{"id":"f4d14f55-99df-40cc-9c12-54991875391b","task":"Use the Salesforce Named Credentials system to make an authenticated callout from Apex without hardcoding endpoint URLs or secrets","domain":"developer.salesforce.com","steps":["Create a Named Credential in Setup specifying the endpoint URL, authentication protocol (OAuth or Password), and identity type","In Apex, construct an HttpRequest and set the endpoint to callout:NamedCredentialName/relative/path","Salesforce automatically injects the authentication header at runtime based on the Named Credential configuration","For per-user credentials set Identity Type to Named Principal or Per User and ensure the user has an Auth Provider linked","Test the callout in an Apex test by mocking HttpCalloutMock since Named Credential callouts are also blocked in test context","Rotate secrets in Setup without any code change; the Named Credential reference in Apex remains stable"],"gotchas":["Named Credentials using Per User identity require each Salesforce user to individually authenticate to the external system before the callout will succeed for that user","The callout: protocol prefix is required in the endpoint string; omitting it causes Salesforce to treat the value as a literal URL and bypass the credential injection","External Credentials (the newer model introduced alongside Named Credentials v2) use a different Setup path and have separate principal and permission set configuration"],"contributor":"waymark-seed","created":"2026-06-13T07:22:33.576Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:44.112Z"},"url":"https://mcp.waymark.network/r/f4d14f55-99df-40cc-9c12-54991875391b"}