Is Currency Updater compliant with Salesforce’s latest security requirements?

Yes.

Currency Updater is compliant with Salesforce’s current security requirements for OAuth integrations, including the guidance described in the Enhanced Connected App (ECA) documentation:

https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/secure_code_ac_eca.htm

Although we currently use a standard Connected App (CA), our authentication model already implements the key security mechanisms required by Salesforce.


What authentication mechanisms does Currency Updater use?

Currency Updater uses a modern and secure OAuth architecture based on:

PKCE (Proof Key for Code Exchange)

  • Implemented in the OAuth Web Server Flow

  • Uses a code_verifier and an S256 code_challenge (the base64url-encoded SHA-256 hash of the verifier)

  • Protects against authorization code interception

  • No exposure of client secrets in browser-based flows

JWT Bearer Flow

  • Used for server-to-server authentication

  • Ideal for scheduled jobs and async processing

  • Removes dependency on stored refresh tokens


Why is PKCE important?

PKCE is a key requirement in Salesforce’s latest security guidance.

Currency Updater implements PKCE to:

  • Prevent authorization code interception attacks

  • Secure authentication flows initiated from LWC (browser context)

  • Avoid reliance on client secrets in distributed environments

This aligns with Salesforce recommendations for ISV applications.


Does Currency Updater rely on refresh tokens?

No, not as a primary mechanism.

While the OAuth flow may return a refresh token, Currency Updater is designed to:

  • Prefer JWT-based authentication for backend operations

  • Avoid reliance on long-lived refresh tokens

  • Reduce risk associated with token leakage or misuse

This approach is more secure and aligns with modern integration patterns.


How are credentials stored securely?

  • No client secrets or sensitive tokens are exposed in the browser (LWC)

  • Any required tokens are handled server-side in Apex

  • Sensitive data is stored in protected configuration (Custom Settings / Metadata)

  • No credentials are logged or exposed in URLs


Does the app depend on user sessions?

No.

Currency Updater does not rely on Salesforce session IDs, which:

  • Improves security

  • Avoids issues with session expiration

  • Enables stable async and scheduled processing

Authentication is handled via OAuth (PKCE) and JWT.


Does this affect existing customers?

No.

  • Existing configurations continue to work normally

  • PKCE is applied transparently during authentication

  • No action is required from customers


Does this impact your Heroku service?

No.

  • Authentication is handled between Salesforce (OAuth), LWC, and Apex

  • Heroku services do not manage OAuth credentials or tokens

  • This ensures separation of concerns and reduces security exposure


Is Currency Updater aligned with Salesforce’s future security direction?

Yes.

By implementing PKCE and JWT-based authentication on top of a Connected App, Currency Updater already aligns with:

  • Salesforce’s secure OAuth recommendations

  • ISV security review expectations

  • Future enforcement around secure authorization flows


Summary

Currency Updater uses a Connected App with:

  • PKCE-secured OAuth flows

  • JWT-based server authentication

  • No reliance on session IDs

  • Reduced dependency on refresh tokens

This provides a secure, scalable, and forward-compatible authentication model fully aligned with Salesforce security best practices.