Salesforce Named Credentials: Secure API Authentication Guide

Modern Salesforce implementations rarely operate in isolation. Organizations integrate Salesforce with ERP systems, payment gateways, marketing platforms, document management systems, AI services, and countless third-party applications.

To build these integrations securely, Salesforce recommends using Salesforce Named Credentials instead of storing authentication details directly in code. Combined with External Credentials, they provide a modern authentication framework that simplifies API integrations, improves security, and reduces maintenance.

If you’re designing or maintaining enterprise integrations, we also recommend reading our guide on Salesforce API Best Practices, which covers secure integration architecture, API performance, and scalability.

Many Salesforce teams still rely on legacy authentication methods, hardcoded endpoints, or manually managed OAuth tokens. These approaches often lead to security risks, duplicated configuration, and integrations that become difficult to scale.

This guide explains what Salesforce Named Credentials are, how they work with External Credentials, how to configure them, and the best practices for building secure enterprise integrations.

Salesforce Named Credentials: API Authentication Best Practices

What Are Salesforce Named Credentials?

Salesforce Named Credentials are a secure way to configure connections between Salesforce and external systems.

Instead of storing authentication details and endpoints inside Apex code or Flow configurations, Salesforce centralizes this information in reusable metadata.

Named Credentials allow developers and administrators to:

A traditional API call often requires developers to manually manage:

With Named Credentials, Salesforce handles most of these tasks automatically.

For organizations managing multiple integrations, this significantly improves security, consistency, and long-term maintainability.

For a detailed overview of the feature, refer to the official Salesforce Named Credentials documentation.


Why Use Salesforce Named Credentials?

Before Named Credentials were introduced, many integrations followed a similar pattern:

Apex Code
 ├── Endpoint URL
 ├── Username
 ├── Password
 ├── OAuth Token
 └── HTTP Headers

This approach creates several problems:

Salesforce Named Credentials separate authentication from application logic, making integrations easier to secure, maintain, and deploy across multiple environments.


Understanding the Modern Authentication Architecture

One of the biggest changes introduced by Salesforce is the separation between authentication and endpoint configuration.

Many developers assume Named Credentials handle everything, but the modern architecture consists of two components working together.

External System
        │
External Credential
(Authentication)
        │
Named Credential
(API Endpoint)
        │
Apex
Flow
External Services

What Is an External Credential?

An External Credential defines how Salesforce authenticates with an external service.

It manages:

Authentication settings are configured once and can be reused across multiple integrations.

Salesforce provides additional implementation guidance in the official Named Credentials Developer Guide.


What Is a Named Credential?

A Named Credential defines where Salesforce sends requests.

It stores information such as:

Instead of embedding URLs throughout Apex classes, developers reference a Named Credential.

This separation makes integrations easier to update, improves security, and reduces duplicated configuration.


Salesforce Named Credentials vs Legacy Named Credentials

Salesforce redesigned the authentication framework with the introduction of External Credentials. While Legacy Named Credentials are still supported, Salesforce recommends using the modern architecture for new implementations.

Legacy Named CredentialsModern Named Credentials
Authentication stored inside the Named CredentialAuthentication managed by External Credentials
Limited flexibilityReusable authentication model
Older architectureRecommended architecture
Harder to reuse across integrationsEasier to manage enterprise integrations

For new Salesforce projects, the modern authentication model is the recommended approach because it provides better security, flexibility, and long-term maintainability.


Supported Authentication Methods

Salesforce Named Credentials support multiple authentication mechanisms, allowing organizations to integrate with a wide variety of external services.

Authentication MethodRecommended Use Case
OAuth 2.0Enterprise APIs
JWT Bearer FlowServer-to-server integrations
API KeyThird-party REST APIs
Basic AuthenticationLegacy systems
AWS Signature Version 4AWS services

For most enterprise integrations, OAuth 2.0 remains the preferred option because it eliminates the need to store user credentials while supporting secure token management.

To learn more about protecting OAuth-based integrations, read our Salesforce OAuth Security Best Practices guide.


How to Create Salesforce Named Credentials

The exact configuration depends on the authentication method, but the overall process is consistent.

  1. Create an External Credential.
  2. Configure the authentication method.
  3. Create a Named Credential.
  4. Specify the external API endpoint.
  5. Associate the Named Credential with the External Credential.
  6. Assign the required Permission Set.
  7. Test the connection.

This approach centralizes authentication and allows multiple Apex classes, Flows, and integrations to reuse the same secure configuration.


Using Salesforce Named Credentials in Apex

One of the biggest advantages of Named Credentials is that Apex code no longer needs to store endpoint URLs or authentication tokens.

HttpRequest req = new HttpRequest();
req.setEndpoint('callout:Customer_API/accounts');
req.setMethod('GET');

Notice that the code references only the Named Credential.

Salesforce automatically:

This results in cleaner Apex code and significantly reduces the risk of exposing sensitive credentials.

For implementation details, see the official Apex Callouts Using Named Credentials documentation.

Salesforce Named Credentials vs Remote Site Settings

One of the most common questions among Salesforce developers is whether Remote Site Settings are still required when using Salesforce Named Credentials.

The answer depends on the integration scenario, but for most modern HTTP callouts Salesforce recommends using Named Credentials because they combine endpoint management with secure authentication.

Remote Site SettingsSalesforce Named Credentials
Allowlist external URLsManage secure API endpoints
No authentication managementBuilt-in authentication support
Legacy configurationModern Salesforce approach
Separate security configurationCentralized configuration
Limited functionalitySupports OAuth, JWT, API Keys, and AWS Signature V4

While Remote Site Settings are still available for some legacy use cases, they should no longer be the default choice for new integrations.

If your project requires secure authentication, reusable configuration, and easier maintenance, Salesforce Named Credentials provide a more scalable solution.


Salesforce Named Credentials Best Practices

Following best practices helps organizations build integrations that are secure, scalable, and easier to maintain.

Use OAuth 2.0 Whenever Possible

OAuth 2.0 is the preferred authentication method for most enterprise integrations because it eliminates the need to store usernames and passwords while providing secure token-based authentication.


Reuse External Credentials

If several APIs use the same identity provider, reuse a single External Credential instead of creating separate authentication configurations for every integration.

This reduces duplicated configuration and simplifies administration.


Separate Sandbox and Production Endpoints

Always create separate Named Credentials for sandbox and production environments.

Using different endpoints reduces deployment risks and prevents accidental connections to production services during testing.


Assign Access Through Permission Sets

Access to Named Credentials should be granted through Permission Sets rather than broad administrator permissions.

Following the principle of least privilege helps protect sensitive integrations.


Avoid Hardcoded URLs and Secrets

Authentication details should never be stored in:

Instead, centralize authentication using Named Credentials and External Credentials.


Monitor Authentication Failures

Authentication can fail because of:

Regularly monitoring integration logs helps detect problems before they impact business processes.

If your integrations exchange large volumes of data or connect multiple systems, our Salesforce API Integration Best Practices guide provides additional recommendations for designing reliable enterprise integrations.


Common Salesforce Named Credentials Mistakes

Even experienced Salesforce teams make similar mistakes when implementing integrations.

Common MistakeBetter Approach
Hardcoding API tokens in ApexUse Named Credentials
Creating duplicate authentication configurationsReuse External Credentials
Using System Administrator for integrationsApply least privilege permissions
Building new integrations with Legacy Named CredentialsUse the modern authentication framework
Mixing sandbox and production endpointsCreate separate Named Credentials
Ignoring authentication monitoringReview logs and monitor failed callouts

Avoiding these mistakes improves both security and long-term maintainability.


Enterprise Integration Examples

Salesforce Named Credentials are widely used in enterprise environments across many industries.

ERP Systems

Synchronize customers, products, orders, and invoices securely without exposing authentication details inside Apex.

Payment Gateways

Integrate payment providers while centralizing authentication and simplifying credential management.

Marketing Platforms

Connect Salesforce with marketing automation platforms using reusable authentication configurations.

AI Services

Securely connect Salesforce with AI platforms and external REST APIs without embedding API credentials in code.

Many enterprise integrations also depend on properly configured Connected Apps. Before deploying new integrations, review our Salesforce Connected Apps Security Changes guide.


Conclusion

Salesforce Named Credentials have become the recommended approach for building secure API integrations on the Salesforce platform.

Combined with External Credentials, they separate authentication from endpoint management, eliminate hardcoded secrets, and create a reusable framework for Apex, Flow, and external services.

Organizations adopting this modern authentication model benefit from:

Whether you’re building a new integration or modernizing an existing one, implementing Salesforce Named Credentials is one of the most effective ways to improve both security and long-term maintainability.

Need help designing or modernizing Salesforce integrations? Explore our Salesforce Integration Services to learn how Success Craft can help.

What are Salesforce Named Credentials?

Salesforce Named Credentials securely manage external API endpoints while working with External Credentials to authenticate HTTP callouts from Apex, Flow, and other Salesforce services.

What is the difference between Named Credentials and External Credentials?

External Credentials define how Salesforce authenticates with an external system, while Named Credentials define where requests are sent by storing the endpoint configuration.

Do Salesforce Named Credentials support OAuth 2.0?

Yes. Salesforce Named Credentials support OAuth 2.0, JWT Bearer Flow, API Keys, Basic Authentication, AWS Signature Version 4, and other supported authentication methods.

Do I still need Remote Site Settings?

For most new integrations, Salesforce recommends using Named Credentials instead of Remote Site Settings because they provide both secure authentication and endpoint management in a single configuration.

Can Salesforce Flow use Named Credentials?

Yes. Salesforce Flow supports HTTP Callouts that use Named Credentials, allowing administrators to build secure API integrations without exposing authentication details inside individual Flows.