What are Named Credentials, and what are they used for?

Definition

Named Credentials in Salesforce provide a secure, centralized way to store endpoint URLs and authentication settings for external services. Instead of hardcoding endpoints and credentials in Apex, Flows, or integrations, you reference a Named Credential, which manages both the endpoint and the authentication scheme.

Key components

Named Credentials consist of:

  • Label/Name — the identifier referenced by callouts (for example, callout:My_Named_Cred).
  • URL — the external service base URL (e.g., https://api.example.com).
  • Authentication Protocol — such as OAuth 2.0, Password Authentication, AWS Signature Version 4, or “No Authentication”.
  • Identity Type — Named Principal (single identity) or Per User (individual user identity).

Why use Named Credentials?

They simplify and secure integrations with external systems. Benefits include:

  • Centralized credential and endpoint management — update in one place without changing code.
  • Improved security — credentials are stored and managed by the platform, reducing exposure in source code or metadata.
  • Simpler Apex and Flow callouts — use the callout: prefix instead of building authentication headers manually.
  • Avoid Remote Site Settings — when using Named Credentials, you typically do not need to create a Remote Site Setting for the endpoint.
  • Support for multiple auth flows — OAuth, JWT, basic username/password, and AWS signature help integrate with many service types.

Typical use cases

Named Credentials are used when Salesforce must call external APIs from:

  • Apex (HTTP callouts)
  • Flows and Process Builder (via HTTP Callout actions or External Services)
  • Platform events and integrations
  • External Services and API schema registration

Example: Apex HTTP callout using Named Credentials

With a Named Credential named My_CRM that points to https://api.example.com, you can write:


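// 'callout:My_CRM' resolves to the Named Credential's URL; the platform applies its authentication settings.
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:My_CRM/v1/accounts');
req.setMethod('GET');
Http http = new Http();
HttpResponse res = http.send(req);
// Write the response body to the debug log.
System.debug(res.getBody());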

Identity Type: Named Principal vs Per User

Named Principal uses a single shared identity for all requests — good for system-to-system integrations. Per User delegates the callout as the running user and is useful when the external system needs to enforce user-specific access.

Authentication options

Salesforce supports multiple authentication options for Named Credentials, including:

  • OAuth 2.0 (web server, JWT bearer, username-password where supported)
  • Username and password (with optional named certificate)
  • AWS Signature Version 4 (for AWS service integration)
  • No Authentication — for public endpoints

Best practices

  • Use Named Credentials to avoid storing secrets in code or custom settings.
  • Prefer OAuth or JWT flows over password-based auth for better security and token management.
  • Use Named Principal for automated system integration and Per User when auditability or user context is required.
  • Rotate credentials and monitor access via setup audit logs and connected app reports.
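One way to check a code base against the first best practice above, as an added example that is not part of the original page or of Salesforce's tooling: a heuristic Python scan of Apex source that reports setEndpoint calls with a literal URL and Authorization headers built in code, while accepting callout: endpoints. The rule names and the sample class are constructed for illustration.

```python
import re

# String literals are matched first so the "//" inside 'https://...' is not
# mistaken for a comment; Apex string literals use single quotes.
_TOKEN = re.compile(r"'(?:\\.|[^'\\\n])*'|//[^\n]*|/\*.*?\*/", re.S)

# Apex is case-insensitive, hence re.I. Rule names are this example's own.
RULES = [
    # Literal URL passed to setEndpoint instead of a callout: reference.
    ("hardcoded-endpoint", re.compile(r"\.setEndpoint\s*\(\s*'https?://", re.I)),
    # Authorization header built in code. Values using the platform's
    # {!$Credential...} merge fields are resolved by Salesforce and skipped.
    ("manual-auth-header", re.compile(
        r"\.setHeader\s*\(\s*'authorization'\s*,(?![^;]*\{!\$Credential)", re.I)),
]

def strip_comments(src):
    """Blank out comments (keeping newlines) and leave string literals intact."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith("'") else re.sub(r"[^\n]", " ", tok)
    return _TOKEN.sub(repl, src)

def scan(src):
    """Return sorted (line_number, rule_id) findings for one Apex source string."""
    code = strip_comments(src)
    return sorted(
        (code.count("\n", 0, m.start()) + 1, rule_id)
        for rule_id, pattern in RULES
        for m in pattern.finditer(code)
    )

# Constructed sample: line 3 follows the page's pattern, lines 5-6 do not,
# and line 7 is a commented-out hardcoded URL that must not be reported.
SAMPLE_APEX = """\
public class AccountSync {
    public static void run(HttpRequest a, HttpRequest b, String token) {
        a.setEndpoint('callout:My_CRM/v1/accounts');
        a.setMethod('GET');
        b.setEndpoint('https://api.example.com/v1/accounts');
        b.setHeader('Authorization', 'Bearer ' + token);
        // b.setEndpoint('https://old.example.com/v1');
    }
}
"""

if __name__ == "__main__":
    for line_no, rule_id in scan(SAMPLE_APEX):
        print(f"line {line_no}: {rule_id}")
```

Endpoints passed as variables are not resolved by this scan, so a clean result does not prove that every callout goes through a Named Credential.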

Troubleshooting tips

If authentication fails, check:

  • Connected App configuration and OAuth scopes (for OAuth flows).
  • Certificate validity (if using certificates/JWT).
  • Endpoint URL correctness and that the remote server accepts the configured auth method.
  • Salesforce debug logs for Apex callouts to view request/response details.

Summary

Named Credentials are a secure, maintainable way to manage endpoints and authentication for external callouts in Salesforce. They streamline Apex and Flow callouts, centralize credentials, and support multiple authentication flows — making integrations safer and easier to manage.