Enable User External Credentials

Tokens for named credential callouts are encrypted and stored in the User External Credential object. Any user performing an authenticated callout needs profile- or permission set-based access to user external credentials. Most standard permission sets and profiles have access to the User External Credentials object by default. For the guest user profile, and for some custom permission sets and profiles, you must assign User External Credentials object permissions manually.

Required Editions

Available in: Salesforce Classic (not available in all orgs) and Lightning Experience

Available in: all editions

Permission sets available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

User Permissions Needed
To edit permission sets and user profiles:	Manage Profiles and Permission Sets

Keep these considerations in mind when you enable user external credentials.

For the guest user profile, and for some custom permission sets and profiles, enabling user external credentials is the last step to create a named credential. For an overview of all of the steps required to configure a named credential, see Create Named Credentials and External Credentials.
It’s not necessary to enable user credentials every time you create an external credential. You enable access to user external credentials one time for each custom permission set or profile.
You can grant guest user profiles read access to the user external credential and provide access to make callouts using named credentials. You can give guest user profiles access to user external credentials only when the external credential uses a named principal.

Configure access to the User External Credentials object.

From Setup, in the Quick Find box, enter Permission Sets, and then select Permission Sets or enter Profiles, and then select Profiles.
Click the permission set or profile for which you want to enable user external credentials.
Take one of these steps.
- For a permission set, under Apps, click Object Settings, and then click User External Credentials.
- For a profile, scroll to Standard Object Permissions and then select User External Credentials.
  We also support profiles associated with guest users.
Select the user external credential access that you want to give this permission set or user profile.
Save the settings.

You can’t manipulate tokens in user external credentials directly. For example, you can’t read them out or change them. You can, however, access user external credentials through the ConnectApi interface, just as you would with named credentials and external credentials.

As an example, use deleteCredential to remove a user external credential and its associated tokens when an employee leaves a company. You provide the developer name of the external credential and the principal name and type associated with your credentials (the user external credential), and deleteCredential deletes all user external credentials for that principal.

String externalCredential = 'SampleExternalCredential';
String principalName = 'Principal';
ConnectApi.CredentialPrincipalType principalType = ConnectApi.CredentialPrincipalType.NamedPrincipal;

ConnectApi.NamedCredentials.deleteCredential(externalCredential, principalName, principalType);

Did this article solve your issue?

Let us know so we can improve!

Enable User External Credentials

Required Editions

General Information

Required Cookies

Functional Cookies

Advertising Cookies

General Information

Required Cookies

Functional Cookies

Advertising Cookies

Cookie List

Product Area

Feature Impact

Edition

Experience

Enable User External Credentials

Required Editions