Client applications that access your organization's Salesforce data are subject to the same security protections that are used in the Salesforce user interface. Additional protection is available for organizations that install Force.com AppExchange managed packages if those packages contain components that access Salesforce via the API.
Client applications must log in using valid credentials for an organization. The server authenticates these credentials and, if valid, provides the client application with:
Salesforce supports only the Transport Layer Security (TLS) protocol and frontdoor.jsp. Ciphers must have a key length of at least 128 bits.
An organization's Salesforce administrator controls the availability of various features and views by configuring profiles and permission sets, and assigning users to them. To access the API (to issue calls and receive the call results), a user must be granted the “API Enabled” permission. Client applications can query or update only those objects and fields to which they have access via the permissions of the logged-in user.
To create, edit, or delete a profile, from Setup, enter Profiles in the Quick Find box, then select Profiles in the Salesforce user interface. To create, edit, or delete a permission set, from Setup, enter Permission Sets in the Quick Find box, then select Permission Sets.
A security token is a case-sensitive alphanumeric key that Salesforce generates automatically. For example, if a user's password is mypassword and the security token is XXXXXXXXXX, the user enters mypasswordXXXXXXXXXX in the password field to log in. Some client applications instead provide a separate field for the security token.
Users obtain their security token by resetting it, or by changing their password, in the Salesforce user interface. In either case Salesforce sends the new security token to the email address on the user's Salesforce record. The token remains valid until the user resets it, changes their password, or has their password reset.
For more information about tokens, see “Reset Your Security Token” in the Salesforce online help.
When a user's password is changed, the user's security token is automatically reset. Until then the user is blocked from logging in through the API: the login succeeds only once the user appends the newly generated security token to the new password, or once an administrator adds the user's IP address to the organization's list of trusted IP addresses, after which the new password alone is accepted.
If Single Sign-On (SSO) is enabled for your organization, users who access the API or a desktop client cannot log in to Salesforce unless their IP address is included in your organization's list of trusted IP addresses or, if their profile has IP address restrictions set, in the profile's login IP ranges. Furthermore, the delegated authentication authority usually handles login lockout policies for users with the “Uses Single Sign-On” permission. However, if the security token is enabled for your organization, then your organization's login lockout settings determine the number of times a user can attempt to log in with an invalid security token before being locked out of Salesforce. For more information, see “Setting Login Restrictions” and “Setting Password Policies” in the online help.
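As an added example (not code from the Salesforce documentation), the following Python script builds a SOAP API login() request in which the security token is appended to the password exactly as described above, parses a loginResponse to extract the session ID and server URL that subsequent calls need, and recognizes a SOAP Fault such as INVALID_LOGIN. The endpoint URL, the API version, the element names taken from the Partner WSDL, and both sample responses are assumptions constructed for offline use; nothing is sent over the network.

```python
"""Added example: SOAP API login() with username, password and security token.

The token is appended to the password when the client is outside the org's
trusted IP ranges; from a trusted IP the password alone is accepted. Sample
responses below are constructed, not captured from a real org.
"""
from typing import Optional
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER_NS = "urn:partner.soap.sforce.com"  # Partner WSDL namespace (assumed)
LOGIN_URL = "https://login.salesforce.com/services/Soap/u/58.0"  # version assumed

ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("urn", PARTNER_NS)


def api_password(password: str, security_token: Optional[str], from_trusted_ip: bool) -> str:
    """Credential placed in <password>: password+token outside trusted IP ranges,
    password alone from a trusted IP."""
    if from_trusted_ip:
        return password
    if not security_token:
        raise ValueError("security token required when logging in from an untrusted IP")
    return password + security_token


def build_login_envelope(username: str, password: str, security_token: Optional[str] = None,
                         from_trusted_ip: bool = False) -> bytes:
    """Serialize the login() request body sent to LOGIN_URL."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    login = ET.SubElement(body, f"{{{PARTNER_NS}}}login")
    ET.SubElement(login, f"{{{PARTNER_NS}}}username").text = username
    ET.SubElement(login, f"{{{PARTNER_NS}}}password").text = api_password(
        password, security_token, from_trusted_ip)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_login_response(xml_bytes: bytes) -> dict:
    """Return session details on success, or the fault code/string on failure."""
    root = ET.fromstring(xml_bytes)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is not None:
        # SOAP 1.1 faultcode/faultstring are unqualified children of Fault
        return {"ok": False,
                "fault_code": fault.findtext("faultcode", ""),
                "fault_string": fault.findtext("faultstring", "")}
    result = root.find(f".//{{{PARTNER_NS}}}result")
    if result is None:
        raise ValueError("no loginResponse/result in response")
    return {"ok": True,
            "session_id": result.findtext(f"{{{PARTNER_NS}}}sessionId"),
            "server_url": result.findtext(f"{{{PARTNER_NS}}}serverUrl"),
            "password_expired": result.findtext(f"{{{PARTNER_NS}}}passwordExpired") == "true"}


def build_query_envelope(session_id: str, soql: str) -> bytes:
    """Later calls are posted to serverUrl and carry the session ID in a SessionHeader;
    the query is still limited to objects and fields the logged-in user may access."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sh = ET.SubElement(header, f"{{{PARTNER_NS}}}SessionHeader")
    ET.SubElement(sh, f"{{{PARTNER_NS}}}sessionId").text = session_id
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    q = ET.SubElement(body, f"{{{PARTNER_NS}}}query")
    ET.SubElement(q, f"{{{PARTNER_NS}}}queryString").text = soql
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


# Constructed sample responses (shape follows the Partner WSDL; values are fake)
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns="urn:partner.soap.sforce.com">
 <soapenv:Body><loginResponse><result>
  <passwordExpired>false</passwordExpired>
  <serverUrl>https://example.my.salesforce.com/services/Soap/u/58.0/00D000000000000</serverUrl>
  <sessionId>00D000000000000!CONSTRUCTED_SESSION_ID</sessionId>
 </result></loginResponse></soapenv:Body>
</soapenv:Envelope>"""

SAMPLE_FAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:sf="urn:fault.partner.soap.sforce.com">
 <soapenv:Body><soapenv:Fault>
  <faultcode>sf:INVALID_LOGIN</faultcode>
  <faultstring>INVALID_LOGIN: Invalid username, password, security token; or user locked out.</faultstring>
 </soapenv:Fault></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    req = build_login_envelope("user@example.com", "mypassword", "XXXXXXXXXX")
    print(req.decode())  # <password> holds mypasswordXXXXXXXXXX
    session = parse_login_response(SAMPLE_OK)
    print(build_query_envelope(session["session_id"], "SELECT Id FROM Account LIMIT 1").decode())
    print(parse_login_response(SAMPLE_FAULT))
```

The request is what a client would POST to LOGIN_URL with a `SOAPAction` header; the decision to append the token is deliberately an explicit parameter, because a client cannot tell from its own side whether its source address falls inside the organization's trusted ranges, and an INVALID_LOGIN fault is the only signal when it guessed wrong.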
Certain objects can be created or deleted only in the Salesforce user interface. Other objects are read-only—client applications cannot create(), delete(), or update() such objects. Similarly, certain fields within some objects can be specified on create() but not on update(). Other fields are read-only—client applications cannot specify field values in create() or update() calls. For more information, see the respective object descriptions in Object Basics.
Editing API access for a package is done in the Salesforce user interface. For more information, see “Manage API and Dynamic Apex Access in Packages” in the Salesforce online help.
API access for a package affects the API requests originating from components within the package; it determines the objects that the API requests can access. If the API access for a package is not defined, then the objects that the API requests have access to are determined by the user's permissions.
The API access for a package never allows users to do more than the permissions granted to the user. API access in a package only reduces what the user's permissions allow.
Choosing Restricted for the API Access setting in a package affects the following:
To manage API access to packages, see “Manage API and Dynamic Apex Access in Packages” in the Salesforce online help.
For security reasons, Salesforce restricts the outbound ports you may specify to one of the following:
The port restriction applies to any feature where a port is specified, for example outbound messages, the AJAX proxy, or single sign-on.