Key Pair

Administration 🔴 Advanced
📖 4 min read

Definition

A Key Pair in Salesforce is a public key and its matching private key, managed in Setup under Certificate and Key Management together with the X.509 certificate that carries the public key. Administrators use Key Pairs wherever Salesforce must prove its identity to another system, or verify that system's identity, with a signature or a TLS client certificate rather than a shared password: signing JWT bearer assertions, presenting a certificate for mutual TLS, and verifying tokens sent by an external integration.

Real-World Example

The system administrator at BrightEdge Solutions uses a Key Pair to move a nightly integration off a stored username and password and onto certificate-based JWT bearer authentication. After generating the certificate in a sandbox, wiring it into the integration and validating the full login flow with the integration owners, they repeat the configuration in production. The integration then authenticates unattended with a signed assertion, and the old shared credentials are retired.

Why Key Pair Matters

A Key Pair in Salesforce consists of a public key and a private key used together for authentication and encrypted communication between Salesforce and external systems. The most common use case is the OAuth 2.0 JWT bearer flow for server-to-server integrations. Whichever side holds the private key signs a short-lived JWT assertion; the other side verifies the signature with the public key, which it holds in the form of an X.509 certificate. When an external system authenticates into Salesforce, the integration keeps the private key and its certificate is uploaded to the connected app so Salesforce can check the signature; when Salesforce authenticates outbound, for example through a Named Credential, Salesforce signs with a key it holds. On the Salesforce side, Key Pairs are managed in Setup under Certificate and Key Management, where administrators can generate self-signed certificates or create a certificate signing request and upload the CA-signed certificate. This public-key infrastructure replaces less secure methods such as storing usernames and passwords in integration configurations.
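The two halves of that exchange, as an added example written for this page (not Salesforce's own code and not a library the page describes), in Go using only the standard library: the integration signs an assertion with its private key, and the Salesforce side verifies it holding nothing but the public key from the certificate. The consumer key, username and key pair are constructed placeholders. A real flow would then POST the assertion to the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer and receive an access token; that HTTP step is omitted here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims of a Salesforce JWT bearer assertion: the four claims Salesforce requires.
type Claims struct {
	Iss string `json:"iss"` // consumer key of the connected app
	Sub string `json:"sub"` // Salesforce username the integration runs as
	Aud string `json:"aud"` // https://login.salesforce.com or https://test.salesforce.com
	Exp int64  `json:"exp"` // expiry as Unix seconds; keep it only a few minutes out
}

// b64 is the unpadded base64url encoding JWT segments use.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAssertion is the integration side: it holds the private key and emits
// header.payload.signature signed with RS256 (RSASSA-PKCS1-v1_5 over SHA-256).
func SignAssertion(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"RS256"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAssertion is the Salesforce side: it knows only the certificate's public
// key and the audience it expects. It pins the algorithm, checks the signature
// before trusting any claim, then checks aud and exp against the supplied clock.
func VerifyAssertion(pub *rsa.PublicKey, token, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token: want 3 segments, got %d", len(parts))
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Claims{}, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return Claims{}, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, fmt.Errorf("bad signature: %w", err)
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	if c.Aud != wantAud {
		return Claims{}, fmt.Errorf("aud %q does not match %q", c.Aud, wantAud)
	}
	if now.Unix() >= c.Exp {
		return Claims{}, fmt.Errorf("assertion expired at %d", c.Exp)
	}
	return c, nil
}

func main() {
	// Constructed key pair, standing in for the one generated on the integration host.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	claims := Claims{
		Iss: "consumer-key-placeholder", // not a real consumer key
		Sub: "integration.user@example.com",
		Aud: "https://login.salesforce.com",
		Exp: now.Add(3 * time.Minute).Unix(),
	}
	token, _ := SignAssertion(priv, claims)
	got, err := VerifyAssertion(&priv.PublicKey, token, "https://login.salesforce.com", now)
	fmt.Println("verified for", got.Sub, "err:", err)
}
```

Two details matter in practice. The verifier pins `alg` to RS256 and checks the signature before reading any claim, so a token that says `"alg":"none"` or that was re-signed with an HMAC over the public key is rejected rather than parsed. And because the check is against one specific public key, an assertion signed by a different integration's private key fails, which is the property that is lost when several integrations share a single Key Pair.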

As organizations build more integrations and adopt API-first architectures, Key Pair management becomes a critical security practice. Each integration that uses certificate-based authentication should get its own Key Pair with a named owner, a rotation schedule, and expiration monitoring. Poor Key Pair management shows up as integration outages when certificates expire unexpectedly, as one compromised private key exposing every integration that shares it, and as audit findings when nobody can produce a certificate inventory. Organizations should maintain a certificate registry tracking every Key Pair's purpose, expiration date, responsible owner, and rotation history, so that the all-too-common scenario of an integration breaking at 2 AM because a certificate expired unnoticed does not happen.

How Organizations Use Key Pair

  • CloudSync Integrations — CloudSync Integrations uses a Key Pair to configure JWT bearer flow authentication for the nightly data sync that pulls Salesforce data into AWS. The job running in AWS holds the private key in a secrets store and signs each JWT assertion; Salesforce verifies the signature against the certificate uploaded to the integration's connected app and issues an access token. This eliminates the need to store a Salesforce username and password in the AWS environment, and the sync runs unattended every night without human intervention.
  • VerifyPro Identity — VerifyPro Identity uses Key Pairs to establish mutual TLS (mTLS) authentication between Salesforce and their identity verification API. Both systems present certificates during the handshake, ensuring that each side verifies the other's identity before exchanging sensitive personal data. Their security team rotates the Key Pair annually and maintains a 30-day overlap period where both old and new certificates are valid to prevent integration downtime during rotation.
  • DataBridge Analytics — DataBridge Analytics manages 12 different integrations, each with its own Key Pair and certificate. They maintain a certificate registry spreadsheet that tracks each Key Pair's name, purpose, creation date, expiration date, and responsible team. An automated alert fires 60 days before any certificate expires, giving the integration team ample time to generate a new Key Pair and coordinate the update with external partners.
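The two registry checks in the last two bullets, the 60-day expiry alert and the rotation overlap window, as an added example written for this page (not code from any of the companies named or from Salesforce), in Go using only the standard library. It reads expiry from the certificates themselves rather than from a hand-typed date, so the registry cannot drift from what is actually deployed. The certificate names, owners, dates and the `RegistryEntry` fields are constructed test data and assumptions, and `SelfSignedPEM` only exists to fabricate certificates offline; in real use the PEM would be the certificate downloaded from Certificate and Key Management or received from the partner.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RegistryEntry is one row of the certificate registry (field names assumed).
type RegistryEntry struct {
	Name    string // unique name as shown in Certificate and Key Management
	Purpose string
	Owner   string
	CertPEM []byte // the deployed certificate; expiry is read from here
}

// parseCert decodes one PEM-encoded X.509 certificate.
func parseCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ExpiringWithin returns the names of entries whose certificate expires within
// the given number of days of now, including any that have already expired.
func ExpiringWithin(reg []RegistryEntry, now time.Time, days int) ([]string, error) {
	cutoff := now.Add(time.Duration(days) * 24 * time.Hour)
	var hits []string
	for _, e := range reg {
		c, err := parseCert(e.CertPEM)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", e.Name, err)
		}
		if !c.NotAfter.After(cutoff) {
			hits = append(hits, e.Name)
		}
	}
	return hits, nil
}

// OverlapDays reports how many whole days the old and the new certificate are
// valid at the same time; a "30-day overlap" policy is a check that this is >= 30.
func OverlapDays(oldPEM, newPEM []byte) (int, error) {
	o, err := parseCert(oldPEM)
	if err != nil {
		return 0, err
	}
	n, err := parseCert(newPEM)
	if err != nil {
		return 0, err
	}
	start, end := o.NotBefore, o.NotAfter
	if n.NotBefore.After(start) {
		start = n.NotBefore
	}
	if n.NotAfter.Before(end) {
		end = n.NotAfter
	}
	if !end.After(start) {
		return 0, nil
	}
	return int(end.Sub(start).Hours() / 24), nil
}

// SelfSignedPEM fabricates a self-signed certificate valid from notBefore for
// the given number of days. Constructed test data only, not a real certificate.
func SelfSignedPEM(cn string, notBefore time.Time, days int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	old, _ := SelfSignedPEM("aws-nightly-sync", now.AddDate(0, 0, -345), 365) // 20 days left
	fresh, _ := SelfSignedPEM("aws-nightly-sync", now, 365)                  // replacement
	reg := []RegistryEntry{
		{Name: "aws-nightly-sync", Purpose: "JWT bearer into Salesforce", Owner: "integration-team", CertPEM: old},
		{Name: "verifypro-mtls", Purpose: "mTLS client certificate", Owner: "security-team", CertPEM: fresh},
	}
	hits, _ := ExpiringWithin(reg, now, 60)
	days, _ := OverlapDays(old, fresh)
	fmt.Println("expiring within 60 days:", hits, "| rotation overlap days:", days)
}
```

Run on a schedule, `ExpiringWithin` is the alert in the DataBridge bullet; the same pass over the registry is what produces the inventory an auditor asks for. `OverlapDays` is the check VerifyPro's team needs before cutting over: in the constructed data the replacement was issued with only 20 days left on the old certificate, so it fails a 30-day overlap policy and the rotation should have started earlier.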
