๐Ÿ” Best Practices for Salesforce API Security - Solution for Guru


Overview

Salesforce APIs provide powerful access to data and metadata for integration with external systems. However, unsecured API access can lead to data leaks, abuse, and compliance risks.

This guide outlines best practices for securing Salesforce API usage, ensuring data integrity, availability, and confidentiality.


🚨 Why API Security Matters

  • Prevent unauthorized data access and manipulation.
  • Avoid API abuse (e.g., DDoS, brute force attacks).
  • Comply with data privacy regulations (e.g., GDPR, CCPA).
  • Safeguard integration points with external systems.

🧱 Core Security Principles

Principle        Description
Authentication   Ensure only valid users/apps can access APIs.
Authorization    Limit what data and functions are accessible after login.
Auditing         Log and monitor API usage and changes.
Rate Limiting    Prevent abuse by restricting excessive API calls.
Encryption       Secure data in transit and at rest.

✅ Best Practices for API Security in Salesforce

๐Ÿ” 1. Use OAuth for Authentication

  • Prefer OAuth 2.0 over username-password flows.
  • Use JWT Bearer Flow or Client Credentials Flow for server-to-server integrations.
  • Avoid storing passwords in scripts or integrations.

📋 2. Restrict API Access via Profiles & Permission Sets

  • Disable the "API Enabled" permission for users who don't need it.
  • Grant only necessary object and field-level permissions.
  • Use Permission Set Groups to manage access centrally.

🎯 3. Use Named Credentials

  • Securely store external endpoint URLs and authentication details.
  • Automatically handle token refreshes and keep secrets out of Apex code.

๐Ÿ›ก๏ธ 4. Use IP Restrictions

  • Set trusted IP ranges on user profiles.
  • Configure Login IP Ranges for integrations accessing the API.

📉 5. Limit Scope of OAuth Tokens

  • Set OAuth Scopes (e.g., api, refresh_token) only as needed.
  • Avoid using full admin scopes unless required.

๐Ÿ” 6. Monitor and Audit API Usage

  • Use Event Monitoring and API Usage dashboards.
  • Enable Field Audit Trail to track field changes via API.
  • Regularly review Connected App usage and logs.

🚫 7. Revoke Unused Tokens and Apps

  • Remove unused Connected Apps and revoke OAuth tokens from Setup → Connected Apps OAuth Usage.
  • Periodically audit active sessions.

โณ 8. Apply Rate Limits and Throttling

  • Enforce limits via API call quotas.
  • Use Batching and Query Optimization to minimize load.
  • Handle REQUEST_LIMIT_EXCEEDED gracefully in your integration: back off and retry later rather than retrying immediately, which only burns more of the quota.
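Added example (not from the original article or from Salesforce): a Python helper that reads the Sforce-Limit-Info header Salesforce returns on REST responses and backs off after a REQUEST_LIMIT_EXCEEDED error instead of retrying immediately. The function names, the constructed sample responses and the backoff parameters are assumptions.

```python
import json
import random
import re

# Salesforce returns "api-usage=<used>/<limit>" in this header on REST responses.
LIMIT_INFO_RE = re.compile(r"api-usage=(\d+)/(\d+)")


def parse_api_usage(headers):
    """Return (used, limit) from Sforce-Limit-Info, or None if the header is absent."""
    match = LIMIT_INFO_RE.search(headers.get("Sforce-Limit-Info", ""))
    return (int(match.group(1)), int(match.group(2))) if match else None


def is_request_limit_exceeded(status, body):
    """A blown quota comes back as HTTP 403 with a JSON array of error objects."""
    if status != 403:
        return False
    try:
        errors = json.loads(body)
    except ValueError:
        return False
    return any(isinstance(e, dict) and e.get("errorCode") == "REQUEST_LIMIT_EXCEEDED"
               for e in errors)


def backoff_seconds(attempt, base=2.0, cap=300.0, rng=random.random):
    """Capped exponential backoff with full jitter so retries do not synchronise."""
    return rng() * min(cap, base * 2 ** attempt)


def plan_next_call(status, headers, body, attempt, max_attempts=5,
                   soft_threshold=0.9, rng=random.random):
    """Decide the next step after a response: ('proceed', 0), ('throttle', delay)
    when usage nears the daily quota, ('retry', delay) after REQUEST_LIMIT_EXCEEDED,
    or ('abort', 0) once the retry budget is spent. Quota exhaustion is a signal
    to slow down, never something to push through."""
    if is_request_limit_exceeded(status, body):
        if attempt >= max_attempts:
            return ("abort", 0.0)
        return ("retry", backoff_seconds(attempt, rng=rng))
    usage = parse_api_usage(headers)
    if usage and usage[0] >= soft_threshold * usage[1]:
        return ("throttle", backoff_seconds(0, rng=rng))
    return ("proceed", 0.0)


if __name__ == "__main__":
    # Constructed sample responses (not captured from a real org).
    print(plan_next_call(200, {"Sforce-Limit-Info": "api-usage=95000/100000"}, "[]", 0))
    err = '[{"message":"TotalRequests Limit exceeded.","errorCode":"REQUEST_LIMIT_EXCEEDED"}]'
    print(plan_next_call(403, {}, err, 1))
```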

🔒 9. Encrypt Sensitive Data

  • Use TLS/SSL for all API communication (required by Salesforce).
  • Enable Shield Platform Encryption for data at rest if applicable.

👤 10. Use Dedicated Integration Users

  • Create non-human users (integration-only) with minimum access needed.
  • This simplifies auditing and isolates access from real user activity.

🧰 Recommended Tools

Tool                  Use Case
Named Credentials     Securely manage external API endpoints.
Postman / Workbench   Test and monitor API calls.
Event Monitoring      Analyze high-risk API usage.
Setup Audit Trail     Track changes to API-related configuration.

🚀 Pro Tips

  • Enable IP Relaxation on a Connected App only when strictly necessary, since it bypasses the IP restrictions configured on user profiles.
  • Rotate secrets/tokens regularly.
  • Always test in sandbox before deploying new integrations to production.

๐Ÿ“ Summary

Securing Salesforce APIs is essential for maintaining a trustworthy and compliant integration environment. By following the best practices outlined above, you can minimize risk, protect data, and ensure smooth operation of connected systems.