Discover What’s New with Integration for Winter '26
Learning Objectives
After completing this unit, you’ll be able to:
- Identify integration options with MuleSoft for Flow.
- Apply secure practices for access token transmission.
- Design integrations that exchange binary files with External Services.
- Configure OAuth 2.0 client credentials flow with external authentication.
- Implement credential rotation for external client apps.
Streamline External System Integration with MuleSoft for Flow: Integration
Integrations don’t have to be heavy lifts. With MuleSoft for Flow: Integration, you connect Salesforce to external systems without writing code. Use third-party connectors to speed delivery, reduce maintenance, and keep integrations simple.
Here are a few key capabilities of connectors.
| Capabilities | What You Do | Example |
|---|---|---|
| Trigger | Start a flow when data changes in another system. | You create a new Contact in NetSuite, and the flow creates a Lead in Salesforce. |
| Action | Send or retrieve data between Salesforce and another system. | You create an Order in Salesforce, and the flow creates a Sales Order in NetSuite. |
| Field Mapping | Align Salesforce fields with external fields. | You map fields directly in the flow to keep data accurate. |
Manage every connection from the Connections tab in the Automation Lightning app. From there, check authorization settings, review metadata, and reuse connections across flows without repeating setup.
When you need Salesforce to react to events in another system, you design an External System Change-Triggered Flow. You tell Salesforce which system to poll, watch for changes, and run the flow when something new happens. That’s event-driven automation—simple and in your control.
Keep Access Tokens Out of Query Strings
Passing sensitive information in a URL is risky. Starting with this release, Salesforce blocks GET requests to the single access endpoint if the request includes an access token in the query string. This change closes a common security gap and helps you follow best practices for protecting data.
Send the access token in the Authorization header.
For example:
```
GET /services/oauth2/singleaccess HTTP/1.1
Host: mydomain.my.salesforce.com
Authorization: Bearer <access token>
```
If you’re making a POST request, you can still send the token in the header or in the request body. Either way, you keep tokens out of the browser address bar and out of logs.
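To find integration calls that still put the token in the URL and move it into the header, here is an added example (not Salesforce code). It assumes the token was passed in the RFC 6750 `access_token` query parameter; the sample URLs, the token value, and `example_param` are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

SINGLE_ACCESS_PATH = "/services/oauth2/singleaccess"  # endpoint path shown on this page
TOKEN_PARAMS = {"access_token"}  # assumption: RFC 6750 query parameter name

def _split(url):
    parts = urlsplit(url)
    return parts, parse_qsl(parts.query, keep_blank_values=True)

def token_in_query(method, url):
    """True for a GET to the single access endpoint with a token in the query string."""
    parts, pairs = _split(url)
    return (method.upper() == "GET" and parts.path == SINGLE_ACCESS_PATH
            and any(k.lower() in TOKEN_PARAMS for k, _ in pairs))

def redact(url):
    """Mask token values so a finding can be logged without re-leaking the token."""
    parts, pairs = _split(url)
    masked = [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))

def to_header_request(url):
    """Rebuild the GET with the token in the Authorization header (request is not sent)."""
    parts, pairs = _split(url)
    tokens = [v for k, v in pairs if k.lower() in TOKEN_PARAMS]
    if len(tokens) != 1 or not tokens[0]:
        raise ValueError("expected exactly one non-empty token in the query string")
    rest = [(k, v) for k, v in pairs if k.lower() not in TOKEN_PARAMS]
    clean = urlunsplit(parts._replace(query=urlencode(rest)))
    return Request(clean, method="GET", headers={"Authorization": f"Bearer {tokens[0]}"})

def audit(requests):
    """Return redacted URLs of the requests that need to be migrated."""
    return [redact(url) for method, url in requests if token_in_query(method, url)]

# Constructed sample calls; the token and the extra parameter are placeholders.
BASE = "https://mydomain.my.salesforce.com" + SINGLE_ACCESS_PATH
SAMPLE = [
    ("GET", BASE + "?access_token=FAKE-TOKEN-123&example_param=1"),
    ("GET", BASE),                       # token already sent in a header
    ("POST", BASE),                      # POST with token in header or body
    ("GET", "https://mydomain.my.salesforce.com/other?access_token=FAKE"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("token in query string:", finding)
    fixed = to_header_request(SAMPLE[0][1])
    print(fixed.get_method(), fixed.full_url, fixed.headers)
```

The audit only covers the rule stated here (GET to the single access endpoint); extend `TOKEN_PARAMS` if your callers used a different parameter name.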
Upload and Download Files with External Services
External Services now goes beyond text-based data. You can upload or download binary files—like images or PDFs—directly to and from external systems. This gives you more flexibility when your integration involves documents, media, or other non-text formats.
Here’s how you set it up.
- Register an external service with a PUT or GET operation in the OpenAPI spec.
- Salesforce creates an invocable action you use in Flow or Apex.
- Upload files as ContentDocument objects, or download external files as ContentDocument objects.
This expansion makes it easier to integrate with document management systems or apps that store media assets, without building custom code.
Simplify Integrations with External Auth Identity Providers
Some identity providers need extra details—like an audience parameter—when they issue tokens. Previously, you wrote custom Apex code to handle those requests. Now you can configure everything with clicks.
External auth identity providers fully support the OAuth 2.0 client credentials flow. When you set up the provider, you choose Client Credentials Flow as the authentication type. Then you add any custom request parameters—such as audience—directly in setup. Salesforce stores the client credentials securely, so you avoid manual management.
When you create an external credential linked to the provider, select Client Credentials Flow Managed by External Auth Provider. That way, the system handles the token exchange—or handshake—for you.
Stage and Rotate External Client App Credentials
Long-lived credentials create security risks. To keep external client apps safe, you now stage and rotate credentials through the API instead of relying on static keys.
Here’s what you can do with the API.
- Retrieve the client app ID from the OAuth Usage endpoint.
- Stage new credentials with a POST request.
- Rotate credentials with a PATCH request.
- Delete credentials when they’re no longer needed.
This feature brings lifecycle management to your connected apps. By rotating secrets regularly, you reduce exposure and align with modern security practices. This also opens the door for automation, so you design integrations that stay secure without adding manual work.
Summary
In this unit, you explored new ways to strengthen integrations with MuleSoft for Flow connectors, safer token handling, binary file support, easier OAuth setup, and credential rotation.
Resources
- Salesforce Help: MuleSoft for Flow: Integration Connectors
- Salesforce Help: NetSuite Connector
- Salesforce Help: Streamline External System Integration with MuleSoft for Flow: Integration
- Salesforce Help: GET Requests with Access Tokens in the URL Query String Are Blocked for the Single Access Endpoint
- Salesforce Help: Upload and Download Files with External Services Binary File Support
- Salesforce Help: Simplify Integrations with External Auth Identity Provider Support for Client Credentials
- Salesforce Help: Stage and Rotate External Client App Credentials
