MCP Directory

How to add Salesforce DX MCP Server to Windsurf

Salesforce's official DX server: run SOQL, deploy and retrieve metadata, run Apex tests and manage orgs from your agent. Paste the config into ~/.codeium/windsurf/mcp_config.json and restart Windsurf.

Last updated June 14, 2026 · 432 · stdio · oauth · official

Windsurf config for Salesforce DX MCP Server

npx -y @salesforce/mcp --orgs DEFAULT_TARGET_ORG --toolsets orgs,metadata,data,users
{
  "mcpServers": {
    "salesforce-dx-mcp-server": {
      "command": "npx",
      "args": [
        "-y",
        "@salesforce/mcp",
        "--orgs",
        "DEFAULT_TARGET_ORG",
        "--toolsets",
        "orgs,metadata,data,users",
        "--tools",
        "run_apex_test",
        "--allow-non-ga-tools"
      ]
    }
  }
}

Setup steps

  1. 1Open Windsurf → Cascade → the hammer/MCP icon → Configure (or edit ~/.codeium/windsurf/mcp_config.json).
  2. 2Paste the Salesforce DX MCP Server config below.
  3. 3Fill in placeholder secrets, then save.
  4. 4Click Refresh in the MCP panel.
  5. 5Salesforce DX MCP Server's tools become available to Cascade.

Before you start

  • Node.js 18+ with npx
  • Salesforce CLI installed and at least one org authorized (`sf org login web`)
  • A Salesforce DX project for metadata deploy/retrieve workflows

What Salesforce DX MCP Server can do in Windsurf

get_username

Resolve the right username/alias for an operation, handling default orgs and Dev Hubs

resume_tool_operation

Resume a long-running operation started by another tool

run_soql_query

Run a SOQL query against a Salesforce org

deploy_metadata

Deploy metadata from your DX project to an org

retrieve_metadata

Retrieve metadata from an org into your DX project

list_all_orgs

List all locally-configured orgs, optionally checking connection status

create_scratch_org

Create a scratch org (NON-GA)

create_org_snapshot

Create a scratch org snapshot (NON-GA)

Security

No credentials live in the config — the server reuses orgs you've already authorized through the Salesforce CLI, restricted to the --orgs allowlist you set (avoid ALLOW_ALL_ORGS). Telemetry is on by default (--no-telemetry disables it), and pre-GA tools stay off unless you explicitly pass --allow-non-ga-tools.

Salesforce DX MCP Server + Windsurf FAQ

Where is the Windsurf config file?

Windsurf reads MCP servers from ~/.codeium/windsurf/mcp_config.json. Paste the Salesforce DX MCP Server config there under the "mcpServers" key and restart the client.

Is Salesforce DX MCP Server safe to use with Windsurf?

No credentials live in the config — the server reuses orgs you've already authorized through the Salesforce CLI, restricted to the --orgs allowlist you set (avoid ALLOW_ALL_ORGS). Telemetry is on by default (--no-telemetry disables it), and pre-GA tools stay off unless you explicitly pass --allow-non-ga-tools.

Is the Salesforce DX MCP Server safe to point at production orgs?

The access model is conservative — only locally pre-authorized orgs on your --orgs allowlist are reachable, and no secrets are stored in config. But tools like deploy_metadata and delete_org write to orgs, so the sane default is scratch orgs and sandboxes, with production access left off the allowlist.

Do I need the Salesforce CLI installed?

Effectively yes. The server piggybacks on Salesforce CLI authentication, so each org must be authorized with `sf org login web` (or the VS Code equivalent) before the MCP server can use it.

Which toolsets should I enable?

Start with `orgs,data,metadata,testing` for a typical dev loop and add `code-analysis` or `devops` when needed. Salesforce recommends against `all` — the 60+ tool catalog eats context. Individual tools can be cherry-picked with --tools.

View repo Full Salesforce DX MCP Server page