Moving 2 million records daily is a large-volume, batch-oriented requirement. Salesforce callouts or outbound messages cannot sustain that throughput because of governor and concurrency limits. Salesforce’s own integration-patterns guide recommends using an off-platform ETL or middleware to bulk-extract data from Salesforce, stage it, and then load it behind the firewall. Staging removes the traffic from the platform, allows tuning and retry logic, and avoids real-time limits, satisfying the “one-way, not real-time” constraint.

1. Salesforce Architects. “Integration Patterns and Practices”

Summer ’23

§4.2 “Batch Data Synchronization”

pp. 40-44: recommends ETL/middleware for “hundreds of thousands to millions of records” when near-real-time is not needed.

2. Salesforce Developers. “Bulk API 2.0 Developer Guide”

v57.0

Introduction: Bulk API “is optimized for loading or deleting large data sets into Salesforce

” not for export.

3. Salesforce Developers. “Apex Developer Guide”

Winter ’24

Limits > Callout Limits: “An org can have up to 10 concurrent long-running callouts (longer than 5 seconds).”

The requirement is for an external system with a CometD client to receive immediate notifications of record changes from Salesforce. The Salesforce Streaming API is designed for this exact purpose, using the Bayeux protocol and a CometD implementation to push events to subscribers in near real-time. A PushTopic is a specific type of streaming event that monitors record changes (create, update, delete) based on a defined SOQL query. Creating a PushTopic on the Opportunity object allows the affiliate's CometD client to subscribe to a specific channel and receive immediate notifications whenever an Opportunity record is updated, directly meeting the requirements.

1. Salesforce Streaming API Developer Guide

"PushTopic Events": "Use PushTopic events to send notifications for record changes (creations

updates

deletions

and undeletes) that match a SOQL query that you define. A PushTopic is a sObject that contains the criteria of the events you want to listen to

such as a SOQL query and the record operations to notify on."

2. Salesforce Streaming API Developer Guide

"Subscribing to Channels": "Streaming API uses the Bayeux protocol. Clients subscribe to channels and receive event notifications from the server through a long-held connection... Salesforce offers a Java client library and a JavaScript client library (CometD) that implement the Bayeux protocol and handle the connection for you."

3. Salesforce Integration Patterns and Practices

"Event-Based Integration Styles": This document contrasts polling with event-based patterns

highlighting that event-based approaches like the Streaming API are superior for near real-time notifications. The "Fire-and-Forget" pattern

implemented via PushTopics

is described as a mechanism where the source system (Salesforce) publishes an event and doesn't wait for a response

which is ideal for this scenario.

4. Salesforce SOAP API Developer Guide

"getUpdated()": The documentation describes getUpdated() as a method to retrieve the list of records that have been updated during a specified time period. This confirms it is a polling mechanism

not a real-time push notification service.

The core issue is a concurrency conflict, where multiple processes attempt to update the same record simultaneously, causing errors. Recommendation A directly addresses this by introducing a coordinating middleware layer. This layer can manage the delivery of requests using patterns like message queuing with exclusive consumers, ensuring only one process handles a specific payment request at a time, thus eliminating update conflicts.

To improve the SLA, the system must be resilient. Recommendation C introduces idempotency, a critical principle for reliable systems. By ensuring the Payment System processes a unique request only once, it allows for safe retries (a common technique to handle transient errors) without the risk of duplicate payments. This combination of coordination and idempotency creates a robust and reliable system.

1. Hohpe

G.

& Woolf

B. (2003). Enterprise Integration Patterns: Designing

Building

and Deploying Messaging Solutions. Addison-Wesley.

For A (Coordination): The "Message Broker" pattern describes a central component that decouples destinations from each other

enabling coordination and routing of messages to appropriate consumers. (Chapter 5: Messaging Routing

pp. 136-141).

For C (Idempotency): The "Idempotent Receiver" pattern is explicitly designed to handle duplicate messages safely

which is essential for systems that use retries to achieve reliability. The pattern states the receiver must be able to "safely receive the same message multiple times." (Chapter 10: Messaging Endpoints

pp. 433-436).

2. Kleppmann

M. (2017). Designing Data-Intensive Applications: The Big Ideas Behind Reliable

Scalable

and Maintainable Systems. O'Reilly Media.

For A (Coordination): Chapter 9

"Consistency and Consensus

" discusses the necessity of coordination mechanisms (e.g.

locking

transactions) to prevent data corruption from concurrent writes

which is the exact problem described.

For C (Idempotency): Chapter 11

"Stream Processing

" in the section on "Fault Tolerance

" explains that idempotency is a fundamental requirement for achieving exactly-once processing semantics

which is necessary for reliable systems like payment processors to meet their SLAs.

The scenario describes a synchronous, real-time interaction where a support agent requires an immediate response to complete a task ("on the spot"). The most appropriate error handling mechanism is for the client system making the API call to handle connection issues or error responses directly from the web service. This "Request and Reply" pattern ensures that if the external verification service is down or returns an error, the failure is caught immediately and a precise error message can be displayed to the agent. This allows the agent to inform the customer and take appropriate action without undue delay.

1. Salesforce Architects

Integration Patterns and Practices Guide. This guide details the Remote Process Invocation—Request and Reply pattern. It states

"The calling process blocks and waits for the response from the remote process." The guide's section on error handling for this pattern emphasizes that the calling application is responsible for handling faults and exceptions returned by the remote service

which directly supports option B. (This is a foundational Salesforce architect document).

2. Salesforce Architects

Architect's Guide to Asynchronous Processing (Trailhead Module). This guide differentiates synchronous and asynchronous processing. The "on the spot" requirement clearly aligns with a synchronous transaction where the user waits for a response

making asynchronous patterns like "fire and forget" (Option D) inappropriate for the primary interaction.

3. Hohpe

G.

& Woolf

B. (2003). Enterprise Integration Patterns: Designing

Building

and Deploying Messaging Solutions. Addison-Wesley. In Chapter 6

this foundational text discusses the "Request-Reply" pattern

noting that the requester blocks until it receives the reply message. It also covers exception handling

where faults from the replier must be managed by the requester

aligning perfectly with the logic in option B.

The User Interface (UI) API is specifically designed for building native mobile applications and custom web applications that require the look and feel of the Salesforce Lightning Experience. It is the only API that provides both data and the necessary metadata (such as layouts, themes, and field-level details) in a single, streamlined response. This allows the custom UI to automatically adapt to administrative changes made within the Salesforce org, ensuring a consistent user experience without requiring code changes in the mobile app.

1. Salesforce Developer Documentation

User Interface API Developer Guide

"Get Started with User Interface API": "User Interface API is the API for building Salesforce UI. To build a Salesforce-like UI

you need more than data—you need metadata... UI API gives you data and metadata in a single response. It’s the key to building a native mobile app or a custom web app that feels like the Salesforce you know and love."

2. Salesforce Developer Documentation

"Which API Should I Use?": This guide explicitly recommends the UI API for the use case: "Build a native mobile app or a custom web app that has the Salesforce look and feel." It contrasts this with the REST API

which is recommended for general data integration.

3. Salesforce Developer Documentation

REST API Developer Guide

"Introduction": The guide defines the REST API's purpose as providing "a powerful

convenient

and simple REST-based web services interface for interacting with Salesforce." This interaction is focused on data records

not UI metadata.

4. Salesforce Developer Documentation

Streaming API Developer Guide

"Streaming API": This document states

"Use Streaming API to receive notifications for changes to Salesforce data that match a SOQL query you define." This confirms its purpose is event-based

not UI construction.

The core requirement is to update a field that the user cannot edit due to Field Level Security (FLS). Standard API calls, such as the standard REST API (Option C) or SOAP API (Option A), execute in the context of the authenticated user and respect all their permissions, including FLS. Therefore, any attempt to update the read-only geolocation field using these standard APIs would fail.

The correct solution is to create a custom Apex REST service (Option D). By default, Apex code runs in system mode, which bypasses object and field-level security. This allows the Apex method to update the field programmatically, even though the user does not have the direct permission to do so, thus satisfying the requirement.

1. Salesforce Developer Documentation

Apex Developer Guide

"Enforcing Object and Field Permissions": "By default

Apex code runs in system context... Apex code has access to all objects and fields—object permissions

field-level security

sharing rules aren’t applied for the current user." This directly supports why an Apex-based solution (Option D) is necessary to bypass the FLS restriction.

2. Salesforce Developer Documentation

Apex Developer Guide

"Exposing Apex Classes as REST Web Services": This document describes the mechanism for creating custom REST endpoints using Apex (@RestResource annotation)

which is the technical implementation for Option D.

3. Salesforce REST API Developer Guide

"Introduction > Security Considerations": "Access to resources is controlled by the user’s profile and permission sets." This confirms that standard REST API calls (Option C) are bound by user permissions

making them unsuitable for this scenario.

The question requires identifying the specific REST API composite resource designed for bulk updates that accommodates up to 200 records in a single API call. The SObject Collections resource is explicitly designed for this purpose. It allows for the creation, update, or deletion of up to 200 records of the same SObject type in one request, which directly addresses the need to reduce API calls through bulk operations. While the scenario mentions multiple object types (Account, Contact), the SObject Collections resource would be used for each object type (e.g., one call for Accounts, one for Contacts), still drastically reducing the total number of API calls compared to individual updates. The "200 records" limit is a defining characteristic of this specific resource.

1. Salesforce REST API Developer Guide

"Composite Resources": This section introduces the family of composite resources. It lists SObject Collections as a specific resource type for bulk operations on records.

Reference: Salesforce REST API Developer Guide

Chapter: "Composite Resources".

2. Salesforce REST API Developer Guide

"SObject Collections": This documentation explicitly states the capability of the SObject Collections resource.

Reference: Salesforce REST API Developer Guide

Section: "SObject Collections". It states

"Update up to 200 records in a single request... All records must be of the same sObject type."

3. Salesforce REST API Developer Guide

"SObject Tree": This documentation clarifies the purpose of the SObject Tree resource.

Reference: Salesforce REST API Developer Guide

Section: "SObject Tree". It states

"Creates one or more sObject trees with root records of the specified type." This confirms it is for creation

not updates.

4. Salesforce REST API Developer Guide

"Composite": This documentation describes the general Composite resource.

Reference: Salesforce REST API Developer Guide

Section: "Composite". It specifies the limit: "You can have up to 25 subrequests in a single call." This highlights its role as an orchestrator

distinct from the record-specific limit of SObject Collections.

This scenario requires a real-time, scalable, and decoupled integration to send business event data to an external analytics system. Platform Events are the ideal Salesforce feature for this, creating a durable event stream that external subscribers can consume in real-time.

Option C correctly addresses the events initiated by a customer creating a Case (e.g., for an exchange or cancellation). An Apex trigger on the Case object is the standard mechanism to react to record creation and can publish a Platform Event to the event bus.

Option D correctly addresses the events initiated by a service representative clicking a specific UI element. The most direct way to capture this user interaction is via the custom Apex controller backing the UI element (e.g., a Lightning Web Component), which can then publish the corresponding Platform Event.

1. Platform Events Developer Guide: "Use platform events to connect business processes in Salesforce and external apps through the exchange of real-time event data...Publish event messages from Salesforce apps using declarative tools or programmatically with Apex or APIs. Subscribe to platform events in Salesforce using Apex triggers or in an external app..." This supports using Platform Events for real-time integration with external systems.

2. Apex Developer Guide

"Triggers" section: "Triggers enable you to perform custom actions before or after events to records in Salesforce

such as insertions

updates

or deletions." This confirms a trigger is the correct tool to react to the creation of a Case (Option C).

3. Apex Developer Guide

"Publish Platform Events" section: "To publish event messages

you call the EventBus.publish method... You can call this method in Apex code that you expose as a custom action in a Lightning component

for example." This directly supports using an Apex controller to publish an event from a UI action (Option D).

4. Salesforce Well-Architected - Event-Driven Architectures: This framework advocates for event-driven patterns for asynchronous processing and system integration. It states

"Decoupling systems using events allows them to evolve independently... This pattern is ideal for broadcasting state changes to many interested systems." This validates the architectural choice of Platform Events over point-to-point callouts or outbound messages.

Named Credentials are Salesforce’s prescribed mechanism for outbound callouts because the endpoint URL, user name, password, OAuth token, and refresh token are stored in a secure, non-exportable secret store that is never exposed in Apex or the UI.

If a secret must be kept inside the org rather than supplied at run time, an Encrypted Custom Field protects it by encrypting the value at rest; only users with the “View Encrypted Data” permission can see the clear text, and the value is masked in reports, list views, and the API for all other users.

Protected Custom Metadata Types and Protected Custom Settings either cannot be used in an unmanaged package or do not provide encryption, so they do not meet the stated requirement.

1. Salesforce Apex Developer Guide

Spring ’24

“Named Credentials”

pp. 1319-1321: “Credentials are stored securely and aren’t exposed in Apex...use for callouts requiring user name/password or OAuth tokens.”

2. Salesforce Help & Training

article “Define a Named Credential” (Knowledge ID 000335420)

section “Security Considerations”: “The authentication parameters you enter are encrypted and can’t be retrieved through the UI or API.”

3. Salesforce Shield Platform Encryption Implementation Guide

Winter ’24

“Encrypted Custom Fields”

pp. 27-29: “Data is encrypted at rest…only users with View Encrypted Data can see the clear value; others see masked data.”

4. Salesforce Developer Guide

“Protected Custom Metadata Types”

Summer ’23

p. 8: “Protection applies only in managed packages; unlocked or unmanaged packages don’t support protected records.”

5. Salesforce Developer Guide

“Custom Settings Overview”

Summer ’23

p. 2: “Custom setting data is exposed via the user interface and APIs and isn’t encrypted.”

The requirement is for a near real-time feed of student registrations from Salesforce to an external learning system, using Salesforce events. The Streaming API is specifically designed for this purpose. It enables external clients to subscribe to a channel on the Salesforce event bus and receive notifications, such as Platform Events, in near real-time. When a student registration event is published in Salesforce, the Streaming API pushes the event data to the subscribed learning system, fulfilling the requirement efficiently without the need for continuous polling.

1. Salesforce Platform Events Developer Guide

"Subscribe to Platform Events": "External apps subscribe to events using CometD... An external app can subscribe to platform events in Salesforce using the Streaming API. The subscription process is the same as for other Streaming API events

such as PushTopic events or generic streaming events."

2. Salesforce Streaming API Developer Guide

"Streaming API Overview": "Use Streaming API to receive near-real-time streams of data from the Salesforce platform... Streaming API is useful when you want notifications to be pushed from the server to the client based on criteria that you define." The guide explicitly lists Platform Events as a supported event type for subscription.

3. Salesforce Architect Documentation

"Integration Patterns and Practices"

Page 13

"Remote Process Invocation—Request and Reply" vs. "Fire and Forget": This document contrasts request-reply patterns (typical of REST/SOAP) with event-based

fire-and-forget patterns. The scenario requires an event-based pattern

for which the Streaming API is the primary tool for external subscribers. The document states

"Platform events can be consumed by an external system via Streaming API (CometD)."