Rethinking Salesforce Integration Architecture: The Leap to External Client Apps
External Client Apps (ECAs) provide a significant evolution over traditional Connected Apps by enabling packageable, scalable, and more secure OAuth integrations in Salesforce. By delegating configuration and secret management to a dedicated DevHub, ECAs allow better separation of duties and centralized management of OAuth credentials across multiple orgs, improving governance and operational efficiency. This architecture reduces administrative overhead, supports automated key rotation, and enhances security through controlled secret exposure and audit logging. Salesforce teams can leverage ECAs to streamline multi-org integrations, implement stricter security controls, and automate deployment processes for external API connections.
- Use a dedicated DevHub to centrally manage ECAs across multiple orgs for better governance.
- Separate ECA configuration and user access management to align with enterprise security best practices.
- Automate key rotation and ECA deployment using the Metadata API and CI/CD pipelines.
- Packaged ECAs enable reuse in sandboxes without exposing client secrets, improving security.
- Enable controlled exposure and audit logging of consumer secrets via MFA and API settings.
A practical take on why External Client Apps are more than just Connected Apps 2.0 — Unlocking packageability that reshapes how we can architect for security, governance, and scale

When I first started working with External Client Apps (ECAs) I was a bit confused: they seemed identical to Connected Apps (CAs), with exactly the same fields and the same screens. It seemed they were just Connected Apps with the Lightning Layout applied to the UI… But when you start looking under the hood, they actually consist of five types of metadata, some packageable, some not. They are designed with "packaging in mind", and that comes with the not-much-talked-about ability to adopt some new API and Secret Management strategies. I don't want to rewrite the documentation in this article, as it is not that vague, but I do want to describe some of the key aspects I wish I had when I started migrating my CAs to ECAs.