function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

Securing Cross Org Web Services

I'm working on creating a Managed Package that will be installed into our client's customers' orgs. In that package are classes that perform callouts back to our client's org. Do you have any recommendations on how to secure this web-service based communication between our client and our client's customers' orgs? 


Thanks in advance!




I had a similar requirement once. And after some research, I drilled into this solution : Creating a custom REST API class which has the core logic in the Main Org and accessing it using callouts from the client orgs using OAuth.


More information here :


Thanks for the response Vishal.


I have a custom Rest API class in the main org as you suggested.


Can you elaborate on the second part where the client orgs use OAuth and callouts to access it?


Here's what I'm thinking from what you posted (correct me where I'm wrong):

1)  Create a Connected App to get a Consumer Key and Consumer Secret

2)  Include a mechanism to the client to get them to go through the OAuth process, using the Consumer Secret and Key to get an Access Token/Session ID

3)  Once they have a Token/Session ID, do I point them to /services/apexrest/myNameSpace/myServiceName?


Yup, that's exactly what I had done. Created a App that would help the external user to connect to Salesforce using the consumer key and secret. Once he is through, he can then send requests to the custom REST methods.


This is an excellent link to get started with OAuth


Thanks again Vishal,


When I create an Access Token using credentials from the org where my Connected App resides all works fine.  However, when I try create an Access Token using credentials from an external org (like what the customers would be doing), I receive the following:


[ {
"message" : "Session expired or invalid",
"errorCode" : "INVALID_SESSION_ID"
} ]


Any ideas?