Experience Cloud Developer Guide
Unauthenticated Guest User Guidelines
Consider these guidelines about record ID encryption and providing different levels
of access to unauthenticated guest users before you choose a declarative or custom access
control model.
- Encrypt Record IDs for Guest Users
  For security reasons, don’t allow guest users to look up records by record ID unless you want the record to be public. When a guest user creates a record and wants to access it later, create an encrypted string that uses a combination of the record ID, record creation timestamp, and a current timestamp. The encrypted string acts as a unique identifier for the record that only the record creator has. At a later date, the Apex code that handles the request requires the guest user to submit the encrypted string. That Apex code decrypts the string to get the record ID and other record identifiers, and it retrieves or updates the requested record.
- Give Guest Users Access to Read Records
  When you allow guest users access to read record data, you expose your data to the public. Review our guidelines, and design your implementation to allow the necessary access to guest users without compromising your data.
- Give Guest Users Access to Create Records
  To let guest users create object records, configure the guest user profile to include create access for the desired object.
- Give Guest Users Access to Update Records
  To allow guest users to update records, perform the action in the system context without sharing. As a best practice, before you allow a user to update a record, verify an encrypted token previously provided to the user. To ensure that it’s the correct record, verify information about the record, such as its creator.
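
The token flow described under "Encrypt Record IDs for Guest Users" and the token check under "Give Guest Users Access to Update Records" can be sketched as follows. This is an added example, not code from the guide: the class name `GuestRecordToken`, the use of `Case`, and the keys passed to the constructor are assumptions. The HMAC over the ciphertext and the use of the issue timestamp as an expiry are additions beyond what the text specifies.

```apex
// Added example: class name, Case object, and key handling are assumptions.
public without sharing class GuestRecordToken {
    private final Blob encKey; // 32-byte AES-256 key, kept server-side only
    private final Blob macKey; // separate key for the HMAC

    public GuestRecordToken(Blob encKey, Blob macKey) {
        this.encKey = encKey;
        this.macKey = macKey;
    }

    // c must be queried after insert so that Id and CreatedDate are populated.
    public String issue(Case c) {
        String payload = String.join(new List<String>{
            String.valueOf(c.Id),
            String.valueOf(c.CreatedDate.getTime()),
            String.valueOf(System.now().getTime())
        }, '|');
        Blob ct = Crypto.encryptWithManagedIV('AES256', encKey, Blob.valueOf(payload));
        Blob mac = Crypto.generateMac('hmacSHA256', ct, macKey);
        // Base64 contains '+', '/' and '='; URL-encode the token before using it in a link.
        return EncodingUtil.base64Encode(ct) + '.' + EncodingUtil.base64Encode(mac);
    }

    // Returns the record, or null if the token is malformed, altered, expired, or stale.
    public Case resolve(String token, Integer maxAgeDays) {
        try {
            List<String> parts = token.split('\\.');
            if (parts.size() != 2) { return null; }
            Blob ct = EncodingUtil.base64Decode(parts[0]);
            Blob mac = EncodingUtil.base64Decode(parts[1]);
            // Authenticate before decrypting: CBC ciphertext alone is malleable.
            if (!Crypto.verifyHMac('hmacSHA256', ct, macKey, mac)) { return null; }
            List<String> f = Crypto.decryptWithManagedIV('AES256', encKey, ct)
                .toString().split('\\|');
            if (f.size() != 3) { return null; }
            Id recordId = Id.valueOf(f[0]);
            Long createdMs = Long.valueOf(f[1]);
            Long ageMs = System.now().getTime() - Long.valueOf(f[2]);
            if (ageMs < 0 || ageMs > maxAgeDays * 86400000L) { return null; }
            List<Case> rows = [SELECT Id, Subject, CreatedDate
                               FROM Case WHERE Id = :recordId LIMIT 1];
            // The creation timestamp in the token must match the stored record.
            if (rows.isEmpty() || rows[0].CreatedDate.getTime() != createdMs) { return null; }
            return rows[0];
        } catch (Exception e) {
            return null; // null token, bad Base64, bad padding, or invalid Id
        }
    }
}
```

Every failure path returns the same `null`, so a guest caller cannot tell a forged token from an expired one or from a record that does not exist.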