+ Start a Discussion

Client ID Security?


I am working on a Salesforce App which I am hoping will meet Aloha requirements, so it can run in Group and Professional edition.

My app integrates with an external website which means it will have to work with the Salesforce API. From what I understand, if it passes the security review, I can get a Client ID which will be used for the external site to call the Salesforce API.

My question is, does this Client ID need to be protected from customers? The reason I ask is the external sites code will be installed by the customer and is written in PHP meaning the source code will be visible. Since the Client ID would have to be in the code, it would be visible by the customer. Is this a security issue, or does it even matter since the Client ID is specific to my app?


Thanks for any help.



I don't think the force.com platform works the way you're referring to. There's no ClientID that is created. The only unique ID your app has is a namespace. Each installation of your app will have the same namespace, and the only way you can call into the app from an exernal site is with a username and password or OAuth authentication from each installed instance. You can also use the running user's session if it's going to be an interactive experience with the external site.


Hope this helps,



Hi Chuck,

I'm referring to the API Token which Salesforce can issue you if you pass their security review, as referenced in the "API Access" section of this page: http://wiki.developerforce.com/page/Designing_an_Application_for_Group_and_Professional_Edition


They refer to it as a Client ID. It allows you to make API calls in Professional and Group edition where users aren't typically allowed to use the API. 

Just wondering what the security ramications are if it's visible by a customer.


Ah, thanks for the info. I've only designed for EE installations, so wasn't aware of this functionality. Sounds like it's more of a general requirement that you should follow in your app to prevent someone in your client orgs from making API calls without paying for the higher editions.


From the doc: You cannot use the ClientID with the AJAX Toolkit in custom JavaScript, S-controls or anywhere in your app where the value can be exposed to the end customer