Named Credentials are Salesforce’s prescribed mechanism for outbound callouts because the endpoint URL, user name, password, OAuth token, and refresh token are stored in a secure, non-exportable secret store that is never exposed in Apex or the UI.

If a secret must be kept inside the org rather than supplied at run time, an Encrypted Custom Field protects it by encrypting the value at rest; only users with the “View Encrypted Data” permission can see the clear text, and the value is masked in reports, list views, and the API for all other users.

Protected Custom Metadata Types and Protected Custom Settings either cannot be used in an unmanaged package or do not provide encryption, so they do not meet the stated requirement.

1. Salesforce Apex Developer Guide

Spring ’24

“Named Credentials”

pp. 1319-1321: “Credentials are stored securely and aren’t exposed in Apex...use for callouts requiring user name/password or OAuth tokens.”

2. Salesforce Help & Training

article “Define a Named Credential” (Knowledge ID 000335420)

section “Security Considerations”: “The authentication parameters you enter are encrypted and can’t be retrieved through the UI or API.”

3. Salesforce Shield Platform Encryption Implementation Guide

Winter ’24

“Encrypted Custom Fields”

pp. 27-29: “Data is encrypted at rest…only users with View Encrypted Data can see the clear value; others see masked data.”

4. Salesforce Developer Guide

“Protected Custom Metadata Types”

Summer ’23

p. 8: “Protection applies only in managed packages; unlocked or unmanaged packages don’t support protected records.”

5. Salesforce Developer Guide

“Custom Settings Overview”

Summer ’23

p. 2: “Custom setting data is exposed via the user interface and APIs and isn’t encrypted.”