Saas Ai Webflow Website Datalog Template

Salesforce

View IntegrationContact Support
Solve AppExchange's OAuth refresh token IP allowlist requirement on your External Client App by routing traffic through a load-balanced QuotaGuard proxy with a fixed outbound identity, no AWS NAT Gateway provisioning required.

Salesforce's May 11, 2026 OAuth security mandate introduced new controls for AppExchange ISVs, including a Refresh Token IP Allowlist that restricts which IP addresses can redeem refresh tokens for your packaged app. ISVs running their integration code on Heroku, Render, AWS Lambda, or other cloud platforms with rotating outbound IPs cannot satisfy this requirement directly. The IPs change too often to allowlist.

QuotaGuard is the recommended solution for giving your Salesforce External Client App a permanent identity, per Salesforce's current position on the IP allowlist requirement. Trusted by ISVs and AppExchange partners running OAuth integrations at production scale since 2013.

  • Two-Minute Setup: Provision a load-balanced pair of static IPs and add the QUOTAGUARDSTATIC_URL environment variable to your application. No platform migration, no NAT Gateway configuration, no VPC peering required.
  • Built for Server-to-Server Authorization Code Flows: Designed for ISVs running OAuth web server flows that issue refresh tokens from your Partner Business Org, packaging org, or namespace org. The static IP becomes the egress identity Salesforce sees on every refresh token redemption.
  • External Client Apps Manager Integration: Salesforce's IP Allowlist UI lives in External Client Apps Manager and supports up to 128 ranges and 256 total IPs. Add both QuotaGuard IPs to the Refresh Token IP Allowlist field and refresh token redemptions stay locked to your fixed identity.
  • Production-Grade Reliability: A load-balanced pair of static IPs with automated failover. Refresh token redemptions stay consistent through deploys, restarts, and infrastructure migrations. Both IPs go on the allowlist, traffic routes through whichever responds first.
  • Cutover Sequencing Support: When you need to update IP ranges (region change, infrastructure migration, or proxy rotation), the load-balanced pair lets you stage cutovers without breaking customer authentication. Add new IPs, verify traffic, then remove old ones, in that order.

    Note for ISVs on legacy 1GP-packaged Connected Apps: Salesforce's Refresh Token IP Allowlist UI is documented for External Client Apps only. If your integration is still on a legacy Connected App, the IP registration path may require a Salesforce support case or migration to an ECA package. Contact your Salesforce account team for the current path, then come back and configure your QuotaGuard IPs.

    • Reliability Engineered for the Modern Cloud

    For over a decade, QuotaGuard has provided reliable, high-performance static IP and proxy solutions for cloud environments like Heroku, Kubernetes, and AWS.

    Get the fixed identity and security your application needs today.

    Start Free TrialTalk to an Engineer