Upgrade a Named Credentials Managed Package

After your package is deployed, you can modify its metadata and reinstall it in the target org to deploy its changes. For example, you can update Apex classes and Lightning components. We recommend upgrading a managed package only to deploy small changes to the named credential configuration, such as an updated custom header.

In some cases, it doesn’t make sense to upgrade named credentials via a managed package. For example, if you update the authentication protocol that ensures secure communication between Salesforce and the external system, we recommend creating a new external credential in your development environment instead. Then, you can package the new external credential, deploy it across orgs, and update the existing named credential to use the new external credential.

Upgrading named credentials doesn’t overwrite or delete the populated principals. When you populated the access tokens in the external credential’s principal, Salesforce automatically stored the encrypted token in the User External Credentials object. The external credential’s Name field links the user external credential to the external credential.

Because user external credentials can’t be packaged, Salesforce retains the encrypted tokens when you upgrade named credentials in a managed package. And because you can’t change the name of the external credential when you upgrade named credentials in a managed package, the user external credential is still linked to the named credential. Users can still make authenticated callouts using the encrypted access tokens in the user external credential.