A Named Credential is a stored configuration for an external endpoint — URL, authentication method, and credentials — that Apex callouts and external services can reference by name without hard-coding the endpoint or the auth.
A Remote Site Setting is just a URL allowlist. You add https://api.thirdparty.com to Remote Site Settings, and Apex can then make HTTP callouts to that domain. But you still need to store credentials separately (in Custom Settings, Custom Metadata, or Apex code) and handle auth manually.
A Named Credential wraps both the allowlist and the credentials. You define:
- Endpoint URL (replaces Remote Site Setting).
- Authentication: Anonymous, Username/Password, OAuth 2.0, JWT Bearer, etc.
- Credentials, encrypted at rest.
- Optional: client certificate, custom HTTP headers, query params injected by default.
In Apex you reference it like req.setEndpoint('callout:My_Named_Credential/path') and Salesforce automatically attaches the auth header. No hard-coded credentials in code.
Why use it:
- Security — credentials are encrypted, not stored in code or Custom Metadata.
- Manageability — change a password or refresh OAuth token in one place.
- Per-User OAuth — for integrations where each Salesforce user maps to an external user, Named Credential supports per-user OAuth tokens.
- Deployment — Named Credentials are deployable via metadata API (the settings deploy; the actual passwords/tokens you re-enter in target).
Modern Salesforce strongly prefers Named Credentials over Remote Site Settings; new patterns should use them by default.