---
audience: admin
category: support
contentType: guide
description: Salesforce OAuth security updates including PKCE and
  Refresh Token Rotation. Understand timing, impact, and preparation
  steps.
displayName: Salesforce OAuth Security Preparation
section: support
seoDescription: Salesforce OAuth changes including PKCE and refresh
  token rotation. Learn timing, partner impact, and preparation steps.
seoTitle: Prepare for Salesforce OAuth Security Enhancements (May 2026)
tags: salesforce,oauth,pkce,refresh token rotation,security
template: page.peb
title: Prepare for Salesforce OAuth Security Enhancements
chatWelcomeMessage: "Can I answer any questions about the connection refresh on Fri May 1st?"
---

# Prepare for Salesforce OAuth Security Enhancements

Salesforce is rolling out [required OAuth security enhancements](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/secure_code_ac_eca.htm) 
for connected applications across the ecosystem. iDialogue is preparing our connected app configuration to align with those platform requirements.

These updates improve the security of your integration and ensure continued compatibility with Salesforce.

This is part of a broader Salesforce security program affecting connected app partners and AppExchange providers across the ecosystem.

## FAQ

### What is happening?

Salesforce is requiring all AppExchange partners, including iDialogue, to enable enhanced security measures to further protect customer connections and align with updated platform security requirements.

### When should I take action?

Plan to take action starting Friday, May 1, 2026, after the iDialogue security update is enabled at 12:00 PM PT. We recommend completing the reconnect during the 72-hour window that follows.

### What is the recommended deadline?

The recommended window is Friday, May 1 through Sunday, May 3, 2026. Completing the reconnect in that window is intended to avoid disruption at the start of business on Monday, May 4, 2026.

### How long will this take?

Once you are logged into Salesforce, the reconnect process should take less than 2 minutes to complete.

### What do I need to do?

Open the "iDialogue Admin" app in Salesforce, go to the **Quick Start** tab, and click **Connect to iDialogue**. This establishes a new connection using the updated security policy.

### Why is this needed if my connection still appears active?

Existing connections may transition on different schedules based on token refresh timing. Completing the reconnect during the recommended window helps avoid an unexpected interruption once Salesforce applies the updated policy to your connection.

### Do I need to upgrade the package?

No package upgrade is required for this change.

------------------------------------------------------------------------

## Timeline of Changes

### Friday April 24, 2026: Refresh Token Rotation (RTR) and Related Controls

-   Enabled at **12:00 PM PT**
-   No action required
-   Existing integrations should continue to function normally
-   Static IP enforcement of the originating connection will also be enabled
-   A 30-day timeout for unused refresh tokens will also be enabled
-   We will be on-call throughout the weekend to monitor

This rollout enables RTR, static IP enforcement of the originating connection, and a 30-day timeout for unused refresh tokens.

Because iDialogue implements a daily heartbeat service to maintain active connections, we do not anticipate customer connections timing out.

------------------------------------------------------------------------

### Friday May 1, 2026: Planned PKCE Enablement

-   Planned enablement at **12:00 PM PT**
-   This change is part of Salesforce's broader connected app security program affecting partners across the ecosystem
-   iDialogue is enabling this update ahead of Salesforce's broader **Monday May 11, 2026** deadline
-   Existing connections are expected to transition over time
-   All customers should complete a one-time reconnect through the iDialogue "Quick Start" tab

After iDialogue enables PKCE on Friday May 1, 2026, connections established prior to this change will require a one-time reconnect.

When a given connection reaches that point varies, because it depends on when its next token refresh happens (between 1 and 1400 hours after the last refresh).

![Quick Start screen](/assets/img/product/quick_start_connect.png)

- *1) Open the "iDialogue Admin" app and go to the "Quick Start" tab.*
- *2) Click "Connect to iDialogue" and follow the instructions to enable an authorized Salesforce user to re-establish the iDialogue connection.*

------------------------------------------------------------------------

## Connection Transition Timing

Each Salesforce connection refreshes on its own schedule.

After PKCE is enabled:

-   Existing connections do not all transition at once
-   The next refresh may occur anywhere between **1 hour and \~1400
    hours (≈60 days)**
-   At that point, Salesforce may require the connection to be re-established under the updated security policy
-   If that happens, a one-time reconnect restores the connection

This means transition timing is **not immediate or uniform across all orgs**.

------------------------------------------------------------------------

## Recommended Action

To make the transition smoother, we recommend reviewing this guidance and planning a proactive reconnect after the Friday May 1 enablement, subject to any updated guidance from Salesforce.

### Starting Friday May 1 at 1:00 PM PT:

1.  Open the iDialogue app in Salesforce
2.  Navigate to the **Quick Start** tab
3.  Click **"Connect to iDialogue"**

This will establish a new connection using the updated security policies.
If Salesforce publishes revised transition guidance, we may adjust this recommended timing or action.

------------------------------------------------------------------------

## Expected Impact

-   No immediate service interruption is expected at the time of cutover
-   Existing connections may continue until their next scheduled token refresh
-   Some orgs may need a one-time reconnect after the May 1 enablement
-   Similar preparation work is underway across Salesforce partners because these platform requirements apply broadly across the ecosystem

------------------------------------------------------------------------

## Package Upgrade (Optional)

No package upgrade is required for this change.

We are also using this security update to accelerate our 1GP to 2GP
package migration, along with a new External Client App (ECA) for more
granular configuration and control. That broader launch is planned for
Q3 2026.

However, this is a good opportunity to upgrade to the latest version of
the iDialogue package to ensure:

-   Latest features
-   Updated security handling
-   Ongoing compatibility with Salesforce changes

------------------------------------------------------------------------

## Why This Is Happening

Salesforce is enforcing new OAuth security controls:

-   **PKCE (Proof Key for Code Exchange)** prevents authorization code
    interception
-   **Refresh Token Rotation** reduces token replay risk

These controls are required for AppExchange compliance.

All Salesforce partners with connected applications are implementing the same family of policy updates.
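
How the two controls listed above behave, as an added example that is not iDialogue's or Salesforce's code: a toy in-memory authorization server (`ToyAuthServer` and every other name here is hypothetical) that applies the S256 PKCE check defined in RFC 7636 and issues a new refresh token on every use. It shows why an intercepted authorization code or a replayed old refresh token is rejected.

```python
import base64, hashlib, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), per RFC 7636."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthServer:
    """Hypothetical model for illustration; not a real server's API."""
    def __init__(self):
        self.codes = {}       # authorization code -> code_challenge from step 1
        self.refresh = set()  # refresh tokens that are currently valid

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = code_challenge
        return code

    def redeem_code(self, code: str, code_verifier: str):
        challenge = self.codes.pop(code, None)  # codes are single use
        if challenge is None or not secrets.compare_digest(
                s256(code_verifier), challenge):
            return None  # PKCE: the code alone is not enough
        return self._issue()

    def refresh_grant(self, token: str):
        if token not in self.refresh:
            return None  # unknown or already rotated token
        self.refresh.discard(token)  # rotation: old token dies on use
        return self._issue()

    def _issue(self) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh.add(token)
        return token

def demo() -> dict:
    server = ToyAuthServer()
    verifier = b64url(secrets.token_bytes(32))  # stays on the client
    # Flow A: the code is presented without the matching verifier.
    code_a = server.authorize(s256(verifier))
    intercepted = server.redeem_code(code_a, "not-the-real-verifier")
    # Flow B: the client that started the flow redeems its own code.
    first = server.redeem_code(server.authorize(s256(verifier)), verifier)
    second = server.refresh_grant(first)  # normal refresh rotates the token
    replay = server.refresh_grant(first)  # old token presented again
    return {"intercepted": intercepted, "first": first,
            "second": second, "replay": replay}
```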

------------------------------------------------------------------------

## Support

If you experience issues reconnecting, contact support@idialogue.app.

*Dates, rollout sequencing, and recommended customer actions reflect our current implementation plan and may change as Salesforce publishes additional guidance. This page will be updated as that guidance becomes available.*
