Tuesday, April 8, 2025

How to securely configure and use API keys and secrets in Salesforce Apex classes

To securely configure and use API keys and secrets in Salesforce Apex classes, leverage Custom Metadata Types with protected visibility, or Named Credentials for external service integration, ensuring sensitive data is not hardcoded

 1. Custom Metadata Types (for general secrets):

  • Create a Custom Metadata Type:
    Define a new custom metadata type to store your API keys and other secrets.
Mark as Protected:
  • Set the visibility of the custom metadata type to "Protected" to restrict access. 
Store Secrets:
  • Create records within the custom metadata type and store your API keys and other secrets in the fields. 
Access in Apex:
  • Query the custom metadata records in your Apex code using Metadata.get()Metadata.getAll() or SOQL to retrieve the secrets. 
  • Example:
// Retrieve API key from Custom Metadata Custom_Metadata_Type__mdt[] records = [SELECT Value__c
FROM Custom_Metadata_Type__mdt WHERE DeveloperName = 'MyApiKey']; String apiKey = records[0].Value__c;

2. Named Credentials (for external service authentication):
  • Define Named Credential: Create a named credential to represent the external service you're interacting with.
  • Specify Authentication Protocol: Choose the appropriate authentication protocol (e.g., API Key, OAuth).
  • Store API Key: Store the API key as an authorization parameter or in a custom header within the named credential.
  • Use in Apex: Use the named credential in your Apex code to make HTTP calls to the external service.
  • Example: 
// Make an HTTP request using a named credential HttpRequest req = new HttpRequest(); req.setEndpoint('https://example.com/api'); req.setMethod('GET'); req.setHeader('X-API-Key', NamedCredential.getApiKey()); // Access API key from named credential HTTPResponse res = new Http().send(req);

3. Best Practices:
  • Never Hardcode Secrets: Avoid storing API keys and other secrets directly in your Apex code. 
  • Use Environment Variables (for Managed Packages): If you're building a managed package, consider storing secrets in environment variables during the build process and injecting them into the package metadata. 
  • Secure Storage: Use the platform's built-in features for secure storage, such as protected custom metadata and named credentials. 
  • Principle of Least Privilege: Grant only the necessary permissions to access the secrets. 
  • Regularly Rotate Secrets: Periodically rotate your API keys and other secrets to minimize the risk of exposure. 
  • Avoid Displaying Secrets to Users: Never display secrets to users in the UI or logs. 

Reference:

[1] https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_storing_sensitive_data.htm
[2] https://salesforce.stackexchange.com/questions/359105/best-practices-for-storing-api-key
[3] https://trailhead.salesforce.com/content/learn/modules/secure-secrets-storage/protect-secrets-using-platform-features




Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Posts (Atom)