Important: The update originally planned for the week of February 16 has been rescheduled to the week of February 23, 2026. No action is required on the original date. Any changes already made to prepare for this update can remain in place.
What Is Changing with Outbound Messages?
As part of Salesforce's ongoing commitment to strengthening account security, Salesforce is removing the ability to send session IDs in Outbound Messages.
Previously, outbound messages could be configured to include a session ID, allowing external systems to make API calls back into Salesforce without requiring separate authentication.
After this change:
Required Actions Before the February 23, 2026 Deadline
Action 1: Identify Affected Outbound Messages
Review your Salesforce org to locate all outbound messages configured to send a session ID and their corresponding endpoints.
Admins can find affected outbound messages by going to Setup → Quick Find: Outbound Messages, then reviewing which messages include a Session ID.
Action 2a: Update Internally Owned Endpoints to OAuth 2.0
If the endpoint receiving the outbound message is internally owned, update it to use OAuth 2.0-based authentication to obtain a valid access token from Salesforce:
Action 2b: Contact Third-Party Vendors to Update Their Endpoints
If the endpoint is owned by a third-party vendor, contact the vendor directly to ensure they update their integration to use full OAuth 2.0-based authentication with Salesforce.
Failure to update your org will result in the session ID no longer being sent, causing the endpoint to fail authentication and disrupting API calls and business processes. Use OAuth-based authentication to avoid service interruptions.
How to Get More Information
If you have questions or require further assistance, contact your Salesforce account team or open a case through Salesforce Help.
005232763

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.