
Bearer Token Authentication

How to configure token-based authentication in Payloads

Updated over 2 months ago

Bearer Token authentication in Payloads lets you fetch and cache an access token, then attach it automatically to outbound requests. This guide shows how to configure the refresh Payload, map the returned token back to the Credential, and verify the live request sends the correct Authorization header.

Who this guide is for

This guide is for Salesforce admins and integration builders who need to authenticate outbound payload requests with access-token-based authentication.

Before you begin

Make sure you already have:

  • a Bearer Token Credential with Client Id, Client Secret, and Access Token Duration configured

  • a live Payload record that calls out to the target external system

  • an external endpoint you can inspect for inbound requests and headers (for example, Beeceptor)

  • token endpoint details from the target API documentation (URL, method, and expected request/response fields)

How to configure & test the Credential

Review the Bearer Token Credential

Open your Bearer Token Credential and confirm Client Id, Client Secret, and Access Token Duration are set.

If the Access Token field is blank, Payloads treats it as expired and will fetch a fresh token on the next run.

Open the refresh Payload linked to the Credential

When you create a Bearer Token Credential, Payloads creates a refresh Payload for token retrieval. Open that refresh Payload and click Edit.

Configure your token refresh Payload

Configure the refresh Payload end to end in one pass:

  • set the token endpoint URL from your external API documentation

  • set the method required by that endpoint (often POST)

  • set Outbound & Inbound Content Types to match the token API

  • configure the callout body fields (grant_type, client_id, client_secret), with client_id and client_secret mapped from the Credential

  • define the response body element for access_token first, so it is available as an inbound source

  • configure the response Data Targets to update the Credential record, mapping:

    • Id from the Payloads Credential record

    • Access Token from inbound body element access_token

    • Access Token Last Updated from global variable NOW()

Assign the Bearer Token Credential to your live Payload

Open your live Payload, click Edit, and set the Credential field to your Bearer Token Credential.

Run the live Payload and verify token flow

When you run the live Payload, Payloads checks the token state on the Credential. If Access Token is blank or expired, Payloads first runs the refresh Payload, calls the token endpoint, and stores the returned token on the Credential. Payloads then immediately runs your live Payload and attaches that token in the authentication header.

Verify both API calls in Beeceptor

In Beeceptor, confirm both requests are present for the run. Execution order is token refresh first (/token) and live Payload second (/account-updates), even if the UI lists newest requests first.

Verify the live request Authorization header

Open the /account-updates request headers in Beeceptor and confirm Authorization is set to Bearer <access_token>.
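The refresh-then-live flow and the checks from the verification steps above, as an added Python simulation (not Payloads code or its API). The in-memory MockEndpoint stands in for the inspection endpoint; the expiry rule (last updated plus a duration in seconds), the grant_type value, and all credential values are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

class MockEndpoint:
    """Constructed stand-in for the inspection endpoint; records requests in arrival order."""
    def __init__(self):
        self.log, self.issued = [], 0
    def send(self, method, path, headers, body):
        self.log.append({"method": method, "path": path, "headers": headers, "body": body})
        if path == "/token":
            self.issued += 1
            return {"access_token": f"constructed-token-{self.issued}"}
        return {"status": "ok"}

def token_expired(cred, now):
    # Blank token counts as expired (per the guide). Assumption: duration is in seconds.
    if not cred["access_token"]:
        return True
    return now - cred["last_updated"] >= timedelta(seconds=cred["duration"])

def run_live(cred, endpoint, now):
    if token_expired(cred, now):
        resp = endpoint.send("POST", "/token", {}, {
            "grant_type": "client_credentials",  # assumed value; use what your token API requires
            "client_id": cred["client_id"], "client_secret": cred["client_secret"]})
        cred["access_token"], cred["last_updated"] = resp["access_token"], now
    return endpoint.send("POST", "/account-updates",
                         {"Authorization": "Bearer " + cred["access_token"]}, {"name": "Acme"})

def check_capture(log, cred):
    """Checks to make on the requests captured for one run."""
    problems, paths = [], [r["path"] for r in log]
    if paths not in (["/token", "/account-updates"], ["/account-updates"]):
        problems.append(f"unexpected request order: {paths}")
    live = log[-1]
    if live["headers"].get("Authorization") != "Bearer " + cred["access_token"]:
        problems.append("live request does not carry the stored token")
    if cred["client_secret"] in str(live):
        problems.append("client secret appears in the live request")
    return problems

def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    cred = {"client_id": "demo-id", "client_secret": "demo-secret", "duration": 3600,
            "access_token": "", "last_updated": None}
    ep, runs = MockEndpoint(), []
    for offset in (timedelta(0), timedelta(minutes=30), timedelta(hours=2)):
        ep.log.clear()  # blank token, then cached token, then expired token
        run_live(cred, ep, t0 + offset)
        runs.append(([r["path"] for r in ep.log], check_capture(ep.log, cred)))
    return runs, cred["access_token"]
```

Only the first and third runs hit /token; the second reuses the cached token, so a capture showing a token request on every run points to a missing or mis-mapped Access Token Last Updated value.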

What "done" looks like

Your setup is correct when:

  • the live Payload runs successfully

  • the refresh Payload retrieves an access token from the token endpoint when needed

  • the Credential stores the returned access token and last-updated timestamp

  • Beeceptor shows both /token and /account-updates requests for the run

  • the /account-updates request includes an Authorization header with a Bearer value

Summary

With Bearer Token authentication in Payloads, the refresh Payload handles token retrieval and storage, and your live Payload automatically sends the current Authorization: Bearer header.
