News•May 5, 2026
Salesforce Connected App to ECA: What the May 11, 2026 Deadline Actually Requires (and What It Doesn’t)
Salesforce has set a hard May 11, 2026 deadline for all ISV-owned Connected Apps and External Client Apps to adopt four OAuth security controls: PKCE, Refresh Token Rotation, a 30-day idle timeout, and a static IP allowlist. Compliance can be achieved with a simple toggle hot-fix or by migrating to an External Client App, and Salesforce even permits a side-car 2GP package to avoid a full 1GP-to-2GP migration. ISVs must update their code to handle PKCE handshakes, persist rotated refresh tokens, and possibly add heartbeat services for idle integrations. Failure to meet the deadline triggers AppExchange de-listing and suspension of interoperation with Salesforce.
By SFDC Lessons / Beyond The Cloud (Salesforce dev collective)
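
The two code changes named in the summary, as an added example that is not from the article or from Salesforce: generating a PKCE S256 verifier and challenge per RFC 7636, and persisting a rotated refresh token before the access token is used. `RefreshTokenStore` and `handle_refresh_response` are hypothetical names, the file-backed store is an assumption standing in for a secrets vault, and the response dictionary uses the standard OAuth 2.0 `access_token` and `refresh_token` fields.

```python
import base64
import hashlib
import json
import os
import secrets
import tempfile

def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    # 32 random bytes encode to a 43-character verifier, inside the 43-128 limit.
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge

class RefreshTokenStore:
    """Hypothetical file-backed store (assumption); use a secrets vault in production."""
    def __init__(self, path):
        self.path = path

    def load(self):
        with open(self.path) as f:
            return json.load(f)["refresh_token"]

    def save(self, token):
        # Write to a temp file (created 0600 by mkstemp) and rename it into place,
        # so a crash mid-write never leaves a truncated or missing token.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump({"refresh_token": token}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)

def handle_refresh_response(store, response):
    """Persist a rotated refresh token, then return the access token."""
    # With rotation, each refresh can return a replacement refresh token;
    # losing it means the integration has to be re-authorized.
    new_rt = response.get("refresh_token")
    if new_rt and new_rt != store.load():
        store.save(new_rt)
    return response["access_token"]
```

The verifier stays on the client until the token request; only the challenge and the method name `S256` go in the authorization request.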