Salesforce environment setup
Sandbox-first by default · we walk you through every step
Connecting Release Assurance is a short, guided process. You stay in control of access the whole way, and nothing is ever installed inside your org. Here's what's involved.
1. Sandbox-first by default
We connect to a Salesforce sandbox, not production. Production orgs are rejected at connect time by an org-type check — so a misconfiguration can't point us at live data. A full or partial sandbox that mirrors your real configuration gives the most faithful coverage.
2. A least-privilege automation user
You create a dedicated integration user for Release Assurance with the minimum permissions needed to exercise the workflows in scope — not an administrator. This keeps the blast radius small and makes access easy to review and revoke.
3. JWT authentication
We authenticate using the OAuth 2.0 JWT Bearer flow with a connected app and a per-environment signing key. No long-lived refresh tokens are stored on our side, and short-lived access tokens live in memory only.
4. A scoped permission set
We'll provide a permission set tailored to the objects, fields, and tabs your in-scope workflows touch. You assign it to the automation user — and nothing more.
5. Certificate revocation is the kill switch
Because access hinges on the JWT signing certificate, you can sever Release Assurance's access to your org instantly and unilaterally by revoking that certificate in Setup. No tickets, no waiting on us.