API Integration Security Patterns

Overview

API integrations are a major risk surface in Salesforce programs. This guide captures practical controls for API authentication, connected app governance, token management, and monitoring.

Consensus Best Practices

• Use OAuth-based flows over hardcoded token patterns whenever possible.
• Use Named Credentials for outbound integrations from Salesforce.
• Restrict API permissions to integration users and required scopes only.
• Monitor connected app usage routinely, not only during incidents.
• Keep API access revocation and credential rotation as tested runbooks.

Core Security Patterns

Pattern 1: Least-Privilege Integration Identity

• Use dedicated integration users.
• Assign minimal permission sets needed for integration function.
• Avoid broad admin permissions on integration principals.

Pattern 2: Connected App Governance

• Inventory all connected apps.
• Document owner, purpose, scopes, data domains.
• Review usage and revoke stale/unknown app access.

Pattern 3: Outbound Callout Hardening

• Use Named Credentials for endpoint + auth abstraction.
• Keep secrets out of Apex code and metadata source where possible.
• Enforce timeout/retry/error-handling standards in service layers.

Pattern 4: Token and Session Hygiene

• Rotate secrets and credentials on a schedule.
• Revoke compromised app/user sessions quickly.
• Validate what survives password resets vs token reset actions.

Pattern 5: Data Egress Controls

• Review URL-based data passing patterns for leakage risk.
• Use signed/encrypted request schemes for sensitive payloads.
• Avoid exposing directly guessable identifiers in external URLs.

API Selection Guidance

• REST API: flexible and lightweight for most service integrations.
• SOAP API: useful for systems with strict contract/WSDL tooling.
• Apex REST: use when business-specific endpoints are required; enforce security explicitly.
• Metadata/Tooling APIs: treat as privileged operations and gate tightly.

Monitoring Checklist

• Connected Apps OAuth usage reviewed.
• Integration user session activity reviewed.
• Stale app connections revoked.
• Named Credential inventory maintained.
• Incident playbook tested (revoke, rotate, recover).

Sources Used

• Knowledge/Jodie Miners/TDD-Salesforce-API.md - Practical API security, auth, and monitoring considerations

Related Patterns

• Named Credentials Patterns
• Authentication Flow Patterns
• Salesforce LLM Data Governance