named-credentials-setup
Named Credentials and External Credentials configuration for secure outbound callouts: per-user vs per-org authentication, legacy vs enhanced Named Credentials, external credential principal types (Named Principal, Per User, Anonymous), OAuth 2.0 and JWT flows, and credential deployment. NOT for callout code patterns, Apex HTTP implementation, or OAuth server-side flow debugging.
Best use case
named-credentials-setup is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Named Credentials and External Credentials configuration for secure outbound callouts: per-user vs per-org authentication, legacy vs enhanced Named Credentials, external credential principal types (Named Principal, Per User, Anonymous), OAuth 2.0 and JWT flows, and credential deployment. NOT for callout code patterns, Apex HTTP implementation, or OAuth server-side flow debugging.
Teams using named-credentials-setup should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/named-credentials-setup/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How named-credentials-setup Compares
| Feature / Agent | named-credentials-setup | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Named Credentials and External Credentials configuration for secure outbound callouts: per-user vs per-org authentication, legacy vs enhanced Named Credentials, external credential principal types (Named Principal, Per User, Anonymous), OAuth 2.0 and JWT flows, and credential deployment. NOT for callout code patterns, Apex HTTP implementation, or OAuth server-side flow debugging.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Named Credentials Setup
This skill activates when a practitioner needs to configure Named Credentials or External Credentials for secure Salesforce outbound callouts — covering the full setup lifecycle from choosing principal type through deployment. It does not cover the Apex callout code that uses the credential once it exists.
---
## Before Starting
Gather this context before working on anything in this domain:
- **Enhanced vs Legacy:** Determine which model the org is using. Winter '23 introduced Enhanced Named Credentials (split into Named Credential + External Credential). Legacy Named Credentials are still supported but deprecated in favor of the enhanced model. New orgs default to enhanced.
- **Auth type:** Confirm whether the external service requires OAuth 2.0 (Authorization Code or Client Credentials), basic auth (username + password), JWT, AWS Signature V4, or a custom header formula. This determines the External Credential protocol.
- **Scope:** Confirm whether all users share one set of credentials (Named Principal) or each user authenticates individually (Per User). Per-user requires each user to complete an OAuth flow and adds user education overhead.
- **Deployment:** Named Credential and External Credential metadata structures (endpoint URL, protocol, principal type) are deployable via Metadata API. The actual credentials (passwords, tokens, secrets) are stored in Salesforce's encrypted vault and are NOT exported or deployed — they must be re-entered in each org.
- **Limits:** Legacy Named Credentials: 200 per org. Enhanced Named Credentials and External Credentials have separate limits; check current release notes for exact counts. Per-org limit enforcement is real and should be factored into multi-integration architectures.
---
## Core Concepts
### Enhanced Named Credentials: Endpoint + Auth Are Separated
Since Winter '23, Salesforce splits the configuration into two records:
- **Named Credential** — holds the endpoint URL and a reference to an External Credential. This is what Apex references with `callout:NamedCredentialName`.
- **External Credential** — holds the authentication configuration: protocol, principal type, OAuth settings, custom headers, or JWT configuration.
One External Credential can back multiple Named Credentials pointing to different paths on the same service. This is a significant architecture win over legacy credentials where each endpoint-auth pair was one record.
**Legacy Named Credentials** combined URL + auth in a single record. They still work in existing orgs but Salesforce strongly recommends migrating to enhanced. In Apex, both models use the same `callout:Name` syntax.
### External Credential Principal Types
The principal type controls which identity is used for the callout:
| Principal Type | Who authenticates | Credential storage |
|---|---|---|
| **Named Principal** | The org (all users share one credential) | One secret stored org-wide |
| **Per User** | Each Salesforce user authenticates individually | One credential per user, stored against their user record |
| **Anonymous** | No authentication sent | No credentials required |
**Named Principal** is the right default for server-to-server integrations (e.g., background jobs calling an external API with a service account). **Per User** is correct when the external service enforces user-level access control and needs to act on behalf of the individual (e.g., a user accessing their own Google Drive data).
**Permission Sets control access to principals.** Assign a Permission Set to an External Credential principal to restrict which users can make callouts through it. Without a permission set assignment, users cannot execute callouts even if the credential is correctly configured.
### OAuth 2.0 Flows in External Credentials
Salesforce supports several OAuth 2.0 grant types:
- **Authorization Code** — used for Per User principals where Salesforce redirects the user to the external identity provider. The callback URL must be `https://{yourDomain}/services/authcallback/{ExternalCredentialDeveloperName}`. Users complete the flow under User Settings > Authentication Settings for External Systems.
- **Client Credentials** — used for Named Principal (org-wide) where Salesforce exchanges a client ID + secret for a bearer token. No user interaction required.
- **JWT Bearer** — Salesforce signs a JWT using a stored certificate (configured under Certificate and Key Management) and presents it to the token endpoint. No user secret needed if the external IdP trusts the certificate.
Token refresh is handled automatically by Salesforce once the initial token is obtained.
### Credential Vault and Deployment Boundaries
Salesforce stores all credential secrets (passwords, client secrets, access tokens) in an encrypted vault. This has two important consequences:
1. **Secrets are not readable via SOQL, REST API, or Apex.** You can write to the vault (by entering the credential in Setup) but you cannot read back the stored value. This is by design.
2. **Metadata API deployment does NOT carry secrets.** Deploying Named Credential metadata to a sandbox or production moves the structural configuration only. An admin must re-enter actual credential values post-deployment. Document this in runbooks.
---
## Common Patterns
### Mode 1: Create a New Named Credential (Enhanced Model)
**When to use:** Any new integration in an org on Winter '23+ (or any org being migrated from legacy).
**How it works:**
1. **Setup > Named Credentials > External Credentials > New**
- Developer Name: use kebab-case or snake_case consistently (e.g., `MyServiceExtCred`)
- Label: human-readable name for Setup UI
- Protocol: select the auth type (OAuth 2.0, Password, JWT, AWS Signature V4, Custom)
- If OAuth 2.0: enter Authorization Endpoint URL, Token Endpoint URL, Client ID, Client Secret, Scope, and select the grant type
- Add a Principal: set principal type (Named Principal / Per User / Anonymous), give it a name
2. **Assign Permission Sets to the Principal**
- Under the principal, add the Permission Sets whose users should be allowed to call out
- Without this, callouts fail silently with an authentication error
3. **Setup > Named Credentials > Named Credentials > New**
- URL: the base URL of the external service (e.g., `https://api.example.com/v1`)
- External Credential: select the External Credential created above
- Allow Formulas in HTTP Header / Body: enable only if the credential uses formula-based merge fields
4. **In Apex:** `req.setEndpoint('callout:MyNamedCredential/resource');`
5. **Validate:** Make a test callout from Apex (Developer Console or test class) and confirm HTTP 200 response. Check Setup > Named Credentials for the OAuth token status if using OAuth flows.
**Why not hard-coded URLs with stored credentials:** Hard-coded endpoints bypass Salesforce's allowed callout endpoint enforcement, expose credentials in Apex or Custom Settings readable by any user with SOQL access, and require code deployments to rotate credentials.
---
### Mode 2: Audit or Review Existing Named Credentials
**When to use:** Pre-release review, security audit, or assessing org credential hygiene.
**How it works:**
1. Run the bundled checker: `python3 scripts/check_named_credentials.py --manifest-dir path/to/metadata`
2. In Setup, navigate to Named Credentials and note which are legacy (no linked External Credential) vs enhanced.
3. For each Enhanced credential, verify:
- Principal type matches the integration pattern (Named Principal for service-to-service, Per User for user-delegated)
- Permission Sets are assigned to each principal (empty principal = credential accessible to nobody or everybody depending on version)
- OAuth callback URL is registered in the external IdP's allowed redirect URIs
- Custom header formulas do not embed literal secrets (use merge field syntax instead)
4. For legacy credentials: assess migration priority. Legacy credentials cannot use Per User principals or formula-based custom headers.
---
### Mode 3: Troubleshoot Authentication Failures
**When to use:** Callouts returning 401 Unauthorized or generic "System.CalloutException: Unauthorized".
**How it works:**
1. **Check Permission Set assignment:** The most common cause of 401 errors is a missing Permission Set on the External Credential principal. Navigate to External Credentials > [record] > Principals and confirm the calling user's Profile or Permission Set is listed.
2. **Per-user flow not completed:** If using Per User principal, the individual user must have authorized the external system via User Settings > Authentication Settings for External Systems. If the authorization is missing, Salesforce cannot attach a token to the callout.
3. **OAuth token expired and not refreshing:** Check if the external IdP requires offline_access scope (or equivalent) for refresh tokens. Without a refresh token, Salesforce cannot renew silently and users must re-authorize.
4. **Callback URL mismatch:** For Authorization Code flow, confirm the callback URL in the external IdP matches exactly: `https://{yourMyDomain}.my.salesforce.com/services/authcallback/{ExternalCredentialDeveloperName}`. Case sensitivity and trailing slashes can cause failures.
5. **JWT certificate not trusted:** If using JWT Bearer, confirm the certificate in Salesforce's Certificate and Key Management matches the public key registered with the external IdP.
6. **Named Credential URL path double-slash:** Appending a path to the Named Credential endpoint in Apex can produce `//` if the base URL ends with `/` and the path starts with `/`. Always strip the trailing slash from the Named Credential URL.
---
## Decision Guidance
| Situation | Recommended Approach | Reason |
|---|---|---|
| Server-to-server background integration (batch, platform events) | Named Principal + Client Credentials OAuth or Password | No user in context; org-wide credential is correct |
| User-delegated external service (user's own account on external system) | Per User + Authorization Code OAuth | Service acts on behalf of the individual user |
| Public API with no authentication required | Anonymous principal | No credential management overhead |
| Service-to-service with mTLS or signed JWT | Named Principal + JWT Bearer | Certificate-based auth with no shared secret |
| Multiple endpoints on same service with same auth | One External Credential, multiple Named Credentials | External Credential is reusable across Named Credentials |
| Legacy Named Credential migration | Create parallel Enhanced NC, test, deprecate legacy | Enhanced model required for Per User and formula headers |
| Credential rotation in production | Update credential value in Setup UI; no deployment needed | Vault is separate from metadata; no code change required |
---
## Recommended Workflow
Step-by-step instructions for an AI agent or practitioner activating this skill:
1. Gather context — confirm the org edition, relevant objects, and current configuration state
2. Review official sources — check the references in this skill's well-architected.md before making changes
3. Implement or advise — apply the patterns from Core Concepts and Common Patterns sections above
4. Validate — run the skill's checker script and verify against the Review Checklist below
5. Document — record any deviations from standard patterns and update the template if needed
---
## Review Checklist
Run through these before marking a Named Credential setup complete:
- [ ] External Credential record has a principal with the correct type (Named Principal / Per User / Anonymous)
- [ ] Permission Set(s) are assigned to the External Credential principal
- [ ] For OAuth 2.0 Authorization Code: callback URL registered in external IdP's allowed redirect list
- [ ] For OAuth 2.0 Client Credentials or JWT: token endpoint tested and credential values entered
- [ ] Named Credential URL does not end with a trailing slash
- [ ] Allow Formulas in HTTP Header/Body is only enabled when formula-based merge fields are actively used
- [ ] For Per User: affected users notified to complete authorization under User Settings
- [ ] Deployment runbook documents that credential secrets must be re-entered post-deployment
- [ ] Test callout executed and HTTP 200 confirmed
- [ ] Legacy Named Credentials in scope of this project flagged for migration backlog
---
## Salesforce-Specific Gotchas
Non-obvious platform behaviors that cause real production problems:
1. **Permission Set assignment is mandatory, not optional** — Even if an External Credential principal is correctly configured, no user can make callouts through it until at least one Permission Set is explicitly assigned to that principal. The error thrown is a generic auth failure that does not mention Permission Sets. This is the single most common cause of "it was set up correctly but still fails" support tickets.
2. **Deployment does not carry credential secrets** — Metadata API moves the Named Credential and External Credential structure (URL, protocol, principal type, scope) but not the vault-stored values (passwords, client secrets, access tokens). Post-deployment steps in a runbook must instruct an admin to re-enter these values. Forgetting this causes integrations to silently fail in target orgs.
3. **Legacy Named Credential formula merge fields use a different namespace** — Legacy credentials use `{!$Credential.NamedCredentialName.UserName}` syntax. Enhanced External Credentials use `{!$Credential.ExternalCredentialName.FieldName}`. Mixing the two syntaxes when migrating is a source of callout formula failures that are hard to diagnose because the merge field silently resolves to empty rather than throwing an error.
---
## Output Artifacts
| Artifact | Description |
|---|---|
| External Credential record | Auth configuration: protocol, principal type, OAuth/JWT settings, permission set assignments |
| Named Credential record | Endpoint URL + reference to External Credential; the identifier used in Apex callout strings |
| Permission Set assignment | Links user population to External Credential principal, controlling callout access |
| Deployment runbook note | Documents that credential secrets must be re-entered manually post-deployment |
| Checker report | Output of `scripts/check_named_credentials.py` listing structural issues in metadata |
---
## Related Skills
- `callouts-and-http-integrations` (apex) — Apex code patterns for making HTTP callouts using Named Credentials, including error handling and retry logic
- `connected-apps-and-auth` (admin) — OAuth Connected App setup on the Salesforce side; often a prerequisite when Salesforce itself is the OAuth server
- `apex-managed-sharing` (apex) — Not directly related but referenced when integration user permission design intersects with record sharing rulesRelated Skills
shield-kms-byok-setup
Configure Shield Platform Encryption with customer-supplied (BYOK) or customer-held (Cache-Only Key Service) tenant secrets, rotate them, and recover. NOT for Classic Encryption or field masking.
slack-salesforce-integration-setup
Use this skill when setting up or troubleshooting the Salesforce for Slack managed app — including connecting a Salesforce org to a Slack workspace, configuring the three-party admin handshake, linking Slack channels to Salesforce records, enabling record preview sharing, and managing org-level limits. Triggers on: Salesforce for Slack app not connecting, Slack org connection setup, Salesforce record sharing in Slack, Slack workspace admin approval, connecting Salesforce to Slack. NOT for building custom Slack apps or Slack bots (separate development platform), not for Slack Workflow Builder Salesforce connector (use slack-workflow-builder skill), not for Flow-based Slack messaging (use flow-for-slack skill).
salesforce-maps-setup
Use when configuring Salesforce Maps (formerly MapAnything) — territory planning, route optimization, live tracking, geo-grid visualizations, and check-in/check-out workflows for Sales or Service field reps not on Field Service. Covers package installation order (Maps + Maps Advanced + Maps Routing/Live Tracking add-ons), the MapsTerritoryPlan / MapsAdvancedRoute / MapsLayer object family, base-data syncs (Geocoding and Routing services), and integration with Sales and Service Cloud records. Triggers: 'Salesforce Maps setup', 'MapAnything migration', 'territory planning by polygon', 'route optimization for sales reps', 'live tracking field reps', 'plot accounts on a map', 'check-in to the closest account'. NOT for Field Service Lightning territory and scheduling (use admin/fsl-scheduling-optimization-design and data/fsl-territory-data-setup) — Maps and FSL are different products. NOT for Consumer Goods Cloud retail visit planning (use admin/consumer-goods-cloud-setup) — RoutePlan/Visit objects are CG-specific. NOT for Tableau / CRM Analytics geo charts.
private-connect-setup
Configure Private Connect between Salesforce and AWS/Azure for traffic to stay on private networks. NOT for standard internet callouts.
net-zero-cloud-setup
Use this skill when configuring Salesforce Net Zero Cloud — including Scope 1/2/3 emission source modeling via the StnryAssetCrbnFtprnt / VehicleAssetCrbnFtprnt / Scope3CrbnFtprnt object families, emission factor library setup (EmssnFctr / EmssnFctrSet), DPE-driven carbon calculation jobs, supplier engagement scoring, and CSRD / ESRS / TCFD disclosure pack mapping. Triggers on: Net Zero Cloud setup, Sustainability Cloud carbon accounting, Scope 1 2 3 emissions Salesforce, emission factor library, supplier engagement Net Zero, ESG disclosure pack mapping. NOT for ESG content scoring (use Marketing Cloud), NOT for general financial reporting (use Accounting Subledger), NOT for energy-only utility billing (use Energy & Utilities Cloud).
manufacturing-cloud-setup
Use this skill when configuring Salesforce Manufacturing Cloud — including Sales Agreement setup, Account-Based Forecasting (ABF) recalc jobs, run-rate management, Rebate Management programs, channel inventory tracking via Channel Revenue Management, and Group Membership / OrderItem-to-SalesAgreement reconciliation. Triggers on: Manufacturing Cloud setup, Sales Agreement Salesforce, account-based forecast recalculation, run rate manufacturing, rebate program setup, channel revenue management. NOT for general Sales Cloud opportunity-to-order flow (use standard Opportunity / Order), NOT for Field Service install-base management (use FSL skills), NOT for Automotive Cloud dealer modeling (use automotive-cloud-setup).
loyalty-management-setup
Use this skill when setting up or extending Salesforce Loyalty Management — including program and currency creation, tier group design, qualifying vs. non-qualifying point currency separation, DPE batch job activation, partner loyalty configuration, and member portal setup on Experience Cloud. Triggers on: Loyalty Management setup, loyalty tier setup Salesforce, qualifying points vs redemption points, DPE batch job for loyalty, partner loyalty program Salesforce, loyalty member portal. NOT for Marketing Cloud engagement program design (separate product), not for B2B loyalty via Sales Cloud (standard opportunity, not loyalty program), not for general Experience Cloud site setup (use experience-cloud-setup skill).
automotive-cloud-setup
Use this skill when setting up or extending Salesforce Automotive Cloud — including the Vehicle / VehicleDefinition data model, dealer-OEM relationship modeling via AccountAccountRelation, ActionableEvent orchestration for service campaigns and recalls, FinancialAccount lifecycle for retail-credit deals, and DriverQualification / WarrantyTerm extensions. Triggers on: Automotive Cloud setup, Salesforce Automotive Cloud data model, Vehicle vs VehicleDefinition, dealer hierarchy AccountAccountRelation, Automotive Cloud actionable events, recall campaign Salesforce. NOT for general Sales Cloud opportunity work on a vehicle product (use standard Opportunity), NOT for Manufacturing Cloud sales agreements (use manufacturing-cloud-setup), NOT for Field Service vehicle inventory (use FSL skills).
fsl-territory-data-setup
Use this skill when bulk loading Service Territory data: boundary polygons, ServiceTerritoryMember assignments, OperatingHours, TimeSlots, and territory hierarchy setup. Trigger keywords: service territory bulk load, KML polygon import FSL, ServiceTerritoryMember migration, OperatingHours data setup, PolygonUtils Apex. NOT for Enterprise Territory Management (ETM/Account Territories), admin-level territory configuration UI, or scheduling policy setup.
mixed-dml-and-setup-objects
Use when encountering or preventing MIXED_DML_OPERATION errors caused by DML on setup objects (User, UserRole, PermissionSet, Group, GroupMember) in the same transaction as non-setup objects. Triggers: 'MIXED_DML_OPERATION', 'setup object DML error', 'cannot insert User and Account together', 'System.runAs mixed DML', '@future setup object workaround'. NOT for general async Apex patterns — see async-apex. NOT for test data factory structure — see test-data-factory-patterns.
apex-test-setup-patterns
@TestSetup method semantics: one-time creation per test class, isolation behavior, @TestVisible, System.runAs, Test.startTest/stopTest governor reset, mixed-DML boundaries. NOT for building a test data factory (use test-data-factory-patterns). NOT for mocking callouts (use apex-http-callout-mocking).
apex-named-credentials-patterns
Use when writing Apex that calls out to external endpoints via Named Credentials, working with custom header formula tokens ({!$Credential.OAuthToken}), querying per-user auth state through the UserExternalCredential SObject, or diagnosing why Named Credential callouts fail. Trigger keywords: 'callout: prefix', 'named credential header formula', 'UserExternalCredential', 'External Credential per-user principal', 'Named Credential oauth token apex'. NOT for Named Credential setup in the Salesforce Setup UI — use integration/named-credentials-setup. NOT for general HTTP callout mechanics (HttpRequest, HttpResponse, mock patterns) — use integration/callouts-and-http-integrations.