Secure Salesforce integrations by digitally signing the payload with a trusted private key when the external system doesn't support HTTP-basic authentication

Imagine Salesforce exchanging data with an external system that just doesn’t bother with HTTP-basic authentication. No user names, no passwords, nothing that looks like a login prompt. In that world, how do you prove the message is really from you and that it hasn’t been tampered with on the way? The short answer: sign the payload with a trusted private key. That approach—digital signatures—fits the bill far better than the other options.

Here’s the thing about digital signatures

When you digitally sign a payload, you use a private key that only you (the trusted sender) possess. The recipient then uses your public key to verify two crucial things: the message is genuinely from you, and it hasn’t changed since you signed it. This is non-repudiation in action—the sender can’t later dispute sending the message because the signature proves it came from the signer who holds the private key.

This works even if the other party doesn’t support HTTP-basic authentication. There are several moving parts, but the idea is simple: the signature ties the data to the creator, and the public key gives everyone a way to check that claim. In practice, we lean on a PKI (public key infrastructure) that handles key generation, distribution, and trust. Think of it like a trusted passport system for data: the private key is the passport stamp you keep private, and the public key is the stamp you share so others can verify you really own that passport.

Why not the other options?

Option B: Include a validated secret passphrase in the payload

A shared secret might feel easy at first, but it’s a risky choice here. If the message is intercepted, the secret could be exposed. Repositories, logs, or network traces can leak secrets. Even if the secret is encrypted in transit, it’s still a credential that, once stolen, could be reused by someone pretending to be you. In machine-to-machine talks, credentials should not travel with the payload in a way that makes them easy to exfiltrate. Digital signatures avoid this creeping risk by not sharing any secret that proves identity on every call.

Option C: Base64 encode the data to prevent visibility

Base64 is not encryption. It merely encodes bytes into a different representation. Anyone who captures the message can decode it in seconds. It gives you no assurance about who sent it or whether the content was altered. If you’re aiming to protect data in transit or verify integrity, base64 is a smoke-and-mirrors trick at best. You’d need real encryption or a signature on top of it to do any meaningful authentication or integrity checking.

Option D: Utilize a 3rd-party SSO solution for session authentication

Single Sign-On is fantastic for human users logging into applications. It introduces smoother access control across apps. But for a direct, machine-to-machine integration where the external system doesn’t support HTTP-basic authentication, SSO often adds friction instead of clarity. SSO centers on user sessions and authentication context, not on signing the exact payload or guaranteeing its integrity for automated service-to-service messages. In short, it’s a workaround for user access, not a robust mechanism for proving data authenticity in transit between two services.

A practical pathway with digital signatures

1. Set up a strong key pair and a trusted certificate

Generate an asymmetric key pair (private and public keys) and have the public key certified by a trusted Certificate Authority (CA). The certificate helps the recipient verify that the public key really belongs to you. It’s a small, invisible trust layer that makes verification straightforward.

2. Sign the payload with your private key

When Salesforce (or any sender) creates a message, it computes a digital signature over the payload. You can sign the entire payload or a digest (a fixed-size summary) of it. The signature travels with the payload, often in a header or alongside the message body.

3. Send the message with the signature (and, ideally, the certificate)

Attach the signature and enough metadata for the recipient to verify it. Some teams include the certificate or a Key Identifier (Key ID) so the recipient knows which public key to fetch or pin. Using a standard format like JSON Web Signature (JWS) or XML Signature can help keep things interoperable.

4. Verify on the receiving side

The external system uses your public key to check the signature. If the data matches the signed digest and the certificate checks out (not expired or revoked), the recipient gains confidence that the payload came from you and wasn’t altered.

5. Manage keys with care

Keys don’t stay pristine forever. Rotate them on a schedule, and have a revocation process in case a private key is compromised. Store private keys in secure vaults or hardware security modules (HSMs) so they’re protected from theft or tampering. In the cloud, managed services like AWS KMS, Google Cloud KMS, or Azure Key Vault can help with rotation and access control.

A few practical notes for Salesforce teams

• How to attach a signature in a Salesforce-to-external-system flow

You can generate a signature within Salesforce using your private key and include it in a standard header (for example, a custom X-Signature header) or inside the payload, depending on what your receiving system expects. If you’re adopting a JSON payload, a JSON Web Signature (JWS) approach is a natural fit, especially since Salesforce can handle JSON fairly smoothly.

• How the external system validates

The recipient should be prepared to parse the signature, fetch or reference your public key (from the certificate), and verify the signature against the payload. They should also check the certificate’s validity window and revocation status. In practice, this means a small amount of PKI plumbing, but it pays off with strong trust.

• Keeping things fast and reliable

Security is essential, but so is reliability. Make signature verification a lightweight step in the receiving workflow. A microservice could do it, or the gateway could handle it before routing the payload to downstream systems. And yes, you can absolutely layer in TLS for transport protection to guard data in transit in addition to the payload’s own signature.

A simple metaphor to anchor the concept

Think of a sealed letter with a wax seal. The seal proves who sent it, and the imprint on the wax shows if someone tampered with the letter. The private key is your private seal, the public key is the stamp the world trusts, and the signature is the wax seal itself on the letter’s message. Even if the letter travels through a busy city of networks, the recipient can verify it’s truly yours and that the contents haven’t been changed.

Balancing act: authenticity, integrity, and security

Digital signatures give you three big wins:

• Authentication: the recipient can confirm the sender’s identity.

• Integrity: the content hasn’t been altered since signing.

• Non-repudiation: the sender can’t easily deny having sent the message.

If you’re building integrations where the external system can’t handle basic credentials, this approach keeps your data authentic without leaking credentials into the wire. It also avoids relying on what could be a brittle or transient shared secret.

A few tangents that sometimes matter (and why they don’t derail the main point)

• You might wonder about encryption for confidentiality. Digital signing and encryption aren’t mutually exclusive. In practice, you can sign the payload and also encrypt it, but many integrations lean on TLS for transport protection and sign-only the payload for integrity and authenticity. It’s a layered approach, not a single trick.

• Some teams worry about key management. Yes, keeping private keys secure is vital. The good news: modern vaults and key management services make this practical, with access controls, auditing, and rotation baked in.

• Others consider SSO for automation. It’s a brilliant tool for human access control, not a universal fix for service-to-service authentication. It’s perfectly fine to use SSO in human-in-the-loop parts of your workflow, but for machine-to-machine messages, a signature-based approach delivers clearer guarantees.

Wrapping it up

When Salesforce needs to talk to an external system that doesn’t support HTTP-basic authentication, the most robust route is to digitally sign the payload with a trusted private key. It’s a thoughtful, standards-aligned way to prove who sent the data and that it arrived untouched. The public key, certified by a trusted authority, gives partners a clear way to verify signatures. This method protects sensitive information, reduces exposure from leaked credentials, and establishes a dependable baseline for data integrity in a world where not all systems speak the same security language.

If you’re exploring these patterns, you’ll find the ecosystem is friendly to standards like JWS or XML Signature, and you’ll hear plenty of real-world tales about PKI, certificates, and key rotation. The core idea remains simple: sign the message so the recipient can trust it without needing to juggle user credentials. In a landscape full of moving parts, that clarity is a quiet, powerful ally.