Salesforce API Access Control Security Update – Impact on Provar Connections
Introduction
On August 27th 2025, the Google Threat Intelligence Group reported that a criminal group used stolen OAuth tokens from a third-party sales AI tool to access Salesforce customer instances between August 8th and August 18th. More than 700 organizations may have been affected, with attackers seeking sensitive credentials such as AWS keys and VPN access.
Please refer to this article for more information: https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
In response to these attacks, Salesforce emailed all customers around August 20th to inform them that, during early September, it will roll out a number of changes to improve the security of Connected Apps and API access.
What is Changing from Salesforce
During early September 2025, Salesforce will implement enhanced security controls, including the API Access Control feature. This feature changes how API access is granted to third-party applications, giving the Salesforce administrator more control over which users have API access and to which resources.
Customers will be able to raise a case with Salesforce to add the feature to their org. The feature is disabled by default and can then be enabled to provide the additional security.
Impact on Provar Connections
Provar Automation provides two mechanisms to connect to a Salesforce org and access its APIs:
- OAuth: This is the recommended method. The customer creates a Connected App in the org and creates an OAuth connection in Provar Automation. OAuth is then used to retrieve an Access Token, which can then be used to access API resources. The customer administrator has full control over who can access what resources.
- Username-Password: A username and password connection is created in Provar. These credentials are then used to make a SOAP login() call to retrieve a Session Id, which can then be used to access APIs and resources. Any user with access to the Salesforce org and the API Enabled permission can then access the org’s APIs and resources.
Although the OAuth option is more secure, we provided the Username-Password option to simplify test automation in lower-level environments. These typically use Developer Sandboxes and therefore do not contain customer data by default, unlike higher-level environments that use Full or Partial Copy Sandboxes containing customer data.
If customers enable the API Access Control feature, Username-Password connections will no longer function, because the SOAP login() call will be disabled in the Salesforce org.
Provar Recommendations
If you enable Salesforce’s new API Access Control feature, follow these Provar-recommended steps to keep your testing running smoothly:
1. Switch to OAuth Connections
- Reconfigure all Salesforce connections in Provar to use OAuth (Web flow, JWT) instead of Username-Password.
2. Create a Dedicated Connected App for Provar
- Set up a Connected App in your Salesforce org specifically for Provar.
- Assign the required OAuth scopes (see documentation).
- Grant access only to authorized users, such as an Automation Test User.
- Use this user to create the OAuth connection in Provar to connect to the org. See detailed documentation for configuration: Provar OAuth Connection Setup
3. Plan the Migration Before Enabling API Access Control
- Audit existing Provar connections to identify any Username-Password connections.
- Replace all Username-Password connections with OAuth-based connections.
- Test OAuth-based connections across all environments when API Access Control is enabled.
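The JWT bearer flow named in step 1 exchanges a signed assertion, not a password, for an access token. The Go code below is an added illustration (not Provar's or Salesforce's code) of that assertion: it is signed with the private key whose certificate is registered on the dedicated Connected App from step 2, and checked the way the token endpoint checks it. The consumer key, username and login host are placeholder values and the token endpoint itself is not called.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// BuildAssertion creates the RS256-signed JWT the JWT bearer flow posts to the token
// endpoint: iss = Connected App consumer key, sub = automation user, aud = login host
// (https://login.salesforce.com, or https://test.salesforce.com for a sandbox).
func BuildAssertion(key *rsa.PrivateKey, iss, sub, aud string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{"iss": iss, "sub": sub, "aud": aud, "exp": now.Add(3 * time.Minute).Unix()})
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyAssertion mirrors what the token endpoint checks against the certificate
// uploaded to the Connected App: the RS256 signature over header.payload, then exp.
func VerifyAssertion(pub *rsa.PublicKey, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed assertion")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // bad encoding simply fails verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature check failed")
	}
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1])
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	if exp, _ := claims["exp"].(float64); now.Unix() >= int64(exp) {
		return nil, errors.New("assertion expired")
	}
	return claims, nil
}
```

The short exp limits how long a captured assertion could be replayed, and the private key never leaves the automation host; only the certificate is uploaded to the Connected App.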
Conclusion
By proactively migrating to OAuth-based connections and creating dedicated connected apps, Provar users can ensure uninterrupted automation, maintain compliance with Salesforce’s strengthened security policies, and continue to confidently test across all environments. Planning and executing these updates before enabling API Access Control will minimize disruption and maintain operational continuity.