Laki Agent Docs
Connecting Salesforce
The two separate Salesforce channels — the browser login and the sf CLI — and how to verify both with the Connection Status panel.
This is the one thing worth understanding up front: Laki Agent reaches Salesforce through two separate, independent channels, and they authenticate in different places.
| Channel | Role | How it authenticates |
|---|---|---|
| Browser login | The agent's eyes — reads the rendered page via CDP | Cookies / SSO in the app's persistent browser session |
sf CLI | The agent's hands — sf org list, SOQL, deploys | sf org login web in a terminal → stored in ~/.sf |
Logging into Salesforce in the browser pane does NOT log in the `sf` CLI. They're separate. To have the agent fully working you connect both — once each.
1. Log into the browser
In the embedded browser, navigate to your org and log in normally. The app rides a persistent session, so SSO, IP restrictions, MFA, and "trusted browser" device tokens all work and survive restarts — you won't redo MFA every launch. This is what the agent *sees*.
2. Connect the sf CLI
In a terminal (or the app's Terminal tab), run:
sf org list # shows the orgs the CLI is authenticated to
sf org login web # authenticates a new org (opens a browser)
sf org list # confirm it now appearsNote the alias — that's how you'll refer to the org when asking the agent (e.g. *"describe the Account object in acme"*).
Verify both — the Connection Status panel
Open Settings → Connection status. It runs a three-way check and uses the browser's *real* current URL (never a value the UI supplies):
- Model — is your active model reachable (Claude CLI signed in, or a BYO key set).
- Salesforce CLI — is
sfinstalled and how many orgs it's authenticated to. - Browser org — does the org open in the browser match one of your
sf-authenticated orgs. It reports *matched* (with the alias), *no-match* (a real org you haven'tsf-authenticated), or *not on an org page yet*.
Sign out of Salesforce
Settings → Sign out of Salesforce wipes the browser's persistent session (cookies + storage) so you can test a clean login. It clears browser session state only — it never touches org data, and it's separate from Laki Bits sign-out.