Salesforce Connected App to ECA: What the May 11, 2026 Deadline Actually Requires (and What It Doesn’t)


SFDC Lessons / Beyond The Cloud (Salesforce dev collective), May 5, 2026

Key Takeaways

  • Enable PKCE and RTR on every ISV-owned Connected App.
  • Implement token‑rotation storage with single‑writer transactional logic.
  • Static egress IPs required for refresh‑token flows.
  • Side‑car 2GP package meets deadline without full 1GP migration.
  • Mobile apps face 30‑day idle timeout; need user re‑auth strategy.

Pulse Analysis

Salesforce’s May 11, 2026 mandate reflects a broader industry shift toward tighter OAuth safeguards, as platform providers shrink the attack surface of third‑party integrations. By requiring PKCE, Refresh Token Rotation (RTR), a 30‑day idle timeout, and static IP allowlists, Salesforce aims to prevent authorization‑code interception, replay of leaked refresh tokens, and token redemption from unexpected network locations. For ISVs, these controls are not optional settings but enforced policies that intersect directly with product architecture, token storage design, and network topology. The deadline compresses what would normally be a multi‑quarter migration into a single development sprint, raising the stakes for engineering teams that must inventory every Connected App and External Client App across all partner orgs.

Technically, PKCE applies only to the authorization‑code flow, where it binds the code exchange to the client that started the flow, while Refresh Token Rotation applies solely to flows that issue refresh tokens. JWT Bearer integrations, common in server‑to‑server scenarios, are unaffected by RTR because that flow never issues a refresh token. Any flow that does issue one must now treat each refresh as a one‑shot exchange: the presented refresh token is consumed, a new one comes back, and the new pair must be stored atomically with a guard against concurrent writers. Two workers that refresh with the same cached token will find that only the first succeeds, a requirement that often uncovers hidden race conditions in legacy token caches. The 30‑day idle timeout forces ISVs to implement heartbeat or scheduled refresh mechanisms for integrations that may sit dormant, since a refresh token that goes unused for 30 days stops working and the customer must re‑authorize. The static egress IP requirement adds a networking layer of complexity, demanding precise coordination with Salesforce support to register and transition IP ranges without disrupting active customers.
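The race that RTR exposes, and the single‑writer store that closes it, as an added example. This is illustrative Python written for this page, not Salesforce code and not Beyond The Cloud's code: MockAuthServer is a constructed stand‑in for a token endpoint with rotation enabled, the token values are random, and the 5‑day keepalive margin is this example's assumption rather than a Salesforce parameter.

```python
import secrets
import threading
import time


class MockAuthServer:
    """Constructed stand-in for a token endpoint with RTR enabled (not Salesforce).

    Each successful refresh consumes the presented refresh token and returns a
    new access/refresh pair; a consumed token is rejected with invalid_grant.
    """

    def __init__(self):
        self._lock = threading.Lock()
        self._live_refresh_tokens = set()
        self.refreshes_served = 0

    def issue_initial_pair(self):
        # Simulates the pair handed back at the end of an auth-code + PKCE flow.
        pair = {"access_token": secrets.token_hex(8), "refresh_token": secrets.token_hex(8)}
        self._live_refresh_tokens.add(pair["refresh_token"])
        return pair

    def refresh(self, refresh_token):
        with self._lock:
            if refresh_token not in self._live_refresh_tokens:
                raise PermissionError("invalid_grant: refresh token already rotated or revoked")
            self._live_refresh_tokens.discard(refresh_token)  # one-shot under RTR
            pair = {"access_token": secrets.token_hex(8), "refresh_token": secrets.token_hex(8)}
            self._live_refresh_tokens.add(pair["refresh_token"])
            self.refreshes_served += 1
            return pair


class RotatingTokenStore:
    """Single-writer token cache for one connected org.

    Only one refresh is in flight at a time; a caller that lost the race reuses
    the pair the winner stored instead of presenting the consumed token.
    Idle bookkeeping assumes the 30-day limit; the 5-day margin is an assumption.
    """

    IDLE_LIMIT_S = 30 * 24 * 3600
    KEEPALIVE_MARGIN_S = 5 * 24 * 3600

    def __init__(self, server, initial_pair, now=None):
        self._server = server
        self._pair = dict(initial_pair)
        self._lock = threading.Lock()
        self.last_use = now if now is not None else time.time()

    def access_token(self):
        with self._lock:
            return self._pair["access_token"]

    def refresh_after_rejection(self, rejected_access_token, now=None):
        """Call after an API request came back 401 with the given access token.

        Under the lock, check whether the cache already moved on: if the stored
        access token differs from the rejected one, another writer has rotated
        and this caller simply takes the new token. Otherwise do the single
        refresh and swap the whole pair atomically.
        """
        with self._lock:
            if self._pair["access_token"] != rejected_access_token:
                return self._pair["access_token"]
            new_pair = self._server.refresh(self._pair["refresh_token"])
            self._pair = new_pair
            self.last_use = now if now is not None else time.time()
            return new_pair["access_token"]

    def keepalive_due(self, now):
        # True when a scheduled refresh should fire to stop the token idling out.
        return (now - self.last_use) >= self.IDLE_LIMIT_S - self.KEEPALIVE_MARGIN_S


def _run_workers(n, target):
    threads = [threading.Thread(target=target) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def legacy_cache_race(workers=5):
    """Legacy pattern: each worker refreshes with its own copy of the refresh token."""
    server = MockAuthServer()
    cached = server.issue_initial_pair()
    failures = []

    def worker():
        try:
            server.refresh(cached["refresh_token"])
        except PermissionError as exc:
            failures.append(str(exc))

    _run_workers(workers, worker)
    return {"succeeded": server.refreshes_served, "failed": len(failures)}


def single_writer_race(workers=5):
    """Same burst of 401s against the single-writer store: one refresh, one new token."""
    server = MockAuthServer()
    store = RotatingTokenStore(server, server.issue_initial_pair())
    stale = store.access_token()
    results = []

    def worker():
        results.append(store.refresh_after_rejection(stale))

    _run_workers(workers, worker)
    return {"refreshes": server.refreshes_served, "distinct_tokens": len(set(results)),
            "workers": len(results)}


if __name__ == "__main__":
    print("legacy cache:", legacy_cache_race())    # {'succeeded': 1, 'failed': 4}
    print("single writer:", single_writer_race())  # {'refreshes': 1, 'distinct_tokens': 1, 'workers': 5}
```

The compare‑before‑refresh check inside the lock is the part legacy caches usually lack: without it, every worker that saw the 401 presents the same refresh token, the first wins, and the rest are rejected with invalid_grant and often overwrite the good pair with an error state. In a real deployment the lock becomes a database transaction or advisory lock keyed on the org ID, and `keepalive_due` drives the scheduled refresh for dormant integrations.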

ISVs have three practical paths: a lightweight hot‑fix that toggles PKCE and RTR on existing Connected Apps, a full External Client App migration that introduces a new consumer key and therefore a re‑authentication workflow for every customer, or a side‑car 2GP package that isolates the ECA metadata while preserving the original 1GP core. The side‑car approach decouples compliance from a full platform migration, allowing teams to meet the deadline without overhauling their packaging strategy. Whichever path is chosen, companies should first inventory all OAuth flows (which grant types are in use, which issue refresh tokens, and where those tokens are stored), then implement token‑rotation logic and establish static egress, before committing to a larger migration. Partnering with specialists such as Beyond The Cloud can accelerate discovery, code changes, and security‑review submissions, so the deadline is met without sacrificing roadmap velocity.

