ISVforce Guide

ISVforce Guide: Build and Distribute AppExchange Solutions
Get Ready to Distribute on AppExchange
Use Managed Packages to Develop Your AppExchange Solution
Manage Orgs with Environment Hub
Architectural Considerations for Group and Professional Editions
Security Requirements for AppExchange Partners and Solutions
Security Policy Requirements
Prevent Secure Coding Violations
Secure Your B2C Commerce Solution
Secure Your Tableau Accelerator
Secure Your Agentforce Solution
Secure Your Connected Apps and External Client Apps
Pass the AppExchange Security Review
Manage Your AppExchange Listings
AgentExchange Go-To-Market App Guide
Sell on AppExchange with Checkout
Report Orders to Salesforce with the Channel Order App
Provide Free Trials of Your AppExchange Solution
OEM User License Guide
PDF

Secure Your Connected Apps and External Client Apps

These requirements apply to any Connected App or External Client App (ECA) that is included or used in connection with a Partner Application, provided or created by the Partner, and in use by more than two customer production orgs.

These requirements include specific deadlines for compliance. Failure to comply may result in the Partner Application’s AppExchange de-listing and/or Salesforce’s temporary or permanent suspension of the Partner Application’s interoperation with Salesforce’s services.

Important

Starting in the Spring ‘26 release, you can't create new Connected Apps. Use ECAs instead. For more information, see New Connected Apps Can No Longer Be Created in Spring ‘26 for Salesforce.

Note

Proof Key for Code Exchange

PKCE (Proof Key for Code Exchange) protects the OAuth authorization code flow against interception attacks on authorization code, especially for public clients, like mobile apps. Partners must enable PKCE in the OAuth settings of their Salesforce Connected Apps and ECAs, regardless of whether the client is public or confidential.

After PKCE is enabled, partners won't be permitted to disable.

Note

For Public Clients, the token exchange request must not include the client_secret parameter. The presence of the correct code_verifier parameter is the only mechanism for verifying the client's identity.

For Confidential Clients, the token exchange request must include both the code_verifier parameter, for code binding, and the client_secret parameter, for client authentication, in the /services/oauth2/token endpoint request.

Partners must also make sure that they implement the client changes referenced below. After PKCE is enabled, the Partner Application’s Connected Apps and ECAs won't work unless the client changes listed below are implemented.

Client changes:

  • Generate code_verifier parameter: Create a high-entropy, random string (43-128 chars).
  • Create code_challenge parameter: Hash the code_verifier, using SHA256 and BASE64URL to encode it.
  • Authorization request: Include code_challenge and code_challenge_method=S256 parameters in the request to the authorization server.
  • Token request: Send the original code_verifier parameter, not the hash, when exchanging the authorization code for an access token.

For more information, see Enabling PKCE for OAuth for Salesforce External Client and Connected Apps and Proof Key for Code Exchange (PKCE) Extension.

Refresh Token Rotation

Refresh Token Rotation (RTR) enhances security by invalidating the old refresh token, and replacing it with a new refresh token, after a new access token is issued. Stolen tokens are invalidated upon the next refresh token flow, which limits the window of opportunity for an attacker if a refresh token is compromised. It's a critical defense against long-term session hijacking.

Partners must have RTR enabled in the OAuth settings of all of their Salesforce Connected Apps and ECAs.

After RTR is enabled, Partners won't be permitted to disable.

Note

Partners must also make sure that they implement the client changes referenced below. After RTR is enabled, the Partner Application’s Connected Apps and ECAs won't work unless the client changes listed below are implemented.

Client changes:

  • Implement code changes to capture the new refresh token returned by the refresh token flow and store the new refresh token securely.
  • Implement robust error handling to detect when a refresh token is rejected. Sometimes a failed refresh token flow indicates that the token was compromised.
  • Applications that make parallel refresh token flow requests may encounter potential race conditions where multiple requests try to use the same, about-to-be-invalidated refresh token. Your client implementation should handle potential race conditions.

For more information, see Force one-time-use Refresh Tokens - (RTR) Refresh Token Rotation and OAuth 2.0 Refresh Token Flow for Renewed Sessions.

Deadlines for Implementation

All Partners must implement the preceding requirements for Connected Apps and ECAs by the deadlines set forth below.

Security Feature Compliance Due Date
OAuth PKCE May 11, 2026
OAuth Refresh Token Rotation May 11, 2026

Failure to comply may result in the Partner Application’s AppExchange de-listing and/or Salesforce’s temporary or permanent suspension of the Partner Application’s interoperation with Salesforce’s services.

Important

Report Suspicious Activity

Any suspicious activity or security incidents that impact a Partner’s applications or solutions and/or the customer integrations with a Partner’s applications or solutions must be reported by the Partner immediately to the Salesforce security team by emailing security@salesforce.com for further investigation.