
Securely Manage User Context in Agentforce Using Pre-Chat Variables

By Justus van den Berg, published on Medium · Advanced · Developer · 21 min read
Summary

This article explains how to securely manage user context variables in Agentforce using the Messaging for In-App and Web pre-chat API. It addresses the risk of client-side tampering with user context data and demonstrates a server-side encryption and hashing pattern to protect sensitive information such as user IDs. Salesforce teams can implement an OMNI flow with an invocable Apex method to decrypt and validate pre-chat variables, enhancing security when passing user data to agents. The approach reduces risks of impersonation and data exposure while integrating well with existing Agentforce configurations.

Takeaways
  • Encrypt and hash sensitive pre-chat variables on the server before sending to the client.
  • Use an OMNI flow with invocable Apex to decrypt and validate context data securely.
  • Keep shared secrets and salts confidential and never expose them client-side.
  • Map decrypted variables to custom fields on the MessagingSession record for agent use.
  • Implement robust secret management practices across Salesforce and external portals.

A deep dive into the setup of user context variables using “Messaging for In-App and Web” with Agentforce

There are a lot of examples of Agentforce implementations that require the agent to know who it is talking to. You want your agent to give accurate responses that apply to the user. Whether the response changes based on a user’s location, their purchase history or any other kind of relevant data, we have to pass the user and context data to the agent securely. The way this is done in Messaging for In-App and Web (MIAW) is to pass context variables through the Pre-Chat API. Just before the chat opens you can pass data such as the page the user was on when the chat was opened, the breadcrumb path the user followed, or any other customer behaviour on the site or app that you need. Note: I’ll be focusing on the Web part, but the same principle applies if you use the iOS or Android SDKs.
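The server-side decrypt-and-validate step the summary describes, as an added Apex example that is not the article's own code: an invocable action the OMNI flow can call with the pre-chat variable and receive back the verified user ID for mapping onto the MessagingSession record. It assumes the portal server produced the value as base64(AES-256 ciphertext with managed IV) + '.' + base64(HMAC-SHA256 tag over the ciphertext), that the plaintext is `userId|issuedAtEpochMillis`, and that both keys live in a protected custom metadata type named `PreChat_Secret__mdt` with fields `AES_Key__c` and `HMAC_Key__c` (all hypothetical names).

```apex
public with sharing class PreChatContextDecryptor {

    public class Request {
        // Value of the pre-chat variable: base64(ciphertext) + '.' + base64(HMAC tag)
        @InvocableVariable(required=true) public String signedToken;
    }

    public class Result {
        @InvocableVariable public Boolean isValid = false;
        @InvocableVariable public String userId;
    }

    // Keys come from a protected custom metadata record (hypothetical type and field names);
    // they are known only to the portal server and this class, never to the browser.
    private static Blob aesKey() {
        return EncodingUtil.base64Decode(PreChat_Secret__mdt.getInstance('Default').AES_Key__c);
    }
    private static Blob hmacKey() {
        return EncodingUtil.base64Decode(PreChat_Secret__mdt.getInstance('Default').HMAC_Key__c);
    }

    @InvocableMethod(label='Validate and decrypt pre-chat user context')
    public static List<Result> decrypt(List<Request> requests) {
        List<Result> results = new List<Result>();
        for (Request req : requests) {
            Result res = new Result();
            results.add(res);
            try {
                List<String> parts = req.signedToken.split('\\.');
                if (parts.size() != 2) { continue; }
                Blob cipher = EncodingUtil.base64Decode(parts[0]);
                // Recompute the tag over the ciphertext; a client-side edit of the variable fails here.
                Blob expected = Crypto.generateMac('hmacSHA256', cipher, hmacKey());
                Blob received = EncodingUtil.base64Decode(parts[1]);
                // Compare digests of the two tags instead of the tags themselves, so a mismatch
                // position is not observable through string comparison timing.
                if (EncodingUtil.convertToHex(Crypto.generateDigest('SHA-256', expected)) !=
                    EncodingUtil.convertToHex(Crypto.generateDigest('SHA-256', received))) { continue; }
                // Managed-IV layout: the first 16 bytes of the blob are the IV the portal prepended.
                String plain = Crypto.decryptWithManagedIV('AES256', aesKey(), cipher).toString();
                // Assumed plaintext layout userId|issuedAtEpochMillis; reject tokens older than 5 minutes.
                List<String> fields = plain.split('\\|');
                if (fields.size() != 2 ||
                    System.now().getTime() - Long.valueOf(fields[1]) > 300000L) { continue; }
                res.userId = fields[0];
                res.isValid = true;
            } catch (Exception e) {
                // Malformed base64, wrong key or bad padding: treat as invalid, expose no details.
                res.isValid = false;
            }
        }
        return results;
    }
}
```

The flow should only write `userId` to the MessagingSession custom field when `isValid` is true; an invalid token leaves the session unidentified rather than trusting the raw client value.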
