Authentication & Security
Suger connects to your Salesforce org via the OAuth 2.0 Authorization Code flow with PKCE (RFC 7636). The Suger External Client App is configured for compliance with Salesforce’s May 2026 security mandate.
What Suger never sees
- Your Salesforce user’s password. The user authenticates directly with Salesforce, and only a single-use authorization code is returned to Suger.
- A static API key or long-lived bearer token for your org. Every API call uses a short-lived access token obtained through the OAuth flow.
- Its own client secret outside its backend. The secret is used only in the server-side token exchange and is never exposed to the browser.
Mandate-compliant authentication
The Suger External Client App enforces the four security controls required by Salesforce’s May 2026 mandate. They are configured at the app level and travel with the managed package install, so you do not configure them per org.
| Control | What it does |
|---|---|
| PKCE (RFC 7636) | The authorization code is bound to a one-time code_verifier that only Suger’s backend holds; the browser carries only its SHA-256 code_challenge. An authorization code intercepted in transit cannot be redeemed at the token endpoint without the verifier. |
| Refresh Token Rotation | Every refresh issues a new refresh token (RT) and retires the previous one. If a retired RT is ever presented again, Salesforce treats it as reuse and revokes the entire grant, so a leaked RT is useless after the next legitimate refresh, and any attempt to use it is detected. |
| Idle TTL: 30 days | A refresh token that goes unused for 30 days is revoked automatically. Suger’s refresh cron runs every 30 minutes and rotates the token roughly every two hours, keeping the idle timer far below this limit. |
| IP Allowlist | Refresh requests are only accepted from Suger’s published NAT egress IPs. Contact support for the current list. |
Authorization flow (first-time connect)
- Browser redirect to Salesforce with a PKCE code_challenge and a signed state parameter.
- User consent at Salesforce (SSO/MFA per your org policy).
- Authorization code returned to Suger’s callback.
- Server-side token exchange with the code_verifier, returning an access token and a refresh token. Neither passes through the browser.
- Credentials stored in AWS Secrets Manager (KMS-encrypted, IAM-scoped).
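The exchange described above, modelled end to end, as an added example that is not Suger’s or Salesforce’s code. The MockAuthServer class stands in for the Salesforce authorize and token endpoints, PkceClient for the integration backend, and the client id, secret, redirect URL and state-signing key are made up for the demo. It also shows the failure case the PKCE control exists for: a captured authorization code redeemed without the verifier.

```python
"""PKCE authorization-code exchange, both sides, runnable offline.

Added example, not Suger's or Salesforce's code. MockAuthServer stands in
for the Salesforce /authorize and /token endpoints and PkceClient for the
integration backend; client ids, secrets and URLs are made up for the demo.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url with the '=' padding stripped, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC minimum."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class MockAuthServer:
    """Issues single-use codes bound to a challenge; redeems each code once."""

    def __init__(self, clients):
        self.clients = clients    # client_id -> client_secret (demo registration)
        self.pending = {}         # code -> (client_id, challenge, redirect_uri)

    def authorize(self, client_id, redirect_uri, code_challenge, method):
        # The user authenticates here (password, SSO, MFA). The server stores
        # only the challenge; it never learns the verifier at this step.
        if method != "S256" or client_id not in self.clients:
            raise ValueError("authorize request rejected")
        code = secrets.token_urlsafe(24)
        self.pending[code] = (client_id, code_challenge, redirect_uri)
        return code

    def token(self, client_id, client_secret, code, code_verifier, redirect_uri):
        entry = self.pending.pop(code, None)      # pop: a replayed code finds nothing
        if entry is None:
            return None
        bound_client, challenge, bound_redirect = entry
        ok = ((bound_client, bound_redirect) == (client_id, redirect_uri)
              and hmac.compare_digest(client_secret, self.clients[client_id])
              and hmac.compare_digest(make_challenge(code_verifier), challenge))
        if not ok:
            return None   # wrong client, wrong secret, or a code without its verifier
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": secrets.token_urlsafe(16)}


class PkceClient:
    """Confidential client: verifier and secret stay server-side; the browser
    is handed only the challenge and an HMAC-signed state."""

    def __init__(self, server, client_id, client_secret, redirect_uri, state_key):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.state_key, self.sessions = state_key, {}   # sessions: state -> verifier

    def _sign(self, nonce):
        return hmac.new(self.state_key, nonce.encode(), "sha256").hexdigest()

    def start(self):
        """Step 1: query parameters for the browser redirect to /authorize."""
        verifier, nonce = make_verifier(), secrets.token_urlsafe(16)
        state = f"{nonce}.{self._sign(nonce)}"
        self.sessions[state] = verifier
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "code_challenge": make_challenge(verifier),
                "code_challenge_method": "S256", "state": state}

    def callback(self, code, state):
        """Steps 3-4: check the state signature, then exchange code + verifier."""
        nonce, _, sig = state.partition(".")
        if not hmac.compare_digest(sig, self._sign(nonce)):
            raise ValueError("state signature invalid")
        verifier = self.sessions.pop(state, None)   # one-shot: blocks a replayed callback
        if verifier is None:
            raise ValueError("unknown or already-used state")
        return self.server.token(self.client_id, self.client_secret, code,
                                 verifier, self.redirect_uri)


def exchange(attacker=False):
    """Full flow. With attacker=True the captured code is redeemed by someone
    who even knows the client secret but must guess the verifier."""
    server = MockAuthServer({"suger-demo": "demo-secret"})      # made-up registration
    client = PkceClient(server, "suger-demo", "demo-secret",
                        "https://example.invalid/callback", b"state-signing-key")
    p = client.start()                                            # browser redirect
    code = server.authorize(p["client_id"], p["redirect_uri"],
                            p["code_challenge"], p["code_challenge_method"])
    if attacker:
        return server.token("suger-demo", "demo-secret", code,
                            make_verifier(), p["redirect_uri"])   # S256 check fails
    return client.callback(code, p["state"])                      # legitimate callback
```

The state is signed rather than merely random so that the callback can reject a forged value before touching the session table, and both the code and the state are consumed on first use, so a replayed callback fails the same way a stolen code does.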
Automatic refresh
Access tokens live for about 2 hours (set by your org’s Session Policy). Before one expires, with a 3-minute safety buffer, Suger exchanges the refresh token for a new access/refresh pair. A cross-pod distributed lock serializes refreshes per integration, so two workers never present the same refresh token and trip RTR reuse detection. The rotated credentials are written to AWS Secrets Manager, and read-after-write consistency is verified before the lock is released.
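The refresh logic and the reuse-detection failure it guards against, as an added example that is not Suger’s or Salesforce’s code. MockTokenServer stands in for the Salesforce token endpoint (rotation, reuse detection and the idle TTL from the controls table), SecretStore for AWS Secrets Manager, and an in-process threading.Lock for the cross-pod distributed lock; the lifetimes and token values are assumed for the demo. Two pods read the same credentials, both find the access token inside the buffer, and both try to refresh: without the lock the second pod presents a retired refresh token and the grant is revoked, with the lock it re-reads the store and skips.

```python
"""Refresh-token rotation, reuse detection, idle TTL and the per-integration
lock, modelled offline.

Added example, not Suger's or Salesforce's code. MockTokenServer stands in
for the Salesforce /token endpoint, SecretStore for AWS Secrets Manager and
a threading.Lock for the cross-pod distributed lock; lifetimes and token
values are assumed for the demo.
"""
import secrets
import threading

ACCESS_TTL = 2 * 60 * 60        # access tokens live ~2 h
REFRESH_BUFFER = 3 * 60         # refresh 3 min before expiry
IDLE_TTL = 30 * 24 * 60 * 60    # a refresh token unused for 30 days is revoked


class MockTokenServer:
    """Each refresh retires the old RT; presenting a retired RT kills the grant."""

    def __init__(self, first_rt, issued_at):
        self.current_rt, self.last_used = first_rt, issued_at
        self.retired, self.revoked, self.refreshes = set(), False, 0

    def refresh(self, rt, now):
        if self.revoked:
            return None
        if rt in self.retired:               # RTR reuse detected: revoke the grant
            self.revoked, self.current_rt = True, None
            return None
        if rt != self.current_rt:
            return None                      # unknown token
        if now - self.last_used > IDLE_TTL:  # idle TTL exceeded
            self.revoked = True
            return None
        self.retired.add(rt)
        self.current_rt, self.last_used = secrets.token_urlsafe(16), now
        self.refreshes += 1
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": self.current_rt, "expires_at": now + ACCESS_TTL}


class SecretStore:
    """Stand-in for Secrets Manager: versioned put/get so a pod can verify its write."""

    def __init__(self, initial):
        self.value, self.version = dict(initial), 1

    def get(self):
        return dict(self.value), self.version

    def put(self, value):
        self.value, self.version = dict(value), self.version + 1
        return self.version


def needs_refresh(creds, now):
    return creds["expires_at"] - now <= REFRESH_BUFFER


class Pod:
    """One worker. It acts on a credential snapshot it read earlier, which may
    already be stale if a sibling pod rotated in the meantime."""

    def __init__(self, server, store, lock):
        self.server, self.store, self.lock = server, store, lock

    def maybe_refresh(self, snapshot, now, use_lock=True):
        if not needs_refresh(snapshot, now):
            return "fresh"
        if not use_lock:
            return self._rotate(snapshot, now)   # races a sibling pod
        with self.lock:
            current, _ = self.store.get()        # re-read under the lock
            if not needs_refresh(current, now):
                return "skipped"                 # sibling already rotated
            return self._rotate(current, now)    # lock released only after the verify

    def _rotate(self, creds, now):
        new = self.server.refresh(creds["refresh_token"], now)
        if new is None:
            return "revoked"
        version = self.store.put(new)
        stored, seen = self.store.get()          # read-after-write check
        if seen != version or stored["refresh_token"] != new["refresh_token"]:
            raise RuntimeError("store does not reflect rotated credentials")
        return "rotated"


def race(use_lock):
    """Two pods both see an access token inside the buffer and both try to refresh."""
    now = 1_000_000
    server = MockTokenServer("rt-initial", issued_at=now - 3600)
    store = SecretStore({"access_token": "at-initial", "refresh_token": "rt-initial",
                         "expires_at": now + 60})   # 1 min left: inside the 3-min buffer
    lock = threading.Lock()
    pods = [Pod(server, store, lock) for _ in range(2)]
    snapshots = [store.get()[0] for _ in pods]       # both read before either acts
    outcomes = [p.maybe_refresh(s, now, use_lock) for p, s in zip(pods, snapshots)]
    return {"outcomes": outcomes, "grant_revoked": server.revoked,
            "refreshes": server.refreshes}


def idle_expiry():
    """A refresh token left unused for longer than IDLE_TTL is rejected."""
    server = MockTokenServer("rt-idle", issued_at=0)
    return server.refresh("rt-idle", IDLE_TTL + 1) is None and server.revoked
```

The point the lock alone does not make is the re-read after acquiring it: a pod that queued behind a sibling must re-check the store, otherwise it holds the lock and still replays the retired token. The read-after-write check before the lock is released is what stops the next pod from reading a pre-rotation secret.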
Token storage
| Credential | Storage | Encryption |
|---|---|---|
| Access token, refresh token, client secret | AWS Secrets Manager | AES-256 via AWS KMS |
| Instance URL, expiration, username | Application database | Provider-managed at rest |
Access to these secrets is IAM-scoped, every read is logged in CloudTrail, and no employee has standing access.
Scopes and least privilege
Suger requests only the OAuth scopes needed for the features you have opted into. Inside your Salesforce org, the Integration User’s Profile and Permission Sets are the authoritative access boundary: a scope can only narrow what Suger may do, never grant something the user’s own permissions deny. See Permission Sets.
Required OAuth policy settings (admin)
The Suger External Client App ships with mandate-compliant defaults. The settings below are the ones your admin still controls. Open them at Setup → External Client App Manager → Suger → Policies tab → Edit.
| Setting | Required value | Why |
|---|---|---|
| Permitted Users | Either “Admin approved users are pre-authorized” or “All users may self-authorize” | With the pre-authorized option you must list the Integration User’s profile or permission set under Selected Profiles/Permission Sets; otherwise OAuth fails with “Not approved for access”. |
| IP Relaxation | Relax IP restrictions or allowlist Suger’s egress IPs | If you Enforce IP restrictions, add Suger’s egress IPs to Profile → Login IP Ranges and (if your org enforces it) Network Access → Trusted IP Ranges. |
| High Assurance Session Required | Off | Token refreshes run server-to-server with no interactive user session, so a requirement for an MFA-verified (high assurance) session can never be met and refreshes would fail. |
| Selected Profiles / Permission Sets | Must include the Integration User’s profile or an assigned permission set | Only enforced when Permitted Users = Admin approved. |
Tightening these settings on a live integration may invalidate the current grant; if calls start failing afterwards, reconnect via Suger Console → Integrations → Salesforce → Connect Now.
Transport security
All Suger ↔ Salesforce traffic — authorize, callback, /token, introspect, REST — uses TLS 1.2 or higher.
Revocation and deletion
- Revoke in Salesforce: invalidates all tokens; Suger’s next call is rejected.
- Delete in Suger Console: removes the AWS Secrets Manager secret; no further calls to your org.
See the Salesforce Integration Setup Guide for step-by-step removal instructions.
Summary
| Property | Value |
|---|---|
| OAuth flow | Authorization Code + PKCE (RFC 6749, RFC 7636) |
| Refresh Token Rotation | Enforced |
| Idle TTL | 30 days |
| IP allowlist | Enforced (Suger egress IPs) |
| Access token lifetime | ~2h (per your Session Policy) |
| Credential storage | AWS Secrets Manager (KMS, IAM, CloudTrail) |
| Transport | TLS 1.2+ |
| Access boundary | Profile + Permission Sets on the Integration User |
| Revocation | Immediate, from either side |