You should not normally create Credential Payloads manually.

Payloads creates this type of Payload automatically when you create a Bearer Token Credential. The generated Payload supports the token callout needed by that Credential, so your business Payloads can use the Credential without each one needing its own token refresh setup.

You may still open the generated Credential Payload to review how the token request and response are configured.

If you are deciding which Payload type to use for a business integration step, see Choose a Payload type.

You will usually see a Credential Payload after creating a Bearer Token Credential that needs to:

Only create or edit this type manually when you are deliberately building an advanced authentication flow and you understand how the related Credential will use it.

The demo Bearer Token Credential creates a Payload named Demo OAuth Bearer Token Refresh. That generated Payload includes a token request body, a token response body, and a Data Target that writes the returned token values back to the Credential.

A Credential Payload has a Callout side and a Response side.

The Callout side builds the request sent to the authentication or validation endpoint. It can include Data Queries, Body, Headers, Parameters, and Modifiers.

The Response side models the response and can use Data Targets to update Salesforce records, including Credential records where appropriate.

A Bearer Token Credential automatically creates this Credential Payload, including the request body fields and the Data Target that updates the related Credential.

When you review a generated Credential Payload, start with the main fields on the Payload record.

For token refresh flows, the Credential Payload normally updates the related Credential from the response.

Use Data Queries only when the credential call needs Salesforce data.

Most Credential Payloads do not need queries. A more complex token flow might need values from a related configuration record.

Use the Body tab when the authentication API expects a request body.

For OAuth-style token calls, the body often contains grant type, client id, client secret, refresh token, or scope values. Put sensitive values in Credential records where possible, and keep the Payload body focused on the structure of the request.

For a simple credential check, the body may be empty.

Use Headers and Parameters for the values required by the authentication API.

Authentication headers should normally come from the attached Credential. Use Payload-level headers and parameters for values that are specific to the validation or refresh request.

Model the response values Payloads needs to understand.

For a credential check, you might only care whether the request returns a successful response status. For a token refresh, you usually need to model values such as access token, refresh token, token type, expires in, or expiry timestamp.

Use Response Headers if the authentication API returns meaningful values outside the response body.

The generated response body gives Payloads named fields to read from the token response, such as access_token and refresh_token.

Use Data Targets when the response should update Salesforce.

For a token refresh flow, a Data Target can update the relevant Credential record with the new token values. Keep those mappings tight and easy to review. Credential updates should be predictable, because other Payloads may depend on the Credential immediately after the refresh runs.

Before you use the related Credential in another Payload, check that:

After a test run, open the Job record and confirm the request, response status, response body, and any Credential updates.