To let Apex or a Flow make a GET callout to an external API, set up the endpoint and its authentication in Setup first. The recommended path is a Named Credential, which registers a trusted destination and handles the auth header for you. Configure it once and every GET callout that targets it stays clean and packageable.
- Create the External Credential
In Setup, open Named Credentials and switch to the External Credentials tab. Add an external credential, choose the authentication protocol the API uses, such as OAuth 2.0 or a custom header, and add a principal that holds the actual secret or token.
- Create the Named Credential
On the Named Credentials tab, click New. Enter the base URL of the API, link the External Credential you just made, and keep the option to generate the authorization header enabled so the platform injects it on every call.
- Grant access through a permission set
Open the External Credential principal and add it to a permission set, then assign that permission set to the users or the integration user whose context will run the GET callout. Without this grant the callout fails on authentication.
- Reference it from your GET callout
In Apex, set the endpoint to callout:Your_Named_Credential plus the resource path and call setMethod('GET'). In Flow, point the External Service action at the same named endpoint. The platform resolves the URL and adds the auth header at run time.
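The Apex side of the last step, as an added example that is not Salesforce's or this page's own code. The class name, the `/v1/orders/` resource path and the JSON-object response shape are assumptions; `Your_Named_Credential` is the placeholder name used above.

```apex
public with sharing class OrderStatusClient {
    // Developer name of the Named Credential (placeholder from this page).
    private static final String NAMED_CREDENTIAL = 'Your_Named_Credential';

    public class OrderApiException extends Exception {}

    // Fetches one order as a parsed JSON object.
    // Assumes the (hypothetical) API answers GET /v1/orders/{id} with a JSON object.
    public static Map<String, Object> getOrder(String orderId) {
        if (String.isBlank(orderId)) {
            throw new OrderApiException('orderId is required');
        }

        HttpRequest req = new HttpRequest();
        // The callout: prefix makes the platform resolve the base URL and inject
        // the auth header, so no token or host name appears in this class.
        // The caller-supplied id is URL-encoded so it cannot alter the path or query.
        req.setEndpoint('callout:' + NAMED_CREDENTIAL + '/v1/orders/'
            + EncodingUtil.urlEncode(orderId, 'UTF-8'));
        req.setMethod('GET');
        req.setHeader('Accept', 'application/json');
        req.setTimeout(10000); // milliseconds; fail fast instead of holding the transaction

        HttpResponse res;
        try {
            res = new Http().send(req);
        } catch (System.CalloutException e) {
            // The request could not be sent or timed out.
            throw new OrderApiException('GET callout failed: ' + e.getMessage(), e);
        }

        Integer status = res.getStatusCode();
        if (status == 401 || status == 403) {
            // Check the principal's permission set assignment and the stored secret first.
            throw new OrderApiException('Authentication rejected (HTTP ' + status + ')');
        }
        if (status != 200) {
            // Report the status only; the response body is kept out of messages and logs.
            throw new OrderApiException('Unexpected HTTP status ' + status);
        }
        return (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
    }
}
```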
The base endpoint of the external API, for example https://api.example.com. Resource paths get appended after the named-credential reference in your callout.
Set on the External Credential. Choose OAuth 2.0, JWT, AWS Signature, or a custom header to match what the target API requires.
When enabled, Salesforce builds and attaches the auth header automatically so your code never handles the token. Disable it only if you need to set the header yourself.
Controls which packaged or org namespaces may use the credential, which matters when the callout ships inside a managed package.
- A Named Credential endpoint bypasses Remote Site Settings, but a raw hard-coded URL does not. If you skip the Named Credential, add the host to Remote Site Settings or the callout is blocked.
- Forgetting to assign the External Credential principal to a permission set is the most common cause of a GET callout failing with an authentication error right after setup.
- Legacy Named Credentials still function but receive no new features. Build new ones on the External Credential model introduced in Winter '23.