org:
Sandbox — for sandboxes and scratch orgs (
test.salesforce.com)Production — for production, developer, and Trailhead orgs (
login.salesforce.com)My Domain — when the org has disabled the standard login URL; paste the full
https://your-domain.my.salesforce.comURL
Click Connect to Org. You'll be redirected to Salesforce to authorize the connection. Log in with the user that holds the required permissions. After authorization, Salesforce redirects back to dx0 and the org status updates to Connected.
Checking and fixing connection status
Each connected org shows a Connected or Disconnected status. OAuth tokens can expire or be revoked — this is normal, especially in sandbox orgs that get refreshed.
From the org detail page you can:
Check Connection — tests the current token against the org. If the connection is still valid, you'll get a confirmation. If it's failed, the status updates to Disconnected.
Re-authenticate — runs the same OAuth flow as the initial connection. Use this to restore a disconnected org without deleting and recreating it. The org record, settings, and history are preserved.
You do not need to delete an org to fix a broken connection. Re-authentication is always the right first step.
Managing connected orgs
From the Connected Orgs list, click any row to open the org detail page. From there you can:
Rename the org — useful when an environment changes role (e.g. a sandbox promoted to staging).
Delete the org — removes the org record from dx0 and revokes the OAuth connection. This cannot be undone. All analysis data associated with the org is also removed.
Practical scenarios
Starting a new engagement. Connect the client's production org and one full sandbox. Use the project field to group them under the client name — this keeps the Connected Orgs list clean when you're managing several clients at once.
Org refresh broke the sandbox connection. After a sandbox refresh, the OAuth tokens are invalidated. Open the org detail page and use Re-authenticate to restore the connection without losing any of your dx0 configuration for that org.
Non-admin user needs to connect. The connecting user doesn't have to be the org owner, but they do need Modify All Data, View Setup and Configuration, and Approve Uninstalled Connected Apps. Create a permission set with those permissions and assign it before attempting to connect.
Handing an engagement to a teammate. The org is connected to the workspace, not to a specific user. Any teammate with access to your dx0 workspace can access the connected org and run analyses without needing to reconnect it.
Client wants to revoke access. Deleting the org from dx0 revokes the OAuth token in Salesforce. You can also ask the client to revoke it directly in Salesforce under Setup → Connected Apps OAuth Usage, if they prefer to manage it on their side.