Salesforce Static IPs

No.

QuotaGuard solves the IP Allowlist requirement, per Salesforce's current position.

The other four controls (PKCE, Refresh Token Rotation, 30-day Idle Timeout, and IP Monitoring) are application-layer changes you implement in your own code or via Salesforce Setup.

QuotaGuard handles the network-layer requirement only.

We recommend reading Salesforce's official documentation on PKCE and RTR alongside setting up your static IPs.

Salesforce's Refresh Token IP Allowlist UI is documented for External Client Apps Manager only.

If your integration is still on a legacy 1GP-packaged Connected App, contact your Salesforce account team to confirm the IP registration path before configuring QuotaGuard.

The QuotaGuard side of the setup is the same in either case (a static IP pair is the prerequisite), but the Salesforce-side UI for adding the IPs to the allowlist is currently ECA-only.

Some ISVs are migrating to ECA via the full migration path or shipping a sidecar 2GP package containing only an ECA. Our support team can help you understand the QuotaGuard side once your Salesforce path is clear.

Probably not.

JWT Bearer flow integrations don't issue refresh tokens, so the Refresh Token IP Allowlist requirement is structurally inapplicable.

If your entire Salesforce integration is JWT Bearer (server-to-server with no user-context refresh tokens), you don't need a static IP for May 11 2026 compliance.

If you're running a mixed flow architecture where some paths use authorization code with refresh tokens, those paths still need the static IP.

Salesforce has indicated that the IP Allowlist requirement is not applicable to public-facing mobile applications, since mobile clients connect from arbitrary consumer IPs.

QuotaGuard's static IP solution is for ISV server-to-server integrations, not mobile clients.

If your AppExchange listing is exclusively mobile, you don't need a static IP for May 11 compliance.

QuotaGuard Static is the Builder's Choice for most Salesforce ISVs, focused on flexibility, speed, and securing standard OAuth API connections.

QuotaGuard Shield is the Buyer's Choice for ISVs handling regulated customer data through their AppExchange integration.

Shield offers end-to-end security with SSL Passthrough and an architecture designed specifically to meet strict HIPAA and PCI compliance requirements.

For the May 11 2026 IP allowlist requirement alone, Static is sufficient.

Shield becomes the right choice when your integration handles PHI, payment card data, or other regulated workloads.

Provision a load-balanced pair of static IPs from your QuotaGuard dashboard.

Add the QUOTAGUARDSTATIC_URL environment variable to your application infrastructure (Heroku, AWS Lambda, Render, Fly.io, or your platform of choice).

Configure your HTTP client or OAuth library to route requests to api.salesforce.com through the QuotaGuard proxy.

Then add both QuotaGuard IPs to your External Client App's Refresh Token IP Allowlist in Salesforce Setup.

Total setup time is roughly 2 minutes for the QuotaGuard configuration plus the time required to update the Salesforce allowlist.

No. Your static IP addresses stay the same through plan upgrades and downgrades.

This means you don't need to update your Salesforce IP allowlist or contact your customers when you change plans, which is critical during the May 11 mandate transition when stable infrastructure is at a premium.

Our No Hard Stops policy means we keep processing your requests even if you exceed your plan's bandwidth limit.

Refresh token redemptions, OAuth flows, and customer-facing API traffic continue uninterrupted while we contact you about an upgrade.

AppExchange listings can have unpredictable traffic spikes during Security Review re-submissions, customer onboarding waves, or marketing pushes, and QuotaGuard absorbs them.

No.

QuotaGuard plans are month-to-month with no minimum commitment or cancellation fees.

You can sign up, configure your IPs, and adjust your plan as your AppExchange listing scales.