Appnigma

Integrating Third-Party APIs in a Salesforce AppExchange App: Methods, Limits, and Security Review (2026)

Salesforce

Jun 30, 2026

4 min read

For an AppExchange app, the integration method you pick has to clear two bars: it has to work within Salesforce's callout governor limits, and it has to pass the security review.

Use Named Credentials for authenticated callouts so secrets are never hardcoded, declare every endpoint, and store any partner secrets in protected custom metadata. Below is each method and the limits and review rules that decide it.

Most integration guides are written for one-off org work. A managed package is different: your code runs in someone else's org, so credential handling and endpoint declaration aren't optional — they're what the review checks.

The integration methods, and when each fits

Method | Best use | Auth | Apex needed | Callout limits apply | Review-friendliness
Apex REST/SOAP callout | Custom request/response logic | You implement (use Named Cred) | Yes | Yes | Medium — depends on secret storage
Named + External Credentials | Authenticated callouts, OAuth | Managed by Salesforce | Optional | Yes | High — preferred pattern
External Services | Low-code Flow actions from an OpenAPI schema | Named Credential | No | Yes | High — declarative
External Objects (Salesforce Connect / OData) | Large, read-heavy external datasets | Per data source | No | No (own limits) | High — no data copied
Platform Events | Async, event-driven, decoupled | Pub/Sub API | Optional | N/A | Medium–High

Named Credentials (split into Named Credential + External Credential since Winter '23) let Salesforce manage the OAuth token lifecycle and encrypt secrets, and you reference them in Apex as callout:My_Named_Credential/path. External Services turns an OpenAPI 2.0 or 3.0 schema into invocable actions usable in Flow with no Apex. External Objects (OData 2.0/4.0/4.01) surface external data as __x objects without copying it into the org.

The callout governor limits

These are hard platform limits, verified in the Apex Developer Guide (Salesforce):

Limit | Value
Max callouts per Apex transaction | 100
Default callout timeout | 10 seconds
Configurable timeout range | 1 ms – 120,000 ms
Max cumulative callout timeout per transaction | 120 seconds
Callout after pending DML/async/email | Not allowed
Developer Edition concurrent callouts | 20

The one that bites in production: you can't make a callout after an uncommitted DML in the same transaction. Make callouts first, or move them into a @future(callout=true) method, a Queueable, or a Batch job.
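Putting the Named Credential reference and the callout-ordering rule together, as an added Apex example that is not from the original post: a Queueable with Database.AllowsCallouts runs the callouts after the trigger's DML has committed, stays under the 100-callout limit by chaining, and then does its own DML only once all callouts are done. The Named Credential name, the remote path and the Integration_Log__c object with its fields are assumed.

```apex
// Added example, not code from the original post. Assumed names: Named
// Credential "My_Named_Credential", remote path "/v1/items/{id}", and a
// custom object Integration_Log__c with fields Status__c and Message__c.
public with sharing class ItemSyncQueueable implements Queueable, Database.AllowsCallouts {
    private final List<Id> ids;

    public ItemSyncQueueable(List<Id> ids) {
        this.ids = ids;
    }

    // Call this from an after-insert trigger: DML is already pending there,
    // so a synchronous Http.send() would throw System.CalloutException.
    public static void enqueueFor(List<Id> ids) {
        System.enqueueJob(new ItemSyncQueueable(ids));
    }

    public void execute(QueueableContext ctx) {
        List<Id> remaining = new List<Id>();
        List<Integration_Log__c> logs = new List<Integration_Log__c>();
        for (Id recordId : ids) {
            // Stay under the 100-callouts-per-transaction limit; chain the rest.
            if (Limits.getCallouts() >= Limits.getLimitCallouts()) {
                remaining.add(recordId);
                continue;
            }
            HttpRequest req = new HttpRequest();
            // The Named Credential supplies the host and the auth header, so
            // there is no Remote Site Setting and no secret in code.
            req.setEndpoint('callout:My_Named_Credential/v1/items/' + recordId);
            req.setMethod('GET');
            req.setTimeout(30000); // 30 s per callout; the cumulative cap is 120 s
            HttpResponse res = new Http().send(req);
            Integer status = res.getStatusCode();
            // Log the status only, never request headers or a body that could
            // carry a token.
            logs.add(new Integration_Log__c(
                Status__c = String.valueOf(status),
                Message__c = status == 200 ? 'OK' : 'HTTP ' + status));
        }
        // Every callout in this transaction is finished before this DML,
        // so the "no callout after pending DML" rule is satisfied.
        insert logs;
        if (!remaining.isEmpty()) {
            System.enqueueJob(new ItemSyncQueueable(remaining));
        }
    }
}
```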

What the security review checks for external callouts

This is where managed packages fail, and where generic integration guides go silent. The review specifically looks at:

  • Secret storage. Hardcoded secrets are an automatic fail. Approved storage: Protected Custom Metadata (for partner-owned secrets), Protected Custom Settings (for subscriber-owned secrets), Named/External Credentials, or an encrypted custom object with the key held in protected metadata.

  • Endpoint declaration. Every outbound host must be declared — Remote Site Settings for unauthenticated calls, Named Credentials for authenticated ones. Undeclared callouts are blocked at runtime and flagged.

  • Transport security. HTTPS required; protocol security must stay on.

  • Data handling. CRUD and field-level security enforced on data you read or write, and no secrets or stack traces in logs.

Salesforce runs this with static analysis (Checkmarx, Code Analyzer/PMD), dynamic scanning (OWASP ZAP, Burp), and manual review.
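The secret-storage and data-handling checks above, as an added Apex example that is not from the original post: the partner-owned API key is read from a protected custom metadata type rather than a string literal, the host is declared through a Named Credential, the log line carries only the status code, and field-level security is enforced with Security.stripInaccessible before the insert. The metadata type, Named Credential and Item__c fields are assumed.

```apex
// Added example, not code from the original post. Assumed names: protected
// custom metadata type Partner_Config__mdt with field API_Key__c, Named
// Credential "Partner_API" (host only), and custom object Item__c with
// fields Name and External_Id__c.
public with sharing class PartnerClient {
    public class AccessException extends Exception {}

    // Partner-owned secret: protected custom metadata ships in the package
    // and is not readable by the subscriber, and nothing is hardcoded.
    private static String apiKey() {
        Partner_Config__mdt cfg = [SELECT API_Key__c FROM Partner_Config__mdt
                                   WHERE DeveloperName = 'Default' LIMIT 1];
        return cfg.API_Key__c;
    }

    public static List<Item__c> fetchItems() {
        // Object-level CRUD check before touching any data.
        if (!Schema.sObjectType.Item__c.isCreateable()) {
            throw new AccessException('No create access on Item__c');
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/v1/items'); // declared host
        req.setMethod('GET');
        req.setHeader('X-Api-Key', apiKey());
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Status code only: no headers, no body, no key in the log.
            System.debug(LoggingLevel.WARN, 'Partner API returned ' + res.getStatusCode());
            return new List<Item__c>();
        }
        List<Item__c> items = new List<Item__c>();
        for (Object o : (List<Object>) JSON.deserializeUntyped(res.getBody())) {
            Map<String, Object> m = (Map<String, Object>) o;
            items.add(new Item__c(Name = (String) m.get('name'),
                                  External_Id__c = (String) m.get('id')));
        }
        // Field-level security: drop fields the running user may not create
        // instead of writing them anyway.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, items);
        List<Item__c> allowed = (List<Item__c>) decision.getRecords();
        insert allowed; // callout already done, so DML is safe here
        return allowed;
    }
}
```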

Frequently Asked Questions

How many API callouts can one Apex transaction make?

Up to 100 callouts per transaction.

What is the default and maximum callout timeout in Apex?

The default is 10 seconds. You can set it per callout from 1 ms up to 120,000 ms (120 seconds), and the cumulative timeout per transaction is capped at 120 seconds.

Why can't I make a callout after a DML statement, and how do I fix it?

Salesforce blocks callouts when there's uncommitted DML in the same transaction. Make the callout before any DML, or move it into an async context (@future(callout=true), Queueable, or Batch).

Should I use Remote Site Settings or Named Credentials?

Named Credentials for authenticated endpoints — Salesforce manages the token and encrypts the secret. Remote Site Settings cover unauthenticated hosts. Named Credentials also remove the need for a separate Remote Site Setting for that host.

How must an AppExchange app store API keys to pass the security review?

Never hardcoded. Use Protected Custom Metadata (partner-owned secrets), Protected Custom Settings (subscriber-owned), Named/External Credentials, or an encrypted custom object with the key in protected metadata.

What's the difference between External Services, Apex callouts, and External Objects?

Apex callouts give full programmatic control. External Services generates low-code Flow actions from an OpenAPI schema. External Objects surface large external datasets as records without copying data into Salesforce.

Do Named Credentials remove the need for Remote Site Settings?

Yes — for the host covered by the Named Credential, you don't need a separate Remote Site Setting.

How do I handle OAuth in a managed package without hardcoding secrets?

Use Named Credentials with External Credentials so Salesforce stores and refreshes the token. For partner-owned API keys, use Protected Custom Metadata.

Key Takeaway

In a Salesforce AppExchange (managed package) app, choose the integration method by use case: Apex callouts for custom logic, Named Credentials for authenticated OAuth callouts (the preferred pattern), External Services for low-code Flow actions, External Objects for large read-heavy datasets, and Platform Events for async. Apex allows 100 callouts per transaction, a 10-second default timeout (max 120 seconds), and no callout after pending DML. The security review fails hardcoded secrets — store them in Protected Custom Metadata, Protected Custom Settings, or Named Credentials — and requires every endpoint declared via Remote Site Settings or Named Credentials.
