How to Secure your App, Data & APIs with Salesforce Connected Apps | Best Practices
Author: Agentic Platformers
Uploaded: 2025-09-03
Views: 220
Are you a Salesforce partner or ISV developer looking to connect your external platform to Salesforce securely, or do you already have an app and want to make sure it's secure? In this deep-dive tutorial, I'll guide you through everything you need to know about Salesforce Connected Apps, focusing on robust security practices for API integration.
Join me as we explore how to establish a secure connection for pushing and pulling data using the JWT Bearer Flow for server-to-server authentication. I'll not only cover the theory but also walk you through a practical implementation, complete with a custom helper tool built to make the process easier (and add some fun confetti to your day!). We'll discuss critical security concepts like the Principle of Least Privilege and explain the right way to package your solution for distribution.
💡 WHAT YOU'LL LEARN
A clear definition of Salesforce Connected Apps and their role in API integration.
How to implement the OAuth 2.0 JWT Bearer Flow for secure server-to-server communication.
Why applying the Principle of Least Privilege with granular scopes is critical for your org's security.
A step-by-step walkthrough of creating and configuring a Connected App in Salesforce.
How to use Permission Sets and Custom Connected App Handlers to enforce fine-grained access control.
Key considerations for packaging your Connected App as a partner or ISV, including security review implications.
🕒 VIDEO CHAPTERS
00:00 - Introduction
00:10 - Agenda
00:28 - What Are Connected Apps?
00:59 - Security Best Practices
02:09 - Generating Certificates
02:39 - JWT Connected App Creation Demo
04:23 - The Principle of Least Privilege (Why to Avoid 'full_access')
04:57 - Risks of Overly Permissive Scopes
06:14 - Choosing the Right Scopes
08:05 - Testing with the Salesforce Postman Collection
08:43 - Demo: JWT Bearer Bridge Helper App
10:56 - Controlling Access with Permission Sets
13:02 - Advanced Security with a Custom Handler
14:25 - Packaging Your Connected App
15:27 - Wrap-up & What's Next
🔗 RESOURCES
JWT Bearer Bridge Helper App: https://github.com/AIspeaksAI/jwt-bea...
Salesforce Postman Collection: https://www.postman.com/salesforce-de...
Official Connected Apps Documentation: https://help.salesforce.com/s/article...
Agentforce: https://salesforce.com/agentforce
AgentExchange: https://salesforce.com/agentforce/age...
🙏 CREDITS
Claude Code, Gemini, Nano Banana & Veo3
Thanks for watching! If you found this guide helpful, please hit the like button, subscribe for more Salesforce developer content, and ring the notification bell so you don't miss the upcoming External Client Apps video!