
Understanding Named Credentials in Salesforce

In the realm of Salesforce development, secure and efficient integration with external systems is paramount. Named Credentials, now part of the broader External Credentials framework, simplify and secure the process of integrating with external services. This article dives deep into what Named Credentials are, why they matter, and how you can leverage them in your Salesforce projects.

What Are Named Credentials?

Named Credentials in Salesforce streamline the authentication process for external callouts. Rather than hardcoding usernames, passwords, or tokens directly into your Apex code, Named Credentials securely store these details. This lets you reference them seamlessly in your code without exposing sensitive information.

With Named Credentials, you can:

  • Define the endpoint URL of the external service.
  • Specify the authentication mechanism (e.g., OAuth 2.0, Basic Auth, or custom authentication).
  • Securely manage sensitive credentials in Salesforce.
  • Reduce the risk of exposing passwords or tokens in code.

Why Use Named Credentials?

  1. Security: Credentials are stored securely in Salesforce, eliminating the risk of exposing sensitive information in Apex or configuration files.
  2. Simplicity: Integrations become more straightforward by separating authentication details from your code, thus reducing development effort.
  3. Maintainability: Changing an endpoint or credentials requires updating only the Named Credential—no need to modify the underlying code.
  4. Compliance: For organizations that must adhere to regulations like GDPR or SOC 2, Named Credentials provide a secure, auditable way to handle external integrations.

Key Components of Named Credentials

A Named Credential includes:

  • Label and Name: Human-readable identifiers for easy reference.
  • URL: The base endpoint of the external service.
  • Identity Type: Whether the integration uses a shared credential (Named Principal) or uses each user’s credentials (Per User).
  • Authentication Protocol: How Salesforce authenticates with the external service. Common examples include:
    • OAuth 2.0
    • Password Authentication
    • JWT Bearer Token Flow
    • Custom HTTP Header Authorization
  • Custom Headers (Optional): Extra headers required by the external API (e.g., API keys).

Creating a Named Credential

  1. Navigate to Setup
    • Go to Setup and search for “Named Credentials” in the Quick Find box.
  2. Click “New Named Credential”
    • Provide a Label and Name.
    • Enter the URL of the external service.
  3. Select Authentication Type
    • Choose Named Principal or Per User.
    • Specify the Authentication Protocol based on your integration requirements.
  4. Configure Authentication
    • For OAuth, provide the authentication flow details (callback URL, scopes, etc.).
    • For Basic Auth, enter the username and password.
  5. Save
    • Once everything is configured, click Save to create the Named Credential.

Using Named Credentials in Apex

Named Credentials greatly simplify HTTP callouts in Apex. Here’s an example:

  • callout:My_Named_Credential references your Named Credential.
  • /some/endpoint is appended to the base URL you defined.
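
The article's original code sample is not present on this page. The following Apex is an added example, not the author's code: it puts the hardcoded pattern the article warns against next to the Named Credential form. The class and method names, api.example.com, svc_user, and the placeholder password are assumptions; My_Named_Credential and /some/endpoint are the names used in the bullets above.

```apex
public with sharing class ExternalServiceClient {
    // Custom exception so callers can tell a failed callout from other errors.
    public class ExternalServiceException extends Exception {}

    // BEFORE (the pattern the article warns against): the endpoint and the secret
    // live in code, so they travel with source control and deployed metadata.
    // Hypothetical host, user, and placeholder password, for illustration only.
    public static String fetchHardcoded() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/some/endpoint');
        req.setMethod('GET');
        Blob creds = Blob.valueOf('svc_user:PLACEHOLDER_PASSWORD');
        req.setHeader('Authorization', 'Basic ' + EncodingUtil.base64Encode(creds));
        return send(req);
    }

    // AFTER: the callout: prefix resolves to the Named Credential's base URL and
    // /some/endpoint is appended to it. No Authorization header is set here;
    // Salesforce applies the authentication configured on the Named Credential.
    public static String fetchWithNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:My_Named_Credential/some/endpoint');
        req.setMethod('GET');
        return send(req);
    }

    // Shared send logic: bounded timeout and a non-2xx check.
    private static String send(HttpRequest req) {
        req.setTimeout(10000); // milliseconds
        HttpResponse res = new Http().send(req);
        Integer status = res.getStatusCode();
        if (status < 200 || status >= 300) {
            // Report only the status code; response bodies can echo sensitive data.
            throw new ExternalServiceException('Callout failed with HTTP status ' + status);
        }
        return res.getBody();
    }
}
```

Rotating the secret or moving the endpoint changes only the Named Credential record for the second method, while the first method needs a code change and a deployment.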

Using Named Credentials in Flow

Salesforce Flows can also integrate with external systems using Named Credentials. Here’s how:

  1. Enable External Services
    • In Setup, search for External Services.
    • Register the Named Credential for your external service.
  2. Define an HTTP Callout in Flow
    • Create or open a Flow (e.g., Screen Flow or Record-Triggered Flow).
    • Add an Action element and choose “HTTP Callout.”
  3. Choose the Named Credential
    • Select the Named Credential from the picklist.
    • Specify the HTTP method (GET, POST, etc.) and required parameters.
  4. Map Inputs and Outputs
    • Provide inputs for the callout.
    • Map returned data to variables or leverage them in subsequent Flow elements.
  5. Test and Activate
    • Test the Flow to confirm it works as intended.
    • Activate the Flow in your org.


Best Practices for Named Credentials

  • Use Named Credentials for All External Callouts
    Avoid storing credentials or endpoint URLs directly in Apex classes or configuration files.
  • Secure Named Credentials
    Use proper permission sets, field-level security, and org-wide security controls to restrict who can view or modify sensitive data.
  • Monitor and Rotate Credentials
    Regularly update credentials to comply with security best practices and organizational policies.
  • Test in a Sandbox
    Validate integrations in a non-production environment before deploying to production.

Enhanced Capabilities with External Credentials

Starting in Winter ’23, Salesforce introduced External Credentials, which expand the functionality of Named Credentials. Some notable enhancements include:

  • Custom Headers: Add specialized headers, such as API keys, for callouts.
  • Permission Set Assignments: Control user access to credentials via Permission Sets.
  • Amazon IAM Role Assumption: Temporarily access AWS resources using Amazon STS.
  • Credential Reuse Across Endpoints: Use the same authentication for multiple APIs without replicating credentials.
  • Custom Setup UIs: ISVs can create branded setup experiences using the Connect API in Apex.

Conclusion

Named Credentials (and the newer External Credentials framework) are cornerstones for secure, maintainable Salesforce integrations. By abstracting authentication from code, they bolster security and scalability. Whether you’re building a simple API connection or orchestrating complex multi-system integrations, adopting Named Credentials and External Credentials can save time and reduce risk—allowing you to focus on delivering value rather than wrestling with authentication details.

Mehdi Salim

Salesforce consultant and developer with 3+ years of experience in Apex, LWC, and automation. Certified in Platform Developer I & II and JavaScript Developer I, I specialize in building scalable solutions to enhance processes and user experiences.
