
How to add Salesforce DX MCP Server to Windsurf
Salesforce's official DX server: run SOQL, deploy and retrieve metadata, run Apex tests and manage orgs from your agent. Paste the config into ~/.codeium/windsurf/mcp_config.json and restart Windsurf.
Last updated June 14, 2026 · 432★ · stdio · oauth · official
Windsurf config for Salesforce DX MCP Server
npx -y @salesforce/mcp --orgs DEFAULT_TARGET_ORG --toolsets orgs,metadata,data,users{
"mcpServers": {
"salesforce-dx-mcp-server": {
"command": "npx",
"args": [
"-y",
"@salesforce/mcp",
"--orgs",
"DEFAULT_TARGET_ORG",
"--toolsets",
"orgs,metadata,data,users",
"--tools",
"run_apex_test",
"--allow-non-ga-tools"
]
}
}
}Setup steps
- 1Open Windsurf → Cascade → the hammer/MCP icon → Configure (or edit ~/.codeium/windsurf/mcp_config.json).
- 2Paste the Salesforce DX MCP Server config below.
- 3Fill in placeholder secrets, then save.
- 4Click Refresh in the MCP panel.
- 5Salesforce DX MCP Server's tools become available to Cascade.
Before you start
- Node.js 18+ with npx
- Salesforce CLI installed and at least one org authorized (`sf org login web`)
- A Salesforce DX project for metadata deploy/retrieve workflows
What Salesforce DX MCP Server can do in Windsurf
get_usernameResolve the right username/alias for an operation, handling default orgs and Dev Hubs
resume_tool_operationResume a long-running operation started by another tool
run_soql_queryRun a SOQL query against a Salesforce org
deploy_metadataDeploy metadata from your DX project to an org
retrieve_metadataRetrieve metadata from an org into your DX project
list_all_orgsList all locally-configured orgs, optionally checking connection status
create_scratch_orgCreate a scratch org (NON-GA)
create_org_snapshotCreate a scratch org snapshot (NON-GA)
Security
No credentials live in the config — the server reuses orgs you've already authorized through the Salesforce CLI, restricted to the --orgs allowlist you set (avoid ALLOW_ALL_ORGS). Telemetry is on by default (--no-telemetry disables it), and pre-GA tools stay off unless you explicitly pass --allow-non-ga-tools.
Salesforce DX MCP Server + Windsurf FAQ
Where is the Windsurf config file?
Windsurf reads MCP servers from ~/.codeium/windsurf/mcp_config.json. Paste the Salesforce DX MCP Server config there under the "mcpServers" key and restart the client.
Is Salesforce DX MCP Server safe to use with Windsurf?
No credentials live in the config — the server reuses orgs you've already authorized through the Salesforce CLI, restricted to the --orgs allowlist you set (avoid ALLOW_ALL_ORGS). Telemetry is on by default (--no-telemetry disables it), and pre-GA tools stay off unless you explicitly pass --allow-non-ga-tools.
Is the Salesforce DX MCP Server safe to point at production orgs?
The access model is conservative — only locally pre-authorized orgs on your --orgs allowlist are reachable, and no secrets are stored in config. But tools like deploy_metadata and delete_org write to orgs, so the sane default is scratch orgs and sandboxes, with production access left off the allowlist.
Do I need the Salesforce CLI installed?
Effectively yes. The server piggybacks on Salesforce CLI authentication, so each org must be authorized with `sf org login web` (or the VS Code equivalent) before the MCP server can use it.
Which toolsets should I enable?
Start with `orgs,data,metadata,testing` for a typical dev loop and add `code-analysis` or `devops` when needed. Salesforce recommends against `all` — the 60+ tool catalog eats context. Individual tools can be cherry-picked with --tools.