When using Salesforce APIs with a Web Server Flow, are you tied to the original user who authenticated?


The question is a bit of a mouthful. This has to do with the various Salesforce APIs - I want to try to use the web server flow as it will mostly be service to Salesforce communication that happens automatically. My question is - if a particular user is the one who initially authenticates - how tied is the authentication to that user?

Meaning, if that user changes their password or has their account closed - will that affect the service's access token?

I guess the heart of this question is - what is the best way to authenticate a 3rd party service with an org for automated communication? I'd prefer it not be tied to specific users if possible.

Attribution to: Ryan Elkins

Possible Suggestion/Solution #1

All access to the APIs is in the context of a user, so you should create an 'integration user' with the least amount of privilege necessary for the task at hand (for example, you can set the user as 'API only'). Depending on which API (SOAP or REST) you're planning on using, your app should authenticate with the integration user's credentials using either the SOAP login() or OAuth Username/Password flow to get a session ID (aka access token) with which you can call APIs.

Since you will be storing credentials for the integration user, follow best practice and don't write them into source code - keep them instead in environment variables or similar configuration.

Lastly, you will need to balance the convenience of getting a new session ID/access token for each interaction with (at the cost of an additional round-trip to versus the complexity of dealing with an exception arising from an expired session if you decide to keep the token around.

Attribution to: metadaddy
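The trade-off described in the answer above, as an added example (not code from the original answer or from Salesforce): the integration user's credentials come from environment variables, the access token is cached, and an expired session (HTTP 401) triggers a single re-authentication. The `SF_*` variable names, the `IntegrationSession` class and the injectable `send` transport are assumptions made for this sketch.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

def urllib_send(method, url, headers, body=None):
    """Default transport: returns (HTTP status, parsed JSON body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")

class IntegrationSession:
    """Caches the integration user's token; re-authenticates once on HTTP 401."""
    def __init__(self, env=os.environ, send=urllib_send):
        # Environment variable names are assumptions made for this example.
        self._form = {"grant_type": "password",
                      "client_id": env["SF_CLIENT_ID"],
                      "client_secret": env["SF_CLIENT_SECRET"],
                      "username": env["SF_USERNAME"],
                      "password": env["SF_PASSWORD"]}
        self._login_url = env.get("SF_LOGIN_URL", "https://login.salesforce.com")
        self._send = send
        self._token = self._instance = None

    def _login(self):
        body = urllib.parse.urlencode(self._form).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        url = self._login_url + "/services/oauth2/token"
        status, data = self._send("POST", url, headers, body)
        if status != 200:
            # Surface only the OAuth error code, never the submitted credentials.
            raise PermissionError(f"login failed: {(data or {}).get('error', status)}")
        self._token, self._instance = data["access_token"], data["instance_url"]

    def get(self, path):
        for _ in range(2):
            if self._token is None:
                self._login()
            headers = {"Authorization": f"Bearer {self._token}"}
            status, data = self._send("GET", self._instance + path, headers)
            if status != 401:
                return status, data
            self._token = None  # expired or revoked session: discard, retry once
        raise PermissionError("token rejected again after re-authentication")
```

Because the token is reused until the API rejects it, the extra login round-trip happens only after expiry, or after the integration user's session is revoked.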
This content is remixed from stackoverflow or stackexchange. Please visit
