Salesforce integrations — developer detail
Outbound callouts go through Named Credentials so auth is handled by
the platform. Inbound integrations arrive via Connected Apps using
OAuth 2.0 (human flows) or JWT Bearer (server-to-server). For the
business-facing view, see docs/human/integrations.md.
Outbound pattern — Named Credential callouts
Apex callouts address Named Credentials rather than raw endpoints. The platform injects auth at callout time:

```apex
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:BoxNamedCreds/folders/0');
req.setMethod('GET');
HttpResponse res = new Http().send(req);
```

Active Named Credentials:
| Named Credential | Endpoint | Auth Principal |
|---|---|---|
| BoxNamedCreds | https://api.box.com/2.0/ | NamedUser |
| BPAYCRNGeneratorDEV | — | — |
| bronID | — | — |
| Mass_Action | https://partnerswealthgroup.my.salesforce.com | NamedUser |
| MSGraphAPI | — | — |
Three of the five have no endpoint visible through the Tooling API —
likely because they are sandbox variants or reference External
Credentials that hold the endpoint separately. See
docs/generated/integrations/named-credentials.md.
Inbound pattern — Connected Apps
48 Connected Apps are registered. For the security view, see
docs/human/known-issues.md — 44 of 48 are not locked to
Admin-Approved-Only, which is the highest-priority finding in the
recommendations report.
Server-to-server (JWT Bearer)
The reference implementation is the MCP server:
- Connected App with Use digital signatures enabled and the public cert uploaded.
- Integration user (e.g. automation@pwg.com.au) assigned a narrow Permission Set.
- sfdcJwtBearerSignRequest from jsforce signs the assertion.
- POST the assertion to /services/oauth2/token with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer.
Full runbook: mcp-server/docs/connected-app-setup.md.
Human OAuth
Standard authorize → token flow. Copilot for Sales,
PDF_Butler_APAC1, SUMO Connected App, and OIQ_Integration are
locked to Admin-Approved-Only — new users need explicit permission.
The other 44 are open to any user, which is the active backlog item.
SSO and identity
Entra ID is the upstream identity provider. User provisioning
flows through SCIM via the aad.provision@pwg.com.au integration
user. 16 Auth Providers are registered (Box, DocuSign, Google,
Microsoft, LinkedIn, etc.) — see
docs/generated/integrations/auth-providers.md.
API governance
- analysis/api-usage-{date}.md quantifies API consumption per user over the last 24 hours. aad.provision@pwg.com.au accounts for roughly 97% of traffic. Confirmed benign 2026-04-24 — bulk SCIM updates from Entra, not a runaway re-sync.
- Hook to extend: mcp-server/scripts/analyse-api-usage.ts. Uses EventLogFile of type API with a 24h window.
Platform Events
TODO confirm. No Platform Events are referenced in the integrations inventory. If any are in use (DocuSign Connect, integration-user callbacks, async Apex fan-out), add them here.
Batch and Queueable Apex
TODO confirm scheduled and Queueable jobs in production. The
ApexJob tooling-API object can enumerate run history if needed.
Observability
- EventLogFile — the mcp-server exposes event_log_files and event_log_download for ad-hoc pull of API, Apex, Login, and Visualforce logs.
- Own for Salesforce — backup + restore of metadata and data.
- SOQL query plans — use the Tooling API /query/?explain= if a specific query is underperforming.
Further reading
- docs/human/integrations.md — business-facing integration map
- docs/generated/integrations/ — auto-generated inventory
- mcp-server/docs/connected-app-setup.md — JWT Bearer reference