Keeping GoMeddo secure: how we're responding to Salesforce's new security requirements

Security is at the core of how GoMeddo operates. As Salesforce introduces new mandatory security requirements for AppExchange partners, we’re proactively implementing the latest standards to ensure our platform remains secure, compliant, and future-ready. In this blog, we explain what’s changing, why it matters, and how GoMeddo is strengthening its foundation to continue delivering a trusted, Salesforce-native experience.

At GoMeddo, security is not an afterthought. It's built into how we develop, maintain, and evolve our product. So when Salesforce recently announced mandatory security requirements for all AppExchange partners, we got to work immediately. Here's what's happening, why it matters, and what we're doing about it.


What Salesforce is requiring

Salesforce is raising the security bar for all Connected Apps (CAs) and External Client Apps (ECAs) used in AppExchange partner applications. These changes are mandatory for any partner app running in more than two customer production orgs, and they must be implemented by May 11, 2026. Failure to comply could result in a partner application being de-listed from the AppExchange or having its interoperation with Salesforce services suspended.

The headline requirements are enabling PKCE (Proof Key for Code Exchange) and Refresh Token Rotation across all Connected Apps and External Client Apps. Two additional requirements, Idle Refresh Token TTL and a Refresh Token IP Range Allow list, are expected to become configurable around April 13, 2026, and must also be in place before the deadline.

These aren't bureaucratic checkboxes. PKCE is an important protection against authorization code interception attacks, and Refresh Token Rotation ensures that tokens can't be silently reused if they're ever compromised. Together, they significantly strengthen the OAuth flow that underpins how GoMeddo interacts with Salesforce on behalf of our customers.
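To make the two mechanisms concrete, the following is an added example (not GoMeddo's or Salesforce's code) of what PKCE and refresh token rotation look like on both sides of the OAuth exchange. The client half is the S256 method from RFC 7636; the `ToyAuthorizationServer` class is an assumed, in-memory stand-in for an authorization server that checks the PKCE verifier, makes authorization codes single-use, and rotates refresh tokens so that presenting a stale one is treated as evidence of compromise and revokes the whole token family:

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_challenge(code_verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Client side: a fresh high-entropy verifier and the challenge derived from it.
    Only the challenge travels in the authorization request; the verifier stays
    with the client until the code exchange, so an intercepted code is useless alone."""
    code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    return code_verifier, compute_challenge(code_verifier)


class ToyAuthorizationServer:
    """Assumed, in-memory model of the server-side checks; not a real OAuth server."""

    def __init__(self):
        self._pending_codes = {}      # authorization code -> code_challenge it was issued with
        self._token_family = {}       # every refresh token ever issued -> its family id
        self._current = {}            # family id -> the single refresh token still valid
        self._revoked_families = set()

    def authorize(self, code_challenge: str) -> str:
        """Authorization endpoint: remember the challenge alongside the code."""
        code = secrets.token_urlsafe(16)
        self._pending_codes[code] = code_challenge
        return code

    def exchange_code(self, code: str, code_verifier: str) -> dict:
        """Token endpoint: the code is consumed on first use, then PKCE is verified."""
        challenge = self._pending_codes.pop(code, None)
        if challenge is None:
            raise PermissionError("unknown or already used authorization code")
        if not secrets.compare_digest(compute_challenge(code_verifier), challenge):
            raise PermissionError("PKCE verification failed")
        return self._issue(secrets.token_urlsafe(8))  # start a new token family

    def refresh(self, refresh_token: str) -> dict:
        """Rotation: every refresh returns a new token and retires the old one.
        A retired token being presented again means two parties hold copies,
        so the entire family is revoked rather than trusting either of them."""
        family = self._token_family.get(refresh_token)
        if family is None:
            raise PermissionError("unknown refresh token")
        if family in self._revoked_families:
            raise PermissionError("token family already revoked")
        if self._current.get(family) != refresh_token:
            self._revoked_families.add(family)
            self._current.pop(family, None)
            raise PermissionError("refresh token reuse detected; family revoked")
        return self._issue(family)

    def _issue(self, family: str) -> dict:
        refresh_token = secrets.token_urlsafe(24)
        self._token_family[refresh_token] = family
        self._current[family] = refresh_token
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": refresh_token}


if __name__ == "__main__":
    # Constructed walk-through: a legitimate client, then a stale copy of its token.
    server = ToyAuthorizationServer()
    verifier, challenge = make_pkce_pair()
    code = server.authorize(challenge)
    tokens = server.exchange_code(code, verifier)
    rotated = server.refresh(tokens["refresh_token"])
    try:
        server.refresh(tokens["refresh_token"])  # stale token: reuse detected
    except PermissionError as exc:
        print("rejected:", exc)
    try:
        server.refresh(rotated["refresh_token"])  # the newer token is gone too
    except PermissionError as exc:
        print("rejected:", exc)
```

The reuse check is the part worth noting: rotation alone only limits how long one token is valid, while revoking the family on reuse is what turns a leaked refresh token into a detectable event instead of a silent one. The idle TTL and IP-range controls mentioned above would sit on top of this as additional conditions in `refresh`.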


What GoMeddo is doing

GoMeddo's team reviewed the requirements carefully and now has a clear plan in place. Here's a summary of the changes we're making.

First, we're updating our Connected Apps to have PKCE and Refresh Token Rotation enabled by default. This ensures that every customer using GoMeddo benefits from these protections without needing to take any action themselves.

Second, once Salesforce makes the relevant settings available (expected around April 13), we'll configure our apps to properly handle Idle Refresh Token TTL and the Refresh Token IP Range Allow list. These settings give finer-grained control over how and where refresh tokens can be used, further reducing the attack surface.

Third, and perhaps most significantly from a technical standpoint, we're using this moment to accelerate our migration from First Generation (1GP) packages to Second Generation (2GP) packages.

This is a meaningful architectural shift. Second Generation packages are better aligned with modern Salesforce platform standards, and they support External Client Apps natively.

Moving to ECAs means we're not just meeting today's requirements but positioning GoMeddo to meet future security requirements more easily as the Salesforce platform continues to evolve.


What this means for you as a customer

The short answer is: nothing, for now. The updates are being handled entirely on our side, and our goal is for this transition to be completely seamless.

We do recommend updating to the latest versions of our packages, though, so that you benefit from these security additions as well as new features.

We believe in transparency. While we don't anticipate any immediate action on your end, the migration to Second Generation packages is a meaningful platform change, and at some point down the road it is likely that we will need to ask customers to take specific steps as part of that transition.

When that moment comes, we will reach out proactively with clear instructions, plenty of lead time and support to help make this transition seamless.


Why this matters

It's worth stepping back and acknowledging why Salesforce is doing this. The AppExchange ecosystem is trusted by hundreds of thousands of businesses around the world.

Maintaining that trust requires constant vigilance, and the threat landscape around OAuth and token-based authentication has grown more sophisticated over time. These new requirements reflect current best practices in application security, and we're fully aligned with the intent behind them.

For GoMeddo, this is also an opportunity. The move to 2GP packages and ECAs isn't just compliance work. It's a foundation for a more robust, maintainable, and future-proof integration with Salesforce, which ultimately means a better and more secure experience for the teams that rely on GoMeddo every day.

We'll keep you updated as we progress through these changes. As always, if you have questions, don't hesitate to reach out to our support team.
