Named Credentials Glossary

The Named Credentials Schema

These terms are commonly used with named credentials.

External Credential

An external credential encapsulates the details of how Salesforce authenticates to a remote system. It specifies the authentication protocol to be used, such as OAuth or AWS Signature v4, and the details needed for that protocol, such as an AWS region. It also holds a list of principals, which helps define which users can use the credential to make a callout. It can contain custom headers to provide further authentication parameters.

A callout references a named credential, which in turn links to an external credential.

Named Credential

A named credential specifies the URL of a callout endpoint and its required authentication parameters in one definition. Using a named credential as a callout endpoint obviates the need to hard-code a URL and authentication information into, for example, Apex code.

Named credentials come in three types:


The named credential includes an endpoint’s transport protocol as secured through transport layer security (TLS).


The named credential sends traffic through a private connection, bypassing the public internet.


A legacy named credential specifies the URL of a callout endpoint and its required authentication parameters in one definition.

Legacy named credentials are deprecated and will be discontinued in a future release.

Named Credentials

The phrase “named credentials” is used throughout the documentation to refer to the broader feature set and architecture described here, including, but not limited to, callouts, authentication management, and encrypted token storage.

Named Principal

The phrase “named principal” is used to describe a principal in which the same credential or authentication configuration is shared by all users in a given org. Named principal authentication contrasts with per-user authentication, which provides access control at the individual user level.


The actor that connects to the remote system via callout. The principal can be a single “service account” or “integration user,” or in a per-user scenario, an individual human user.

Principals are mapped in external credentials to a permission set, profile, or permission set group to grant a set of Salesforce users permission to use that principal in a callout. Other major public cloud providers, such as AWS, also use the term “principal” to refer to a system process or human user that takes action on a defined resource.

User External Credential

The user external credential object stores encrypted tokens used by named credentials, which are passed to an external system during a callout. Users need the appropriate level of access to this object so the tokens can be read from their secure storage and passed along.

Though the runtime behavior of named credentials reads the tokens from the user external credential object, there’s no access to this object’s records from SOQL, Apex, or the APIs. The tokens can be deleted programmatically using a special method in the Connect API.

Named credentials reference external credentials, which specify authentication protocols and authorization information. In turn, external credentials use user external credentials to store encrypted authentication tokens.