Create a Named Credential in Setup specifying the endpoint URL, authentication protocol (OAuth or Password), and identity type
In Apex, construct an HttpRequest and set the endpoint to callout:NamedCredentialName/relative/path
Salesforce automatically injects the authentication header at runtime based on the Named Credential configuration
For per-user credentials set Identity Type to Named Principal or Per User and ensure the user has an Auth Provider linked
Test the callout in an Apex test by mocking HttpCalloutMock since Named Credential callouts are also blocked in test context
Rotate secrets in Setup without any code change; the Named Credential reference in Apex remains stable
Known gotchas
Named Credentials using Per User identity require each Salesforce user to individually authenticate to the external system before the callout will succeed for that user
The callout: protocol prefix is required in the endpoint string; omitting it causes Salesforce to treat the value as a literal URL and bypass the credential injection
External Credentials (the newer model introduced alongside Named Credentials v2) use a different Setup path and have separate principal and permission set configuration
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp