Security Updates to the "Outbound Message with Session ID"

Publish Date: Jan 15, 2026

Description

Original Publication Date - December 4, 2025
Updated - January 14, 2026

The update originally planned for the week of February 16 has been rescheduled for the week of February 23, 2026. You don’t need to take any action on the original date, and any changes that you have already made to prepare for this change can remain in place.

As part of our ongoing commitment to strengthening account security, Salesforce is removing the ability to send session IDs in Outbound Messages.

What does this mean?

There will no longer be a Send Session ID checkbox for customers to select
The IncludeSessionId flag in the API will be ignored and always set to FALSE
For existing outbound messages, session ID values will no longer be within the <sessionID></sessionID> element of outbound message payloads.

Previously, outbound messages could be configured to include a session ID, allowing external systems to make API calls back into Salesforce without requiring separate authentication.

Resolution

Actions Required:

Identify Affected Outbound Messages: Customers must review their Salesforce org to locate all outbound messages that are configured to send a session ID, along with their corresponding endpoints.
1. Admins can view their outbound messages through Setup> Quickfind: Outbound Messages and see which ones include a Session ID.
Update Recipient Endpoints to use OAuth-based authentication (OAuth 2.0) for a valid access token.
1. If the endpoint is internally owned:
  Customers will need to update the endpoint to perform a full authentication to Salesforce using OAuth 2.0 in order to obtain a valid access token.
  - For guidance on implementing secure authentication, refer to:
    - Authorize Apps with OAuth
    - Authenticate External Client Applications
2. If the endpoint is owned by a third-party vendor:
  Contact the vendor directly to ensure they update the integration to use full OAuth-based authentication with Salesforce.

Failure to update your org will result in the session ID no longer being sent, causing the endpoint to fail authentication and disrupting API calls and business processes. Use OAuth-based authentication to avoid service interruptions.

How can I get more information?

If you have any questions or require further assistance, contact your Salesforce account team or open a case with support through Salesforce Help.

Knowledge Article Number

005232763

Did this article solve your issue?

Let us know so we can improve!

Security Updates to the "Outbound Message with Session ID"

General Information

Required Cookies

Functional Cookies

Advertising Cookies

General Information

Required Cookies

Functional Cookies

Advertising Cookies

Cookie List