Salesforce Named Credentials: Secure API Authentication Guide
Modern Salesforce implementations rarely operate in isolation. Organizations integrate Salesforce with ERP systems, payment gateways, marketing platforms, document management systems, AI services, and countless third-party applications.
To build these integrations securely, Salesforce recommends using Salesforce Named Credentials instead of storing authentication details directly in code. Combined with External Credentials, they provide a modern authentication framework that simplifies API integrations, improves security, and reduces maintenance.
If you’re designing or maintaining enterprise integrations, we also recommend reading our guide on Salesforce API Best Practices, which covers secure integration architecture, API performance, and scalability.
Many Salesforce teams still rely on legacy authentication methods, hardcoded endpoints, or manually managed OAuth tokens. These approaches often lead to security risks, duplicated configuration, and integrations that become difficult to scale.
This guide explains what Salesforce Named Credentials are, how they work with External Credentials, how to configure them, and the best practices for building secure enterprise integrations.

What Are Salesforce Named Credentials?
Salesforce Named Credentials are a secure way to configure connections between Salesforce and external systems.
Instead of storing authentication details and endpoints inside Apex code or Flow configurations, Salesforce centralizes this information in reusable metadata.
Named Credentials allow developers and administrators to:
- securely connect external APIs;
- manage authentication without hardcoding secrets;
- simplify HTTP callouts;
- reuse authentication across multiple integrations;
- reduce maintenance effort.
A traditional API call often requires developers to manually manage:
- endpoint URLs;
- OAuth access tokens;
- API keys;
- authentication headers.
With Named Credentials, Salesforce handles most of these tasks automatically.
For organizations managing multiple integrations, this significantly improves security, consistency, and long-term maintainability.
For a detailed overview of the feature, refer to the official Salesforce Named Credentials documentation.
Why Use Salesforce Named Credentials?
Before Named Credentials were introduced, many integrations followed a similar pattern:
Apex Code
├── Endpoint URL
├── Username
├── Password
├── OAuth Token
└── HTTP Headers
This approach creates several problems:
- sensitive credentials stored in code;
- duplicated authentication logic;
- difficult token management;
- increased security risks;
- complicated deployments.
Salesforce Named Credentials separate authentication from application logic, making integrations easier to secure, maintain, and deploy across multiple environments.
Understanding the Modern Authentication Architecture
One of the biggest changes introduced by Salesforce is the separation between authentication and endpoint configuration.
Many developers assume Named Credentials handle everything, but the modern architecture consists of two components working together.
External System
│
External Credential
(Authentication)
│
Named Credential
(API Endpoint)
│
Apex
Flow
External Services
What Is an External Credential?
An External Credential defines how Salesforce authenticates with an external service.
It manages:
- OAuth 2.0;
- JWT Bearer Flow;
- API Keys;
- AWS Signature Version 4;
- Basic Authentication;
- Custom authentication providers.
Authentication settings are configured once and can be reused across multiple integrations.
Salesforce provides additional implementation guidance in the official Named Credentials Developer Guide.
What Is a Named Credential?
A Named Credential defines where Salesforce sends requests.
It stores information such as:
- endpoint URL;
- associated External Credential;
- callout configuration.
Instead of embedding URLs throughout Apex classes, developers reference a Named Credential.
This separation makes integrations easier to update, improves security, and reduces duplicated configuration.
Salesforce Named Credentials vs Legacy Named Credentials
Salesforce redesigned the authentication framework with the introduction of External Credentials. While Legacy Named Credentials are still supported, Salesforce recommends using the modern architecture for new implementations.
| Legacy Named Credentials | Modern Named Credentials |
|---|---|
| Authentication stored inside the Named Credential | Authentication managed by External Credentials |
| Limited flexibility | Reusable authentication model |
| Older architecture | Recommended architecture |
| Harder to reuse across integrations | Easier to manage enterprise integrations |
For new Salesforce projects, the modern authentication model is the recommended approach because it provides better security, flexibility, and long-term maintainability.
Supported Authentication Methods
Salesforce Named Credentials support multiple authentication mechanisms, allowing organizations to integrate with a wide variety of external services.
| Authentication Method | Recommended Use Case |
|---|---|
| OAuth 2.0 | Enterprise APIs |
| JWT Bearer Flow | Server-to-server integrations |
| API Key | Third-party REST APIs |
| Basic Authentication | Legacy systems |
| AWS Signature Version 4 | AWS services |
For most enterprise integrations, OAuth 2.0 remains the preferred option because it eliminates the need to store user credentials while supporting secure token management.
To learn more about protecting OAuth-based integrations, read our Salesforce OAuth Security Best Practices guide.
How to Create Salesforce Named Credentials
The exact configuration depends on the authentication method, but the overall process is consistent.
- Create an External Credential.
- Configure the authentication method.
- Create a Named Credential.
- Specify the external API endpoint.
- Associate the Named Credential with the External Credential.
- Assign the required Permission Set.
- Test the connection.
This approach centralizes authentication and allows multiple Apex classes, Flows, and integrations to reuse the same secure configuration.
Using Salesforce Named Credentials in Apex
One of the biggest advantages of Named Credentials is that Apex code no longer needs to store endpoint URLs or authentication tokens.
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:Customer_API/accounts');
req.setMethod('GET');
Notice that the code references only the Named Credential.
Salesforce automatically:
- resolves the endpoint;
- applies authentication;
- manages OAuth tokens;
- sends the request securely.
This results in cleaner Apex code and significantly reduces the risk of exposing sensitive credentials.
For implementation details, see the official Apex Callouts Using Named Credentials documentation.
Salesforce Named Credentials vs Remote Site Settings
One of the most common questions among Salesforce developers is whether Remote Site Settings are still required when using Salesforce Named Credentials.
The answer depends on the integration scenario, but for most modern HTTP callouts Salesforce recommends using Named Credentials because they combine endpoint management with secure authentication.
| Remote Site Settings | Salesforce Named Credentials |
|---|---|
| Allowlist external URLs | Manage secure API endpoints |
| No authentication management | Built-in authentication support |
| Legacy configuration | Modern Salesforce approach |
| Separate security configuration | Centralized configuration |
| Limited functionality | Supports OAuth, JWT, API Keys, and AWS Signature V4 |
While Remote Site Settings are still available for some legacy use cases, they should no longer be the default choice for new integrations.
If your project requires secure authentication, reusable configuration, and easier maintenance, Salesforce Named Credentials provide a more scalable solution.
Salesforce Named Credentials Best Practices
Following best practices helps organizations build integrations that are secure, scalable, and easier to maintain.
Use OAuth 2.0 Whenever Possible
OAuth 2.0 is the preferred authentication method for most enterprise integrations because it eliminates the need to store usernames and passwords while providing secure token-based authentication.
Reuse External Credentials
If several APIs use the same identity provider, reuse a single External Credential instead of creating separate authentication configurations for every integration.
This reduces duplicated configuration and simplifies administration.
Separate Sandbox and Production Endpoints
Always create separate Named Credentials for sandbox and production environments.
Using different endpoints reduces deployment risks and prevents accidental connections to production services during testing.
Assign Access Through Permission Sets
Access to Named Credentials should be granted through Permission Sets rather than broad administrator permissions.
Following the principle of least privilege helps protect sensitive integrations.
Avoid Hardcoded URLs and Secrets
Authentication details should never be stored in:
- Apex classes;
- Flow variables;
- Custom Metadata used as secret storage;
- Custom Settings.
Instead, centralize authentication using Named Credentials and External Credentials.
Monitor Authentication Failures
Authentication can fail because of:
- expired certificates;
- revoked OAuth tokens;
- incorrect permissions;
- API configuration changes.
Regularly monitoring integration logs helps detect problems before they impact business processes.
If your integrations exchange large volumes of data or connect multiple systems, our Salesforce API Integration Best Practices guide provides additional recommendations for designing reliable enterprise integrations.
Common Salesforce Named Credentials Mistakes
Even experienced Salesforce teams make similar mistakes when implementing integrations.
| Common Mistake | Better Approach |
|---|---|
| Hardcoding API tokens in Apex | Use Named Credentials |
| Creating duplicate authentication configurations | Reuse External Credentials |
| Using System Administrator for integrations | Apply least privilege permissions |
| Building new integrations with Legacy Named Credentials | Use the modern authentication framework |
| Mixing sandbox and production endpoints | Create separate Named Credentials |
| Ignoring authentication monitoring | Review logs and monitor failed callouts |
Avoiding these mistakes improves both security and long-term maintainability.
Enterprise Integration Examples
Salesforce Named Credentials are widely used in enterprise environments across many industries.
ERP Systems
Synchronize customers, products, orders, and invoices securely without exposing authentication details inside Apex.
Payment Gateways
Integrate payment providers while centralizing authentication and simplifying credential management.
Marketing Platforms
Connect Salesforce with marketing automation platforms using reusable authentication configurations.
AI Services
Securely connect Salesforce with AI platforms and external REST APIs without embedding API credentials in code.
Many enterprise integrations also depend on properly configured Connected Apps. Before deploying new integrations, review our Salesforce Connected Apps Security Changes guide.
Conclusion
Salesforce Named Credentials have become the recommended approach for building secure API integrations on the Salesforce platform.
Combined with External Credentials, they separate authentication from endpoint management, eliminate hardcoded secrets, and create a reusable framework for Apex, Flow, and external services.
Organizations adopting this modern authentication model benefit from:
- stronger security;
- simplified maintenance;
- reusable authentication;
- cleaner Apex code;
- scalable enterprise integrations.
Whether you’re building a new integration or modernizing an existing one, implementing Salesforce Named Credentials is one of the most effective ways to improve both security and long-term maintainability.
Need help designing or modernizing Salesforce integrations? Explore our Salesforce Integration Services to learn how Success Craft can help.
What are Salesforce Named Credentials?
Salesforce Named Credentials securely store external API endpoints and work with External Credentials to manage authentication for Apex, Flow, and other integrations.
What is the difference between Named Credentials and External Credentials?
External Credentials define how Salesforce authenticates with an external system, while Named Credentials define where requests are sent by storing the endpoint and referencing the authentication configuration.
Do I still need Remote Site Settings?
For most modern HTTP callouts, Salesforce Named Credentials are the recommended solution because they combine endpoint management with secure authentication. Remote Site Settings are mainly used for legacy scenarios.
Can Salesforce Flow use Named Credentials?
Yes. HTTP Callouts in Salesforce Flow can use Named Credentials, allowing administrators to build secure integrations without storing authentication details inside individual Flows.
Which authentication methods are supported?
Salesforce Named Credentials support several authentication methods, including OAuth 2.0, JWT Bearer Flow, API Keys, Basic Authentication, and AWS Signature Version 4.