NamedCredential

Represents a named credential, which specifies the URL of a callout endpoint and its required authentication parameters in one definition. A named credential can be specified as an endpoint to simplify the setup of authenticated callouts.

All credentials stored within this entity are encrypted under a framework that is consistent with other encryption frameworks on the platform. Salesforce encrypts your credentials by auto-creating org-specific keys. Credentials encrypted using the previous encryption scheme have been migrated to the new framework.

Parent Type

This type extends the Metadata metadata type and inherits its fullName field.

File Suffix and Directory Location

NamedCredential components have the suffix .namedCredential and are stored in the namedCredentials folder.

Version

NamedCredential components are available in API version 33.0 and later.

Special Access Rules

As of Spring ’20 and later, only users with the View Setup and Configuration permission can access this type.

Fields

Field Name Description
allowMergeFieldsInBody
Field Type
boolean
Description
Specifies whether Apex code can use merge fields to populate the HTTP request body with org data when a callout is made. Corresponds to Allow Merge Fields in HTTP Body in the user interface. Defaults to false.

This field is available in API version 41.0 and later.

allowMergeFieldsInHeader
Field Type
boolean
Description
Specifies whether Apex code can use merge fields to populate the HTTP header with org data when a callout is made. Corresponds to Allow Merge Fields in HTTP Header in the user interface. Defaults to false.

This field is available in API version 41.0 and later.

authProvider
Field Type
string
Description
The authentication provider that the AuthProvider component represents.

This field is valid only when NamedCredentialType is set to Legacy.

This field is deprecated in API version 56.0.

authTokenEndpointUrl
Field Type
string
Description
The URL where JWTs are exchanged for access tokens.

This field is valid only when NamedCredentialType is set to Legacy.

First available in API version 46.0, this field is deprecated in API version 56.0 and later.

awsAccessKey
Field Type
string
Description
First part of the access key used to sign programmatic requests to AWS. Use when AWS Signature Version 4 is your authentication protocol.

This field is valid only when NamedCredentialType is set to Legacy.

First available in API version 46.0, this field is deprecated in API version 56.0 and later.

awsAccessSecret
Field Type
string
Description
The second part of the access key that's used to sign programmatic requests to AWS. Use when AWS Signature Version 4 is your authentication protocol.

This field is valid only when NamedCredentialType is set to Legacy.

First available in API version 46.0, this field is deprecated in API version 56.0 and later.

awsRegion
Field Type
string
Description
Specifies which AWS Region the named credential accesses.

This field is valid only when NamedCredentialType is set to Legacy.

First available in API version 46.0, this field is deprecated in API version 56.0 and later.

awsService
Field Type
string
Description
Specifies which AWS resource the named credential accesses.

This field is valid only when NamedCredentialType is set to Legacy.

First available in API version 46.0, this field is deprecated in API version 56.0 and later.

calloutStatus
Field Type
calloutStatus (enumeration of type string)
Description
Specifies whether the named credential is enabled for callouts. Valid values are:
  • Disabled: The named credential is disabled for callouts.
  • Enabled: The named credential is enabled for callouts.

This field is available in API version 59.0 and later.

certificate
Field Type
string
Description
If you specify a certificate, your Salesforce org supplies it when establishing each two-way SSL connection with the external system. The certificate is used for digital signatures, which verify that requests are coming from your Salesforce org.

This field is valid only when NamedCredentialType is set to Legacy.

This field is deprecated in API version 56.0.

description
Field Type
string
Description
A meaningful description of the named credential.

endpoint
Field Type
string
Description
The URL or root URL of the callout endpoint. Corresponds to URL in the user interface.

This field is valid only when NamedCredentialType is set to Legacy.

This field is deprecated in API version 56.0.

generateAuthorizationHeader
Field Type
boolean
Description
Specifies whether Salesforce generates an authorization header and applies it to each callout that references the named credential. Corresponds to Generate Authorization Header in the user interface. Defaults to true.

This field is available in API version 41.0 and later.

jwtAudience
Field Type
string
Description
External service or other allowed recipients for the JWT. Written as JSON, with a quoted string for a single audience and an array of quoted strings for multiple audiences. Single audience example: "aud1" Multiple audiences example: ["aud1", "aud2", "aud3"].

This field is valid only when NamedCredentialType is set to Legacy.

This field is deprecated in API version 56.0.

jwtFormulaSubject
Field Type
string
Description
Formula string calculating the Subject of the JWT. API names and constant strings, in single quotes, can be included. Allows a dynamic Subject unique per user requesting the token. For example, 'User='+$User.Id. Use this field when principalType is set to PerUser. Corresponds to Per User Subject in the user interface.

This field is valid only when NamedCredentialType is set to Legacy.

First available in API version 46.0, this field is deprecated in API version 56.0 and later.

jwtIssuer
Field Type
string
Description
Specify who issued the JWT using a case-sensitive string.

This field is valid only when NamedCredentialType is set to Legacy.

First available in API version 46.0, this field is deprecated in API version 56.0 and later.

jwtSigningCertificate
Field Type
string
Description
Certificate verifying the JWT’s authenticity to external sites.

This field is valid only when NamedCredentialType is set to Legacy.

First available in API version 46.0, this field is deprecated in API version 56.0 and later.

jwtTextSubject
Field Type
string
Description
Static text, without quotes, that specifies the JWT Subject. Use this field when principalType is set to NamedUser. Corresponds to Named Principal Subject in the user interface.

This field is valid only when NamedCredentialType is set to Legacy.

First available in API version 46.0, this field is deprecated in API version 56.0 and later.

jwtValidityPeriodSeconds
Field Type
int
Description
Specify the number of seconds that the token is valid.

This field is valid only when NamedCredentialType is set to Legacy.

First available in API version 46.0, this field is deprecated in API version 56.0 and later.

label
Field Type
string
Description

Required.

A user-friendly name for the named credential that appears in the Salesforce user interface, such as in list views.

namedCredentialParameters
Field Type
NamedCredentialParameter[]
Description
Reference to the (one or more) NamedCredentialParameter used to configure a named credential.

This field is available in API version 56.0 and later.

namedCredentialType
Field Type
NamedCredentialType (enumeration of type string)
Description
Specifies the type or behavior of this named credential. Valid values are:
  • Legacy: The named credential is a legacy type, which means that it doesn’t use the schema introduced in the Winter ’23 release. Used for backward compatibility.
  • PrivateEndpoint: The named credential sends traffic through a private connection, bypassing the public internet. If the credential type is PrivateEndpoint, you must specify the value of OutboundNetworkConnection.
  • SecuredEndpoint: The named credential is extensible and uses external credentials to control authentication and permissions.
  • Standard: Reserved for internal use.

This field is available in API version 56.0 and later.

oauthRefreshToken
Field Type
string
Description
The OAuth refresh token. Used to obtain a new access token for an end user when a token expires.

This field is valid only when NamedCredentialType is set to Legacy.

This field is deprecated in API version 56.0.

oauthScope
Field Type
string
Description
Specifies the scope of permissions to request for the access token. Corresponds to Scope in the user interface.

This field is valid only when NamedCredentialType is set to Legacy.

This field is deprecated in API version 56.0.

oauthToken
Field Type
string
Description
The access token that’s issued by your authorization server.

This field is valid only when NamedCredentialType is set to Legacy.

This field is deprecated in API version 56.0.

outboundNetworkConnection
Field Type
string
Description
Specifies the outbound network connection that uses the named credential to send callouts to AWS.

This field is valid only when NamedCredentialType is set to Legacy.

First available in API version 49.0, this field is deprecated in API version 56.0 and later.

password
Field Type
string
Description
The password to be used by your org to access the external system. Ensure that the credentials have adequate privileges to access the external system. Depending on how you set up access, you might need to provide the administrator password.

This field is valid only when NamedCredentialType is set to Legacy.

This field is deprecated in API version 56.0.

principalType
Field Type
ExternalPrincipalType (enumeration of type string)
Description
Determines whether you're using one set or multiple sets of credentials to access the external system. Corresponds to Identity Type in the user interface. Values are:
  • Anonymous
  • NamedUser
  • PerUser

This field is valid only when NamedCredentialType is set to Legacy.

This field is deprecated in API version 56.0.

protocol
Field Type
AuthenticationProtocol (enumeration of type string)
Description
The authentication protocol that’s required to access the external system. Valid values are:
  • AwsSv4
  • Jwt
  • JwtExchange
  • NoAuthentication
  • Oauth
  • Password

For connections to Amazon Web Services using Signature Version 4, use AwsSv4.

For connections using a direct token system, select Jwt. If using an intermediary authorization provider to process JWTs and return access tokens, use JwtExchange.

For Simple URL data sources, select NoAuthentication.

For cloud-based Files Connect external systems, select Oauth. For on-premises systems, select Password.

This field is valid only when NamedCredentialType is set to Legacy.

This field is deprecated in API version 56.0.

username
Field Type
string
Description
The username to be used by your org to access the external system. Ensure that the credentials have adequate privileges for performing callouts to the external system. Depending on how you set up access, you might need to provide the administrator username.

This field is valid only when NamedCredentialType is set to Legacy.

This field is deprecated in API version 56.0.

NamedCredentialParameter

Represents the parameters that configure a named credential. Named credential parameters are used to configure Named Credential callouts through a combination of the type, name, and value/lookup fields. Available in API version 56.0 and later.

These parameters are used internally to provide a flexible architecture and are exposed here for packaging reasons.

Field Name Description
certificate
Field Type
string
Description
If the value of the parameterType field is ClientCertificate, then this field references the certificate.
description
Field Type
string
Description
A human-readable description of this named credential parameter.
externalCredential
Field Type
string
Description
If the value of the parameterType field is Authentication, then this field references an external credential that in turn references a set of authenticated user credentials.
globalNamedPrincipalCredential
Field Type
boolean
Description
Reserved for internal use.
managedFeatureEnabledCallout
Field Type
boolean
Description
Reserved for internal use.
outboundNetworkConnection
Field Type
string
Description
The lookup field for the OutboundNetworkConnection parameter type. Used when namedCredentialType is PrivateEndpoint.
parameterName
Field Type
string
Description

Required.

The name of the named credential parameter.
parameterType
Field Type
NamedCredentialParamType (enumeration of type string)
Description

Required.

The type of the named credential parameter. Valid values are:
  • AllowedManagedPackageNamespaces: Allows managed packages identified by specified namespaces to use the named credential and make callouts through it.
  • Authentication: Specifies that this parameter configures authentication using the credentials specified in the external credential, referenced by the externalCredential field.
  • ClientCertificate: Specifies that this parameter configures a client certificate, referenced by the certificate field.
  • ConnectionStatus: Reserved for internal use.
  • CreatedByNamespace: Reserved for internal use.
  • CustomParameter: Reserved for internal use.
  • HttpHeader: Allows the user to specify custom headers to be added to the callout at run time. When using HttpHeader, the parameterName field must be the header name as a string, and parameterValue must be a formula of a header value that is evaluated at run time.
  • ManagedByComponent: Reserved for internal use.
  • ManagedByFeature: Reserved for internal use.
  • ManagedByNamespace: Specifies the manageability capabilities for a packaged named credential. The parameterValue indicates whether the named credential uses subscriber-controlled or developer-controlled manageability.
  • NamedCredentialOptions: Reserved for internal use.
  • OutboundNetworkConnection: Specifies a lookup to an outbound network connection. When using this parameter type, the outboundNetworkConnection field is a string representing the lookup. Used when namedCredentialType is PrivateEndpoint.
  • SfHttpRequestExtensionName: Reserved for internal use.
  • StandardNamedCredentialType: Reserved for internal use.
  • Url: Specifies that this parameter configures the URL of the endpoint. Store the actual URL in the parameterValue field.
parameterValue
Field Type
string
Description
If the parameterType field describes a literal value, such as Url, then the literal value is stored in this field, such as https://iam.amazonaws.com/.
readOnlyNamedCredential
Field Type
boolean
Description
Reserved for internal use.
sequenceNumber
Field Type
int
Description
Used to order HttpHeader parameters.
systemUserNamedCredential
Field Type
boolean
Description
Reserved for internal use.

Declarative Metadata Sample Definition

The following is an example of a NamedCredential component.

<?xml version="1.0" encoding="UTF-8"?>
<NamedCredential xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>SampleNamedCredential</label>
    <namedCredentialType>SecuredEndpoint</namedCredentialType>
    <namedCredentialParameters>
        <description>IAM Endpoint</description>
        <parameterName>DefaultEndpoint</parameterName>
        <parameterType>Url</parameterType>
        <parameterValue>https://iam.amazonaws.com/</parameterValue>
    </namedCredentialParameters>
    <namedCredentialParameters>
        <description>AWS Auth</description>
        <parameterName>DefaultAuth</parameterName>
        <parameterType>Authentication</parameterType>
        <externalCredential>SampleExternalCredential</externalCredential>
    </namedCredentialParameters>
    <namedCredentialParameters>
        <description>Cert</description>
        <parameterName>DefaultCert</parameterName>
        <parameterType>ClientCertificate</parameterType>
        <certificate>MyCertificate</certificate>
    </namedCredentialParameters>
    <allowMergeFieldsInBody>true</allowMergeFieldsInBody>
    <allowMergeFieldsInHeader>true</allowMergeFieldsInHeader>
    <generateAuthorizationHeader>true</generateAuthorizationHeader>
</NamedCredential>

The following is an example package.xml that references the previous definition.

<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>*</members>
        <name>NamedCredential</name>
    </types>
    <version>56.0</version>
</Package>

Wildcard Support in the Manifest File

This metadata type supports the wildcard character * (asterisk) in the package.xml manifest file. For information about using the manifest file, see Deploying and Retrieving Metadata with the Zip File.
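
A check a reviewer can run over retrieved .namedCredential files before they are committed or deployed, written for this page as an added example rather than taken from Salesforce: it flags the legacy secret-bearing fields, the merge-field options when enabled, and non-HTTPS endpoint URLs from the field tables above. The function names, finding labels, and the SAMPLE_LEGACY input are constructed for illustration, and treating a missing namedCredentialType as Legacy is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Legacy fields from the field table above that hold secret material.
SECRET_FIELDS = ("password", "oauthToken", "oauthRefreshToken", "awsAccessSecret")
MERGE_FLAGS = ("allowMergeFieldsInBody", "allowMergeFieldsInHeader")


def field_text(node, tag):
    """Text of a direct child element, or '' when it is absent or empty."""
    return (node.findtext(f"md:{tag}", "", NS) or "").strip()


def audit_named_credential(xml_text):
    """Return review findings for the contents of one .namedCredential file."""
    root = ET.fromstring(xml_text)
    findings = []
    # Assumption: a file with no namedCredentialType predates API 56.0, so Legacy.
    if (field_text(root, "namedCredentialType") or "Legacy") == "Legacy":
        findings.append("legacy-type")
    for name in SECRET_FIELDS:
        if field_text(root, name):
            findings.append(f"secret-in-file:{name}")
    for name in MERGE_FLAGS:  # both default to false
        if field_text(root, name).lower() == "true":
            findings.append(f"merge-fields:{name}")
    # Endpoint URLs: the legacy endpoint field plus every Url-typed parameter.
    urls = [field_text(root, "endpoint")]
    for param in root.findall("md:namedCredentialParameters", NS):
        ptype = field_text(param, "parameterType")
        if ptype == "Url":
            urls.append(field_text(param, "parameterValue"))
        elif ptype == "AllowedManagedPackageNamespaces":
            findings.append(f"package-access:{field_text(param, 'parameterName')}")
    findings += [f"non-https:{u}" for u in urls if u and not u.lower().startswith("https://")]
    return findings


# Constructed sample: a legacy definition with a cleartext endpoint and a password.
SAMPLE_LEGACY = """<?xml version="1.0" encoding="UTF-8"?>
<NamedCredential xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>LegacyExample</label>
    <endpoint>http://erp.example.com/api</endpoint>
    <principalType>NamedUser</principalType>
    <protocol>Password</protocol>
    <username>svc_callout</username>
    <password>placeholder-not-a-real-secret</password>
</NamedCredential>"""

if __name__ == "__main__":
    print(audit_named_credential(SAMPLE_LEGACY))
```

Run against the SecuredEndpoint sample definition on this page, the same function reports only the two merge-field options, which that sample sets to true.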