service-account-credential-rotation

Use when designing credential rotation for integration users, connected apps, named credentials, and OAuth client secrets in Salesforce. Covers rotation cadence, zero-downtime handover, secret storage, and detection of stale credentials. Triggers: 'rotate integration user password', 'connected app secret rotation', 'named credential rotation', 'stale service account', 'zero downtime secret rotation'. NOT for end-user password policies.

Best use case

service-account-credential-rotation is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using service-account-credential-rotation should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/service-account-credential-rotation/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/security/service-account-credential-rotation/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/service-account-credential-rotation/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill


Frequently Asked Questions

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Service Account Credential Rotation

Service account credentials are the forgotten middle layer of Salesforce security. Employees rotate passwords under MFA policy, connected apps rotate on explicit action, but "the integration user" often gets a password on day one of an integration and keeps it until a compliance audit forces a change years later. Similarly, connected app client secrets, JWT signing certs, and named credential OAuth tokens all have their own rotation story that no single team owns.

A workable rotation program has four parts: an inventory, a cadence, a zero-downtime pattern per credential type, and a stale-credential detector. Without the inventory, the other three are guesses.

Salesforce offers primitives for each credential type: integration user passwords (standard user policy), connected app client secrets (rotate via setup), JWT (replace cert), named credentials (refresh via setup or via a schedule). The patterns differ because the failure mode of a mid-rotation failure differs.

---

## Before Starting

- Inventory service accounts, connected apps, JWT certs, and named credentials.
- Identify consumer integrations for each — who breaks if this credential is rotated incorrectly?
- Confirm secret storage (vault, secret manager, SIEM) for each consumer.
- Confirm downtime tolerance per integration.

## Core Concepts

### Credential Types And Their Rotation Mechanics

| Credential | Rotation Mechanic | Zero-Downtime? |
|---|---|---|
| Integration user password | Setup > User > Reset | No — simultaneous cutover |
| Connected App client secret | Setup > Connected Apps > rotate | Yes — previous+current grace window supported |
| JWT signing certificate | Replace cert on connected app | Yes — dual-cert grace window |
| Named credential OAuth token | Re-auth flow or manual refresh | Yes — token refresh handles it |
| API user session ID | Re-login | Yes — sessions auto-refresh |

### Zero-Downtime Patterns

1. **Dual-credential grace window** — both old and new valid during a window; consumers roll forward.
2. **Atomic cutover with coordination** — used when grace windows are unavailable; requires a downtime slot.
3. **Auto-refresh** — OAuth handles token rotation automatically; only the refresh-token-grant path needs care.

### Rotation Cadence

Industry baselines:
- Integration user passwords: 90 days (aggressive), 180 days (typical).
- Connected app client secrets: 180 days.
- JWT signing certs: annual, with 90-day advance notice.
- Named credential tokens: automatic via OAuth refresh.

Cadence is policy; enforcement is code.

### Stale-Credential Detection

Build a detector that lists:
- User records with `LastPasswordChangeDate` > policy threshold.
- Connected apps with secret age > threshold.
- Certs approaching expiry.
- Named credentials that have not issued a callout in > 30 days (possibly unused).

---

## Common Patterns

### Pattern 1: Dual-Credential Grace Window

New credential issued; consumers switch over during a configured window; old credential revoked at window close. The only safe pattern for integration user passwords if the consumer system supports it (most do not — most need a coordinated cutover).

### Pattern 2: JWT Bearer With Dual Cert

Connected app supports two signing certs. Add the new cert, consumers switch signing key, old cert removed. Zero downtime.

### Pattern 3: Scheduled Rotation Job

An Apex Scheduled Job identifies credentials aging past policy and opens a rotation ticket (via a Case, a Flow, or an external ticketing webhook). Enforces cadence without relying on manual calendaring.

### Pattern 4: Named Credential With Per-User OAuth

With per-user OAuth, named credential token refresh is handled by the platform when a callout gets a 401 response. The rotation "job" is scheduled user re-authentication.

### Pattern 5: Secret-Vault-First Storage

Consumer systems never store Salesforce credentials; they retrieve from a vault (HashiCorp, AWS Secrets Manager) on startup. Rotation updates the vault; consumers pick up on next read or reload.
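The grace-window handover from Pattern 1 combined with the vault-first consumer from Pattern 5, as an added Python simulation that is not part of the skill and uses no Salesforce API: `CredentialAuthority` stands in for whatever validates the secret (a connected app or an integration-user login), `Vault` stands in for HashiCorp Vault or AWS Secrets Manager, and the two consumers show why the window alone is not enough. Both keep working while old and new secrets overlap; only the consumer that re-reads the vault on a 401 survives the window closing. All names and the timeline are constructed for the example.

```python
"""Dual-credential grace window with vault-first consumers (added simulation).

Stand-ins, not Salesforce APIs: CredentialAuthority plays the role of the
connected app or login endpoint that checks the secret, Vault plays HashiCorp
Vault / AWS Secrets Manager, and Consumer is an integration that authenticates
with a cached secret.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import secrets


@dataclass
class CredentialAuthority:
    """Accepts `current` always, and `previous` only until `grace_until`."""
    current: str
    previous: Optional[str] = None
    grace_until: Optional[datetime] = None
    audit: list = field(default_factory=list)

    def rotate(self, now: datetime, grace: timedelta) -> str:
        """Issue a new secret and keep the old one valid for `grace` (Pattern 1)."""
        self.previous, self.current = self.current, secrets.token_urlsafe(32)
        self.grace_until = now + grace
        self.audit.append(("rotate", now))
        return self.current

    def close_grace_window(self, now: datetime) -> None:
        """Revoke the previous secret once the window has elapsed."""
        if self.grace_until is not None and now >= self.grace_until:
            self.previous, self.grace_until = None, None
            self.audit.append(("revoke_previous", now))

    def verify(self, presented: str, now: datetime) -> bool:
        self.close_grace_window(now)
        if secrets.compare_digest(presented, self.current):
            return True
        return self.previous is not None and secrets.compare_digest(presented, self.previous)


class Vault:
    """Single-secret store; rotation writes here before consumers are touched."""
    def __init__(self, secret: str):
        self._secret = secret

    def write(self, secret: str) -> None:
        self._secret = secret

    def read(self) -> str:
        return self._secret


class Consumer:
    """Caches the secret; a vault-first consumer re-reads the vault on a 401."""
    def __init__(self, name: str, vault: Vault, reloads_on_401: bool = True):
        self.name, self.vault, self.reloads_on_401 = name, vault, reloads_on_401
        self.cached = vault.read()

    def call(self, authority: CredentialAuthority, now: datetime) -> str:
        if authority.verify(self.cached, now):
            return "200"
        if not self.reloads_on_401:
            return "401"  # hardcoded credential: dead once the window closes
        self.cached = self.vault.read()
        return "200" if authority.verify(self.cached, now) else "401"


def rotation_timeline() -> tuple:
    """(old ok in window, new ok in window, old rejected after, new ok after)."""
    t0 = datetime(2024, 1, 1)
    auth = CredentialAuthority(current="old-secret")
    new = auth.rotate(t0, timedelta(hours=1))
    return (auth.verify("old-secret", t0), auth.verify(new, t0),
            auth.verify("old-secret", t0 + timedelta(hours=1)),
            auth.verify(new, t0 + timedelta(hours=2)))


def run_rotation(grace_hours: int = 24, check_hours=(1, 30)) -> dict:
    """Rotate with a grace window and record each consumer's status over time."""
    t0 = datetime(2024, 1, 1)
    initial = secrets.token_urlsafe(32)
    authority, vault = CredentialAuthority(current=initial), Vault(initial)
    consumers = [Consumer("vault-first", vault), Consumer("hardcoded", vault, False)]
    # Rotation updates the vault before any consumer is touched (Pattern 5).
    vault.write(authority.rotate(t0, timedelta(hours=grace_hours)))
    return {h: {c.name: c.call(authority, t0 + timedelta(hours=h)) for c in consumers}
            for h in check_hours}


if __name__ == "__main__":
    print(rotation_timeline())  # (True, True, False, True)
    print(run_rotation())
```

The order of operations in `run_rotation` is the point to check in a real runbook: the vault is written before the old secret is revoked, so a consumer that reloads only on failure still finds the new value. Reverse that order, or skip the vault write, and the "vault-first" consumer fails exactly like the hardcoded one.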

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| Integration user password, consumer can handle cutover | Dual-credential window if supported, else coordinated cutover | Minimize downtime |
| Connected app secret, many consumers | Dual-credential grace window | Native support |
| JWT cert renewal | Dual cert handover | Zero downtime |
| Named credential (OAuth) | Auto-refresh; schedule re-auth if refresh-token-grant lifecycle requires | Platform handles |
| Consumer stores credential in code | Move to vault before rotating | Eliminates hardcoded credentials |

## Review Checklist

- [ ] Inventory is current.
- [ ] Cadence is documented per credential type.
- [ ] Zero-downtime runbook exists per type.
- [ ] Stale-credential detector is scheduled.
- [ ] Vault or equivalent secret store used for every credential.
- [ ] Post-rotation verification step exists per integration.

## Recommended Workflow

1. Inventory all service accounts, connected apps, certs, and named credentials.
2. Classify each by consumer set and downtime tolerance.
3. Set cadence per type and write the runbook.
4. Implement the stale-credential detector as a Scheduled Job.
5. Run a pilot rotation with coordination and verification.
6. Monitor and alert on failed post-rotation health checks.

---

## Salesforce-Specific Gotchas

1. Integration user password expiry can be set to "Never" — a common anti-pattern.
2. Rotating a client secret immediately invalidates every consumer using the old one; grace window must be explicit.
3. JWT connected apps can hold only a limited number of certs; plan the handover slot before adding the new one.
4. Named credentials with refresh tokens silently invalidate if the user's password changes.
5. Removing a connected app user session does not revoke active OAuth tokens.

## Proactive Triggers

- Integration user with `PasswordNeverExpires = true` → Flag Critical.
- Connected app secret last rotated > 365 days → Flag High.
- JWT cert expires < 90 days → Flag High.
- Named credential not invoked in 90 days → Flag Medium.
- Consumer storing credential in source code → Flag Critical.
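The stale-credential detector and the proactive triggers above, as an added Python example that is not the skill's own code: the skill's Pattern 3 runs this logic as an Apex Scheduled Job over SOQL (for example `User.LastPasswordChangeDate`) and opens a ticket, whereas this script applies the same thresholds from the "Rotation Cadence" and "Proactive Triggers" sections to a constructed inventory so the rules can be checked offline. Record field names (`last_rotated`, `last_callout`, `stored_in_source`) are assumptions, not Salesforce API names, and an unknown rotation date is deliberately treated as stale.

```python
"""Stale-credential detector over a credential inventory (added example).

The skill's Pattern 3 runs this as an Apex Scheduled Job with SOQL (for
example User.LastPasswordChangeDate) and opens a ticket; here the same
thresholds from the "Rotation Cadence" and "Proactive Triggers" sections are
applied to constructed inventory records so the rules can be run offline.
Record field names are assumptions, not Salesforce API names.
"""
from datetime import date
from typing import Optional

# Thresholds taken from the skill text.
INTEGRATION_USER_MAX_AGE_DAYS = 180   # "typical" cadence
CONNECTED_APP_SECRET_MAX_AGE_DAYS = 365
JWT_CERT_EXPIRY_WARNING_DAYS = 90
NAMED_CREDENTIAL_IDLE_DAYS = 90
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2}

AS_OF = date(2024, 6, 1)

# Constructed inventory; names and dates are made up for the example.
SAMPLE_INVENTORY = [
    {"name": "integ-erp", "type": "integration_user",
     "last_password_change": date(2024, 5, 1), "password_never_expires": False},
    {"name": "integ-legacy", "type": "integration_user",
     "last_password_change": date(2022, 1, 1), "password_never_expires": True,
     "stored_in_source": True},
    {"name": "app-billing", "type": "connected_app_secret", "last_rotated": date(2023, 1, 1)},
    {"name": "app-portal", "type": "connected_app_secret", "last_rotated": None},
    {"name": "jwt-ci", "type": "jwt_cert", "expires": date(2024, 7, 15)},
    {"name": "nc-payments", "type": "named_credential", "last_callout": date(2024, 1, 15)},
    {"name": "nc-crm", "type": "named_credential", "last_callout": date(2024, 5, 28)},
]


def _days_since(as_of: date, d: Optional[date]) -> Optional[int]:
    """None when the date is unknown; callers treat unknown as stale."""
    return None if d is None else (as_of - d).days


def detect_stale(inventory: list, as_of: date) -> list:
    """Return findings sorted Critical > High > Medium, then by name."""
    findings = []

    def flag(rec, severity, reason):
        findings.append({"name": rec["name"], "type": rec["type"],
                         "severity": severity, "reason": reason})

    for rec in inventory:
        kind = rec["type"]
        if kind == "integration_user":
            if rec.get("password_never_expires"):
                flag(rec, "Critical", "password expiry set to Never")
            age = _days_since(as_of, rec.get("last_password_change"))
            if age is None or age > INTEGRATION_USER_MAX_AGE_DAYS:
                flag(rec, "High", f"password age {age} days exceeds {INTEGRATION_USER_MAX_AGE_DAYS}")
        elif kind == "connected_app_secret":
            age = _days_since(as_of, rec.get("last_rotated"))
            if age is None or age > CONNECTED_APP_SECRET_MAX_AGE_DAYS:
                flag(rec, "High", "secret age unknown" if age is None
                     else f"secret last rotated {age} days ago")
        elif kind == "jwt_cert":
            days_left = (rec["expires"] - as_of).days
            if days_left < JWT_CERT_EXPIRY_WARNING_DAYS:
                flag(rec, "High", f"certificate expires in {days_left} days")
        elif kind == "named_credential":
            idle = _days_since(as_of, rec.get("last_callout"))
            if idle is None or idle > NAMED_CREDENTIAL_IDLE_DAYS:
                flag(rec, "Medium", "no callout recorded" if idle is None
                     else f"no callout in {idle} days; possibly unused")
        # Applies to any credential type.
        if rec.get("stored_in_source"):
            flag(rec, "Critical", "consumer stores the credential in source code")

    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["name"]))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, in escalation order."""
    return {sev: sum(1 for f in findings if f["severity"] == sev) for sev in SEVERITY_ORDER}


if __name__ == "__main__":
    for f in detect_stale(SAMPLE_INVENTORY, AS_OF):
        print(f"[{f['severity']:8}] {f['type']:22} {f['name']:14} {f['reason']}")
    print(summarize(detect_stale(SAMPLE_INVENTORY, AS_OF)))
```

Two design choices carry over to the Apex version: a missing rotation date is reported rather than skipped, since "never rotated" is the case the inventory most often hides, and one record can produce several findings (the `integ-legacy` user above trips three rules), so the ticket opened per finding should reference the record rather than de-duplicate on name.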

## Output Artifacts

| Artifact | Description |
|---|---|
| Credential inventory | Per account/app/cert, consumer list, storage location |
| Rotation runbook | Type-by-type zero-downtime instructions |
| Stale-credential detector | Scheduled job definition |

## Related Skills

- `security/oauth-token-management` — token lifecycle.
- `security/api-only-user-hardening` — integration user baseline.
- `integration/named-credentials-setup` — named credential design.
- `devops/pipeline-secrets-management` — pipeline-side storage.

Related Skills

wire-service-patterns

from PranavNagrecha/AwesomeSalesforceSkills

Use when designing or reviewing Lightning Web Components that use `@wire`, Lightning Data Service, UI API, or the GraphQL wire adapter, especially for reactive parameters, cache behavior, and refresh strategy. Triggers: 'wire service', 'refreshApex', 'reactive parameter', 'getRecord', 'wire vs imperative Apex'. NOT for component communication or generic lifecycle issues when data provisioning is not the main concern.

named-credentials-setup

from PranavNagrecha/AwesomeSalesforceSkills

Named Credentials and External Credentials configuration for secure outbound callouts: per-user vs per-org authentication, legacy vs enhanced Named Credentials, external credential principal types (Named Principal, Per User, Anonymous), OAuth 2.0 and JWT flows, and credential deployment. NOT for callout code patterns, Apex HTTP implementation, or OAuth server-side flow debugging.

service-metrics-data-model

from PranavNagrecha/AwesomeSalesforceSkills

Use when designing or reporting on Salesforce Service Cloud service metrics — covers the Case, Entitlement, and CaseMilestone object model, MTTR derivation via BusinessHours.diff(), IsViolated semantics, and ElapsedTimeInMins field usage for SLA reporting. Trigger keywords: MTTR, mean time to resolve, case milestone, entitlement SLA, IsViolated, CaseMilestone, first response time, resolution time, service KPI. NOT for CRM Analytics (Tableau CRM / Einstein Analytics) dashboards or Field Service Lightning work order metrics.

service-data-archival

from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when Service Cloud orgs are consuming excessive data or file storage due to Case-related records, or when compliance requirements demand structured retention and deletion of case history. Trigger keywords: EmailMessage bloat, Email-to-Case storage, ContentDocument archival, case attachment cleanup, compliance retention policy, service storage optimization. NOT for generic data archival across non-Service objects — use data-archival-strategies instead. NOT for CPQ, Sales Cloud, or FSL record archival. NOT for purging custom object data unrelated to Cases.

person-accounts

from PranavNagrecha/AwesomeSalesforceSkills

Use when enabling, configuring, or troubleshooting Person Accounts in a Salesforce org — includes B2C data model design, IsPersonAccount flag handling, Account-Contact behavior differences, reporting impact, migration planning, and integration requirements. NOT for standard B2B Account/Contact modeling. NOT for managing business accounts that share an org with Person Accounts.

financial-account-migration

from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when bulk-migrating financial account data into Salesforce FSC — including FinancialAccount, FinancialHolding, FinancialAccountRole, FinancialAccountTransaction, and balance history records. Trigger keywords: ETL load FSC, migrate holdings, bulk insert financial accounts, data migration rollup lock, FinancialAccountBalance import. NOT for financial account configuration or FSC data model reference.

duplicate-rule-person-account-edge-cases

from PranavNagrecha/AwesomeSalesforceSkills

When and how to author Duplicate Rules and Matching Rules in B2C / Person Account orgs without breaking lead conversion, cross-object matching, or PII hygiene. Covers PA's dual-record (001/003) shape, PersonEmail vs Contact.Email, multi-phone normalization, IsPersonAccount filtering, RecordType filtering for PA, and Lead-to-PA convert. NOT for B2B duplicate management — see data/duplicate-management. NOT for Data.com / Lightning Data — see integration/data-com.

service-cloud-architecture

from PranavNagrecha/AwesomeSalesforceSkills

Use when designing a Service Cloud solution end-to-end: channel strategy (phone, email, chat, messaging, social), routing model (queue-based vs skills-based Omni-Channel), knowledge strategy, entitlement and SLA enforcement, Einstein Bot / Agentforce deflection, and integration points. Triggers: service cloud architecture, case routing design, omni-channel strategy, contact center design, channel strategy, knowledge deflection, service console architecture. NOT for individual feature configuration (use admin/case-management), NOT for Einstein Bot conversation design (use agentforce/einstein-bot-architecture), NOT for telephony CTI implementation details.

multi-channel-service-architecture

from PranavNagrecha/AwesomeSalesforceSkills

Use when designing a unified multi-channel service strategy spanning phone (Service Cloud Voice), email (Email-to-Case), chat (Messaging for In-App/Web), social, and SMS with Omni-Channel routing. Triggers: channel prioritization, unified routing across channels, service channel migration, multi-channel capacity planning. NOT for individual channel setup or configuration — see service-cloud-architecture for single-channel implementation details.

service-cloud-rest-api

from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when integrating with Salesforce Service Cloud REST APIs — specifically the Knowledge REST API (/knowledgeManagement/ for authoring, /support/knowledgeWithSEO/ for guest retrieval) and the Messaging for In-App and Web (MIAW) Enhanced Chat API. Trigger keywords: Knowledge article retrieval, data category filtering, URL-name lookup, Enhanced Chat API, legacy Chat REST API migration. NOT for generic REST API callouts from Apex (use apex__http-callouts), NOT for Salesforce REST API CRUD on standard objects, NOT for Einstein Bot configuration.

fsl-service-report-templates

from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when designing, generating, or troubleshooting Field Service service report templates — covers the createServiceReport REST action (API v40.0+), ServiceReportLayout configuration, DigitalSignature capture, Document Builder (Winter '25+) with conditional logic via Flow, and PDF storage as ContentDocument/ContentVersion. NOT for quote templates, custom Visualforce pages, or Experience Cloud document generation.

apex-rest-services

from PranavNagrecha/AwesomeSalesforceSkills

Use when building, reviewing, or debugging inbound Apex REST resources, request/response handling, status codes, versioned URL mappings, or JSON serialization in `@RestResource` classes. Triggers: 'Apex REST', '@RestResource', 'HttpGet/HttpPost', 'RestContext', 'versioned endpoint'. NOT for outbound HTTP callouts or standard Salesforce REST API usage as a consumer.