+ Start a Discussion
Raj R.Raj R. 

what is the recommended way to store credentials when they are need for an apex class?

Hi,

FOr now we have hardcoded credentials that are used to connect to an external endpoint. We have to generate a customized body in json so we are unable to use named credentials and any other out of box way so we had to create an apex class. However we are storing the values in the code.

What is the recommended way to store and retrieve the credentials so that they are in a secure location outside of the apex code?
Best Answer chosen by Raj R.
bob_buzzardbob_buzzard
The most secure way to do this is to put your integration functionality into a managed package, that way even the system administrator can't access the credentials. There are various other mechanisms with varying degrees of security detailed in the Storing Sensitive Data document on developerforce:

https://developer.salesforce.com/page/Secure_Coding_Storing_Secrets

All Answers

bob_buzzardbob_buzzard
The most secure way to do this is to put your integration functionality into a managed package, that way even the system administrator can't access the credentials. There are various other mechanisms with varying degrees of security detailed in the Storing Sensitive Data document on developerforce:

https://developer.salesforce.com/page/Secure_Coding_Storing_Secrets
This was selected as the best answer
Raj R.Raj R.

Hi Bob,

Do you know if it is possible to generate a managed package without uploading it? We do not want this uploaded to the appexchange, but we wanted to create a managed package and then move it between our dev and prod orgs. Would that be possible? I have not seen anything about it so it would be needed.

The reason for not uploading it is because it is not fully ready to uploaded, but we want to manage it in such a way that we can store credentials safely and use it in code with the ability to move this functionality between orgs.

bob_buzzardbob_buzzard
You have to upload your package in order for it to be accessed from other orgs. You don't have to publish it though, in which case only someone with the link would be able to access it. These are typically referred to as private packages and I use them a lot.