What You Need to Know About Salesforce’s External Client Apps to Enhance Security
Which OAuth flows are actually secure for Salesforce integrations? Learn from Salesforce security expert Samarth Ahuja as he breaks down the security levels of every OAuth flow, from web server flow (high security) to the deprecated username password flow, and explains when to use JWT bearer flow versus client credentials flow for machine-to-machine integrations.

Samarth provides a comprehensive deep dive into Salesforce's External Client Apps (ECAs), the modern replacement for connected apps, with live demonstrations showing how to create and configure ECAs with proper security settings.

Learn critical integration best practices including principle of least privilege, IP whitelisting strategies, OAuth scope management, credential rotation schedules, protecting PII in APIs, leveraging named credentials, and monitoring token usage to catch compromises early. This is essential knowledge for any Salesforce professional managing secure integrations.

Timecodes
00:00 - Introduction & Housekeeping
04:36 - Meet Samarth Ahuja
06:16 - Last Week's Recap
06:46 - Hot Off the Press: Allow Any API Client Postponement
08:20 - Today's Topic Introduction
09:46 - OAuth Flows Security Overview
11:51 - Client Credentials Flow Explained
12:52 - JWT Bearer Flow vs Client Credentials
14:01 - Device Flow & Deprecated Username Password Flow
15:13 - What Are External Client Apps (ECAs)?
17:26 - Why ECAs Are Better Than Connected Apps
20:24 - Live Demo: Creating an External Client App
22:49 - Configuring OAuth Settings & Scopes
26:09 - Managing Client Credentials Flow
29:10 - Monitoring OAuth Usage & Token Access
31:24 - ECA Metadata Structure for Developers
34:51 - Connected Apps vs External Client Apps Comparison
37:15 - Integration Security Best Practices
39:35 - IP Whitelisting & Session Policies
43:03 - Protecting Sensitive Data in APIs
44:07 - Named Credentials & Token Monitoring
46:05 - IP Restriction Deep Dive Discussion
51:50 - Salesforce Ben Hack Challenge Announcement
54:08 - Q&A: JWT vs Client Credentials
56:13 - Q&A: Fallback Mechanisms & Token Refresh

