Discover What’s New with Integration for Winter '26

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify integration options with MuleSoft for Flow.
  • Apply secure practices for access token transmission.
  • Design integrations that exchange binary files with External Services.
  • Configure OAuth 2.0 client credentials flow with external authentication.
  • Implement credential rotation for external client apps.

Streamline External System Integration with MuleSoft for Flow: Integration

Integrations don’t have to be heavy lifts. With MuleSoft for Flow: Integration, you connect Salesforce to external systems without writing code. Use third-party connectors to speed delivery, reduce maintenance, and keep integrations simple.

Here are a few key capabilities of connectors.

| Capabilities | What You Do | Example |
|---|---|---|
| Trigger | Start a flow when data changes in another system. | You create a new Contact in NetSuite, and the flow creates a Lead in Salesforce. |
| Action | Send or retrieve data between Salesforce and another system. | You create an Order in Salesforce, and the flow creates a Sales Order in NetSuite. |
| Field Mapping | Align Salesforce fields with external fields. | You map fields directly in the flow to keep data accurate. |

Manage every connection from the Connections tab in the Automation Lightning app. From there, check authorization settings, review metadata, and reuse connections across flows without repeating setup.

When you need Salesforce to react to events in another system, you design an External System Change-Triggered Flow. You tell Salesforce which system to poll, watch for changes, and run the flow when something new happens. That’s event-driven automation—simple and in your control.

Note

Share the Manage Integration Connections permission only with the people who need it. That way, your team keeps control of external endpoints while protecting security.

Keep Access Tokens Out of Query Strings

Passing sensitive information in a URL is risky. Starting with this release, Salesforce blocks GET requests to the single access endpoint if the request includes an access token in the query string. This change closes a common security gap and helps you follow best practices for protecting data.

Send the access token in the Authorization header.

For example:

GET /services/oauth2/singleaccess HTTP/1.1
Host: mydomain.my.salesforce.com
Authorization: Bearer <access token>

If you’re making a POST request, you can still send the token in the header or in the request body. Either way, you keep tokens out of the browser address bar and out of logs.

Note

Review your existing integrations now. If any of them pass tokens in a URL, update them before they break.
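
One way to run that review is sketched below. It is an added example, not Salesforce code: it scans log lines or integration source for URLs that carry a token in the query string, redacts the value, and marks the ones aimed at the single access endpoint. It assumes the token uses the RFC 6750 `access_token` query parameter name; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumption: the token travels in the RFC 6750 "access_token" query parameter.
TOKEN_PARAMS = {"access_token"}
SINGLE_ACCESS_PATH = "/services/oauth2/singleaccess"
# Absolute URLs, or request targets under /services/ as seen in access logs.
URL_RE = re.compile(r"""(?:https?://[^\s"'<>]+|/services/[^\s"'<>]+)""")


def redact(url):
    """Return the URL with every token parameter value replaced."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def find_token_urls(lines):
    """Return (line_number, redacted_url, single_access) for each token in a URL."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            names = {k.lower() for k, _ in
                     parse_qsl(parts.query, keep_blank_values=True)}
            if names & TOKEN_PARAMS:
                single_access = parts.path.rstrip("/") == SINGLE_ACCESS_PATH
                findings.append((number, redact(url), single_access))
    return findings


# Constructed sample: three proxy log lines and one line of integration code.
SAMPLE = [
    "GET /services/oauth2/singleaccess?access_token=constructed-token HTTP/1.1 200",
    "GET /services/oauth2/singleaccess HTTP/1.1 200",
    'url = "https://api.example.com/files?id=7&access_token=constructed-token"',
    "POST /services/oauth2/singleaccess HTTP/1.1 200",
]

if __name__ == "__main__":
    for number, url, single_access in find_token_urls(SAMPLE):
        where = "single access endpoint" if single_access else "other endpoint"
        print(f"line {number}: {url} ({where})")
```

The findings hold only the redacted URL, so the report itself does not become another place where tokens are stored.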

Upload and Download Files with External Services

External Services now goes beyond text-based data. You can upload or download binary files—like images or PDFs—directly to and from external systems. This gives you more flexibility when your integration involves documents, media, or other non-text formats.

Here’s how you set it up.

  • Register an external service with a PUT or GET operation in the OpenAPI spec.
  • Salesforce creates an invocable action you use in Flow or Apex.
  • Upload files as ContentDocument objects, or download external files as ContentDocument objects.

This expansion makes it easier to integrate with document management systems or apps that store media assets, without building custom code.

Note

Be mindful of system limits when working with large files. Use ContentDocument for efficient storage and keep payload sizes under control.

Simplify Integrations with External Auth Identity Providers

Some identity providers need extra details—like an audience parameter—when they issue tokens. Previously, you wrote custom Apex code to handle those requests. Now you can configure everything with clicks.

External auth identity providers fully support the OAuth 2.0 client credentials flow. When you set up the provider, you choose Client Credentials Flow as the authentication type. Then you add any custom request parameters—such as audience—directly in setup. Salesforce stores the client credentials securely, so you avoid manual management.

When you create an external credential linked to the provider, select Client Credentials Flow Managed by External Auth Provider. That way, the system handles the token exchange—or handshake—for you.

Note

Use external auth identity providers when you connect Salesforce to APIs that require specific parameters. This keeps your integrations secure and maintainable.
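
To show what a client credentials token request with a custom audience parameter looks like on the wire, here is an added example that builds one according to RFC 6749 section 4.4. It is not Salesforce's implementation: the function name, the reserved-name check, and the choice of HTTP Basic client authentication are assumptions for illustration, and the credentials and audience value are constructed.

```python
import base64
from urllib.parse import quote_plus, urlencode

# Parameters the flow itself owns; a custom parameter must never replace them.
RESERVED = {"grant_type", "client_id", "client_secret",
            "client_assertion", "client_assertion_type"}


def build_token_request(client_id, client_secret, custom_params=None):
    """Return (headers, body) for an RFC 6749 section 4.4 token request."""
    custom_params = dict(custom_params or {})
    clash = RESERVED & {name.lower() for name in custom_params}
    if clash:
        raise ValueError(f"custom parameter overrides reserved name: {sorted(clash)}")

    form = {"grant_type": "client_credentials"}
    form.update(custom_params)  # for example, the provider's audience value

    # RFC 6749 section 2.3.1: form-encode the id and secret, then use HTTP Basic.
    # The secret goes in a header, never in the URL.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode(form)


if __name__ == "__main__":
    # Constructed values; a real secret would come from a secure store.
    headers, body = build_token_request(
        "constructed-client-id", "constructed-secret",
        custom_params={"audience": "https://api.example.com/"})
    print("Content-Type:", headers["Content-Type"])
    print("Authorization: Basic <redacted>")
    print()
    print(body)
```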

Stage and Rotate External Client App Credentials

Long-lived credentials create security risks. To keep external client apps safe, you now stage and rotate credentials through the API instead of relying on static keys.

Here’s what you can do with the API.

  • Retrieve the client app ID from the OAuth Usage endpoint.
  • Stage new credentials with a POST request.
  • Rotate credentials with a PATCH request.
  • Delete credentials when they’re no longer needed.

This feature brings lifecycle management to your connected apps. By rotating secrets regularly, you reduce exposure and align with modern security practices. This also opens the door for automation, so you design integrations that stay secure without adding manual work.

Note

Automate credential rotation on a schedule. This keeps integrations running smoothly while lowering risk from outdated or compromised keys.

Summary

In this unit, you explored new ways to strengthen integrations with MuleSoft for Flow connectors, safer token handling, binary file support, easier OAuth setup, and credential rotation.
