Definition
Named Credentials in Salesforce provide a secure, centralized way to store endpoint URLs and authentication settings for external services. Instead of hardcoding endpoints and credentials in Apex, Flows, or integrations, you reference a Named Credential which manages both the endpoint and the authentication scheme.
Key components
Named Credentials consist of:
- Label/Name — the identifier referenced by callouts (for example, callout:My_Named_Cred).
- URL — the external service base URL (e.g., https://api.example.com).
- Authentication Protocol — such as OAuth 2.0, Password Authentication, AWS Signature Version 4, or “No Authentication”.
- Identity Type — Named Principal (single identity) or Per User (individual user identity).
Why use Named Credentials?
They simplify and secure integrations with external systems. Benefits include:
- Centralized credential and endpoint management — update in one place without changing code.
- Improved security — credentials are stored and managed by the platform, reducing exposure in source code or metadata.
- Simpler Apex and Flow callouts — use the callout: prefix instead of building authentication headers manually.
- Avoid Remote Site Settings — when using Named Credentials, you typically do not need to create a Remote Site Setting for the endpoint.
- Support for multiple auth flows — OAuth, JWT, basic username/password, and AWS signature help integrate with many service types.
Typical use cases
Named Credentials are used when Salesforce must call external APIs from:
- Apex (HTTP callouts)
- Flows and Process Builder (via HTTP Callout actions or External Services)
- Platform events and integrations
- External Services and API schema registration
Example: Apex HTTP callout using Named Credentials
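With a Named Credential named My_CRM that points to https://api.example.com, you can do:
// 'callout:My_CRM' resolves to the Named Credential's URL (https://api.example.com);
// the platform applies the configured authentication, so no auth header is built here.
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:My_CRM/v1/accounts');
req.setMethod('GET');
Http http = new Http();
HTTPResponse res = http.send(req);
// Writes the response body to the debug log.
System.debug(res.getBody());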
Identity Type: Named Principal vs Per User
Named Principal uses a single shared identity for all requests — good for system-to-system integrations. Per User delegates the callout as the running user and is useful when the external system needs to enforce user-specific access.
Authentication options
Salesforce supports multiple authentication options for Named Credentials, including:
- OAuth 2.0 (web server, JWT bearer, username-password where supported)
- Username and password (with optional named certificate)
- AWS Signature Version 4 (for AWS service integration)
- No Authentication — for public endpoints
Best practices
- Use Named Credentials to avoid storing secrets in code or custom settings.
- Prefer OAuth or JWT flows over password-based auth for better security and token management.
- Use Named Principal for automated system integration and Per User when auditability or user context is required.
- Rotate credentials and monitor access via setup audit logs and connected app reports.
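One way to check an Apex code base against the first practice above, as an added example that is not part of the original page: a Python scan that flags setEndpoint calls with a literal URL and hand-built Authorization headers, and lists the Named Credentials that are referenced. The patterns, function names and sample Apex are constructed for illustration; the scan is a line-based heuristic and does not handle /* */ block comments.

```python
import re

# Heuristic patterns (assumptions of this example, not a Salesforce tool).
HARDCODED_ENDPOINT = re.compile(r"\.setEndpoint\(\s*'(https?://[^']*)'", re.I)
MANUAL_AUTH_HEADER = re.compile(r"\.setHeader\(\s*'Authorization'\s*,", re.I)
NAMED_CREDENTIAL = re.compile(r"\.setEndpoint\(\s*'callout:(\w+)", re.I)


def strip_line_comment(line):
    """Drop a trailing // comment, ignoring // inside single-quoted strings."""
    in_string, i = False, 0
    while i < len(line):
        if in_string and line[i] == "\\":   # escaped character inside a string
            i += 2
            continue
        if line[i] == "'":
            in_string = not in_string
        elif not in_string and line.startswith("//", i):
            return line[:i]
        i += 1
    return line


def audit_apex(source):
    """Return (findings, named_credentials) for one Apex source string."""
    findings, named = [], set()
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = strip_line_comment(raw)
        m = HARDCODED_ENDPOINT.search(line)
        if m:
            findings.append((lineno, "hardcoded-endpoint", m.group(1)))
        if MANUAL_AUTH_HEADER.search(line):
            findings.append((lineno, "manual-auth-header", None))
        named.update(NAMED_CREDENTIAL.findall(line))
    return findings, sorted(named)


# Constructed sample: one compliant callout, one that bypasses Named Credentials.
SAMPLE_APEX = """\
HttpRequest a = new HttpRequest();
a.setEndpoint('callout:My_CRM/v1/accounts');
HttpRequest b = new HttpRequest();
b.setEndpoint('https://api.example.com/v1/accounts');
b.setHeader('Authorization', 'Bearer ' + token);
// b.setEndpoint('https://old.example.com/'); retired
"""

if __name__ == "__main__":
    for finding in audit_apex(SAMPLE_APEX)[0]:
        print(finding)
```

Findings are candidates for review, not confirmed defects: an endpoint built from a variable or custom setting is not matched and needs a separate check.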
Troubleshooting tips
If authentication fails, check:
- Connected App configuration and OAuth scopes (for OAuth flows).
- Certificate validity (if using certificates/JWT).
- Endpoint URL correctness and that the remote server accepts the configured auth method.
- Salesforce debug logs for Apex callouts to view request/response details.
Summary
Named Credentials are a secure, maintainable way to manage endpoints and authentication for external callouts in Salesforce. They streamline Apex and Flow callouts, centralize credentials, and support multiple authentication flows — making integrations safer and easier to manage.