outbound-webhook-from-salesforce
Use when Salesforce must POST a webhook to a third-party endpoint after a record change — with signed payloads, retries, dead-lettering, rate limits, and idempotency. Covers design choice between Outbound Message, Flow HTTP Callout, Apex Queueable callout, and Event Relay. Does NOT cover inbound webhooks into Salesforce (see inbound-webhook or apex-rest-webhook).
Best use case
outbound-webhook-from-salesforce is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using outbound-webhook-from-salesforce should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/outbound-webhook-from-salesforce/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How outbound-webhook-from-salesforce Compares
| Feature / Agent | outbound-webhook-from-salesforce | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Outbound Webhook From Salesforce
## Purpose
Salesforce has four viable ways to POST to an external endpoint on a
record change: legacy Outbound Messages, Flow HTTP Callout (the
`http_callouts` action), Apex Queueable with callout, and Event Relay via
AWS EventBridge plus a downstream dispatcher. Teams routinely pick the
wrong one — Outbound Messages for systems that care about auth modernity,
Flow HTTP Callout for volume it cannot handle, Apex when a lower-code
option exists. This skill gives a deterministic choice and a reference
pattern per option, including signing, retries, and dead-lettering.
## Recommended Workflow
1. **Identify trigger.** Record change, Platform Event, schedule, or
manual admin action.
2. **Classify volume and SLA.** Events/minute; acceptable max latency;
max data loss tolerance.
3. **Pick the mechanism.** Decision table below.
4. **Design the payload.** Versioned schema (`v1`), include a
correlation id, include minimal data (reference ids, not full records
unless necessary).
5. **Add signing.** An HMAC-SHA256 signature header is the industry
baseline. Define a key rotation policy.
6. **Add retry + dead-letter.** Exponential backoff; cap attempts;
persist failures to a custom object for replay.
7. **Monitor.** Dashboard on success rate, latency, and DLQ depth.
## Mechanism Selection
| Mechanism | Good At | Avoid When |
|---|---|---|
| Outbound Message | Legacy bespoke receivers | You need OAuth, HMAC, or structured retry logic |
| Flow HTTP Callout | Low-volume, admin-owned integrations | High volume or complex payload shaping |
| Apex Queueable callout | Full control: retry, sign, shape | You want zero-code ownership |
| Event Relay (→ EventBridge → dispatcher) | AWS-backed fleets, fan-out | Single endpoint, low volume |
## Payload Shape
```
POST /webhook
Headers:
  Content-Type: application/json
  X-Signature: sha256=<hex hmac>
  X-Timestamp: <unix>
  X-Event-Id: <uuid>          // idempotency key
  X-Event-Type: OrderClosed.v1
Body:
{
  "schemaVersion": "v1",
  "occurredAt": "2026-04-23T12:00:00Z",
  "resource": { "type": "Order", "id": "8015..." },
  "change": { "from": "...", "to": "..." }
}
```
## Signing
- HMAC-SHA256 over `timestamp + "." + body` with a shared secret.
- The consumer must verify the signature AND the timestamp freshness (a
5-minute window limits how long a captured request can be replayed).
- Store the secret in a Named Credential External Credential (encrypted);
never in a custom setting or in code.
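The consumer-side checks above, as an added example (not part of the original SKILL.md): a receiver that verifies `X-Signature` over `timestamp + "." + body`, enforces the 5-minute window, and de-duplicates on `X-Event-Id`. The function names, the in-memory `seen_ids` set and the sample secret, body and event id are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # 5-minute freshness window from the Signing section

def sign(secret, timestamp, body):
    """Sender side: X-Signature value, HMAC-SHA256 over timestamp + "." + body."""
    mac = hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()

def verify(secret, headers, body, seen_ids, now=None):
    """Receiver side: return "ok" or the reason the delivery is rejected."""
    now = time.time() if now is None else now
    timestamp = headers.get("X-Timestamp", "")
    signature = headers.get("X-Signature", "")
    event_id = headers.get("X-Event-Id", "")
    if not (timestamp.isascii() and timestamp.isdigit() and signature and event_id):
        return "malformed"
    # MAC first, over the raw bytes as received (never re-serialised JSON),
    # so the timestamp is only trusted once it is authenticated.
    expected = sign(secret, timestamp, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "bad-signature"
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return "stale"
    # X-Event-Id is not part of the signed string in this scheme, so the
    # duplicate check complements the freshness window; it does not replace it.
    if event_id in seen_ids:
        return "duplicate"
    seen_ids.add(event_id)
    return "ok"

# Constructed sample delivery (secret, id and body are made up for the example).
SECRET = b"constructed-shared-secret"
BODY = b'{"schemaVersion":"v1","resource":{"type":"Order","id":"ORDER-ID-PLACEHOLDER"}}'
NOW = 1776945600  # 2026-04-23T12:00:00Z, the occurredAt value in Payload Shape

def sample_headers(timestamp=NOW):
    ts = str(timestamp)
    return {"X-Timestamp": ts, "X-Signature": sign(SECRET, ts, BODY),
            "X-Event-Id": "constructed-event-0001"}

if __name__ == "__main__":
    seen = set()
    print(verify(SECRET, sample_headers(), BODY, seen, now=NOW))             # first delivery
    print(verify(SECRET, sample_headers(), BODY, seen, now=NOW))             # retried delivery
    print(verify(SECRET, sample_headers(), BODY + b" ", set(), now=NOW))     # body altered
    print(verify(SECRET, sample_headers(NOW - 3600), BODY, set(), now=NOW))  # old capture
```

In production the `seen_ids` set would be a durable store with entries kept at least as long as the sender's retry schedule.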
## Retry
- Retry on 5xx, 408, 429 (respect Retry-After).
- Do not retry 4xx (other than 408/429). Treat as permanent.
- Backoff: 30s, 2m, 10m, 1h, 6h, then dead-letter.
- Track attempt count on a custom object.
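The retry rules above as a runnable reference model, added here as an example and not taken from the original SKILL.md; it is written in Python so the policy can be exercised, whereas the Salesforce-side implementation would live in Apex. Assumptions: the function names, treating a timeout or connection error (`status=None`) as retryable, treating 3xx as permanent, waiting the longer of the schedule and `Retry-After`, and returning the `WebhookDelivery__c` status names.

```python
from email.utils import parsedate_to_datetime

BACKOFF_SECONDS = [30, 120, 600, 3600, 21600]  # 30s, 2m, 10m, 1h, 6h

def retry_after_seconds(value, now):
    """Parse Retry-After (delta-seconds or HTTP-date); None if absent or invalid."""
    if not value:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():
        return int(value)
    try:
        return max(0, int(parsedate_to_datetime(value).timestamp() - now))
    except (TypeError, ValueError):
        return None

def next_action(status, failed_attempts, retry_after=None, now=0):
    """Decide the delivery's next state after an attempt.

    status: HTTP status code, or None for a timeout / connection error.
    failed_attempts: attempts that have failed so far, including this one.
    Returns (state, delay_seconds) with state in "Sent", "Pending", "Failed".
    """
    if status is not None and 200 <= status < 300:
        return ("Sent", 0)
    retryable = status is None or status >= 500 or status in (408, 429)
    if not retryable:
        return ("Failed", 0)               # other 4xx (and 3xx): permanent
    if failed_attempts > len(BACKOFF_SECONDS):
        return ("Failed", 0)               # schedule exhausted: dead-letter
    delay = BACKOFF_SECONDS[max(failed_attempts, 1) - 1]
    hinted = retry_after_seconds(retry_after, now)
    if hinted is not None:
        delay = max(delay, hinted)         # never retry sooner than the receiver asked
    return ("Pending", delay)

if __name__ == "__main__":
    for attempt in range(1, 7):
        print(attempt, next_action(503, attempt))
    print(next_action(429, 1, retry_after="120"))
    print(next_action(400, 1))
```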
## Dead-Letter + Replay
- Custom object `WebhookDelivery__c`: status (Pending/Sent/Failed),
attempt count, last error, payload blob.
- Scheduled Apex sweeps Pending past backoff, re-enqueues.
- Admin UI to replay a specific failed delivery.
## Observability
- Log every attempt with duration and status.
- Platform Event or log on DLQ arrival; page oncall on rising DLQ.
- Correlation id threaded from triggering record → delivery → receiver.
## Anti-Patterns (see references/llm-anti-patterns.md)
- Outbound Message + bespoke SOAP receiver in 2026.
- Flow HTTP Callout without a retry / DLQ plan.
- Apex callout directly inside an after-save trigger (violates
mixed-DML/callout ordering).
- Full-record payloads (PII exposure).
## Official Sources Used
- Flow HTTP Callout Action — https://help.salesforce.com/s/articleView?id=sf.flow_ref_elements_action_http_callout.htm
- Apex Callouts — https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_callouts_http.htm
- Named Credentials + External Credential — https://help.salesforce.com/s/articleView?id=sf.named_credentials_about.htm
- Outbound Messages (legacy) — https://help.salesforce.com/s/articleView?id=sf.workflow_managing_outbound_messages.htm
- integration-pattern-selection — `standards/decision-trees/integration-pattern-selection.md`