Salesforce API Access Control Security Update – Impact on Provar Connections
Introduction
On August 27th 2025, the Google Threat Intelligence Group reported that a criminal group used stolen OAuth tokens from a third-party sales AI tool to access Salesforce customer instances between August 8th and August 18th. More than 700 organizations may have been affected, with attackers seeking sensitive credentials such as AWS keys and VPN access.
Please refer to this article for more information: https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
In response to these attacks, around August 20th Salesforce emailed all customers to announce that in early September it would roll out a number of changes to improve the security of Connected Apps and API access.
What is Changing from Salesforce
During early September 2025, Salesforce will implement enhanced security controls, including the API Access Control feature. This feature changes how API access is granted to third-party applications: the Salesforce administrator decides which users may have API access, and to which resources.
Customers will be able to raise a case with Salesforce to have the feature added to their org. It is disabled by default once added; the administrator can then enable it to apply the additional control.
Impact on Provar Connections
Provar Automation provides two mechanisms to connect to a Salesforce org and access its APIs:
- OAuth: This is the recommended method. The customer creates a Connected App in the org and creates an OAuth connection in Provar Automation. OAuth is then used to retrieve an Access Token, which can then be used to access API resources. The customer administrator has full control over who can access what resources.
- Username-Password: A username and password connection is created in Provar. These credentials are then used to make a SOAP login() call to retrieve a Session Id that can then be used to access APIs and resources. Any user with access to the Salesforce org and the API Enabled permission assigned can then access the org’s APIs and resources.
Although the OAuth option is more secure, we provided the Username-Password option to simplify test automation in lower-level environments. These typically use Developer Sandboxes, which do not contain customer data by default, unlike higher-level environments that use Full or Partial Copy Sandboxes containing customer data.
If customers enable the API Access Control feature, the Username-Password connection will no longer function, because the SOAP login() call will be disabled in the Salesforce org.
Provar Recommendations
If you enable Salesforce’s new API Access Control feature, follow these Provar-recommended steps to keep your testing running smoothly:
1. Switch to OAuth Connections
- Reconfigure all Salesforce connections in Provar to use OAuth (Web flow or JWT) instead of Username-Password.
2. Create a Dedicated Connected App for Provar
- Set up a Connected App in your Salesforce org specifically for Provar.
- Assign the required OAuth scopes (see documentation).
- Grant access only to authorized users, such as an Automation Test User.
- Use this user to create the OAuth connection in Provar to connect to the org. See detailed documentation for configuration: Provar OAuth Connection Setup
3. Plan the Migration Before Enabling API Access Control
- Audit existing Provar connections to identify any Username-Password connections.
- Replace all Username-Password connections with OAuth-based connections.
- Test OAuth-based connections across all environments when API Access Control is enabled.
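As an added illustration of the OAuth JWT connection recommended in step 1, the example below builds the JWT bearer assertion and token request that a Connected App exchange consists of; it is written for this page and is not Provar's own code (Provar performs this exchange internally once the OAuth connection is configured). The consumer key, username and login host are placeholders, and the signing key is generated at run time in place of the certificate registered with the Connected App.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"time"
)

// Claims of a Salesforce JWT bearer assertion: iss = Connected App consumer key, sub =
// user the token is for (e.g. an Automation Test User), aud = the login host.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"` // Unix seconds; Salesforce allows at most 3 minutes ahead
}

// NewClaims targets loginURL (https://login.salesforce.com, or https://test.salesforce.com for sandboxes).
func NewClaims(consumerKey, username, loginURL string, now time.Time) Claims {
	return Claims{Iss: consumerKey, Sub: username, Aud: loginURL, Exp: now.Add(2 * time.Minute).Unix()}
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion returns the RS256 JWT (header.payload.signature) signed with the
// private key whose certificate was uploaded to the Connected App.
func BuildAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c) // plain struct of strings and an int64: cannot fail
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// TokenRequestBody is the form body POSTed to <aud>/services/oauth2/token; the
// JSON response carries the access_token that Provar then presents on API calls.
func TokenRequestBody(assertion string) string {
	v := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}}
	v.Set("assertion", assertion)
	return v.Encode()
}
```

Because the assertion is signed with a key the org has pinned to a specific Connected App and pre-authorized user, the administrator can revoke access at the app level, which the shared-credential SOAP login() path never offered.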
Conclusion
By proactively migrating to OAuth-based connections and creating dedicated connected apps, Provar users can ensure uninterrupted automation, maintain compliance with Salesforce’s strengthened security policies, and continue to confidently test across all environments. Planning and executing these updates before enabling API Access Control will minimize disruption and maintain operational continuity.