+ Start a Discussion
Steve BrownSteve Brown 

Storing OAuth Info in Apex



We have an Apex app that will make occasional web service calls to our own web site. We use OAuth to authenticate the SF user against our provider. In order to successfully make the call from SF to us, our Apex app needs to know the consumer key and secret required to create and sign the request.


We need to store the consumer key and secret somewhere in SF, but it needs to be protected. Ideally, we would like these values to be shipped with our managed package so our customers do not need to manually enter the key and secret into Salesforce.


Is there a best practice to include sensitive information, particular the OAuth consumer key and secret, in a SF managed package? If not, what are the alternatives?






Use a custom setting to save the Auth token, refresh token, etc:



Set it to "Protected" and type of "List".  


They are effectively custom objects with a crappier UI, but better security as Protected ones can only be seen by your code in a managed package.  You can access them without a query too with .getInstance(<name>)


I used the userID as the "Name" for mine as I'll never have more than 1 oAuth token for the same person for mine.  

Steve BrownSteve Brown

Thanks for your response. We believe the custom setting is the way to go, but the documentation says that you can't package data in the custom setting. This leads me to believe that some action is required to populate the setting AFTER the package is installed.


Obviously we don't want to give out the consumer key and secret; we prefer to keep them secret in the app. So how do we get the setting populated?


Or is it possible that the documentation is incorrect and we CAN populate a custom setting and include that in our managed package?






Since the consumer key/secret are different for each customer, wouldn't you want to populate them after sign up?  I haven't used oAuth 1 (I'm using 2.0), and my flow is something like:

1) Customer installs app

2) They click a button on my vfp page, which takes them to the consumer app, which has my app key in the param

3) They log in & approve access

4) Redirect URL lands back on my VF page with a param saying it worked

5) Server side, I make an api call using my app key + that success key

6) Consumer API returns the oAuth token & refresh token for this user, which I assume is analogous to an oAuth 1 consumer key/secret.

7) I store those in a custom setting with the userId as the Name of the setting for easy retrieval later


I use the oAuth token for all future API calls. 


Nothing is prepackaged for me except my hard coded app key, and I'll probably make that a 1 way input in case I need to change the key later due to governor limits & lack of subdomain support from that 3rd party company

Steve BrownSteve Brown



We're using OAuth 1.0a, and our web service is the provider, and our Apex app is the consumer. Our Apex app needs the consumer key to make the calls, and the consumer secret to sign the Authorization header for each API call.


So is there a best practice for populating the consumer key & consumer secret without requiring the SF admin to have to enter it by hand?


I hope this adds some context.






I don't understand how oauth 1 works well enough to advise here.


I'm guessing at whatever point you get the consumer key & secret, there's probably a way to add them to a protected custom setting without any copy & paste.  If you first get them on the provider side, perhaps you could use a button in Force.com to grab the info & write to the custom setting. 


Cory KlattCory Klatt

Did you ever find a solution?  We are looking to do the same thing.  We are using OAUTH2 and we require the Consumer Key and Secret which is generated for us by Salesforce.com when we created our Connect App.  The problem is, there doesn't appear to be a secure way to get the Consumer Key / Secret into our managed package.