Salesforce integration

Kernel connects to Salesforce via secure OAuth, reading standard objects and writing only to Kernel fields with a minimal permission set.

What It Is

Kernel’s Salesforce integration lets Kernel read core CRM objects and write back Kernel-specific fields. The connection uses a standard OAuth 2.0 flow via the Kernel SF Connected App, and access is scoped to an integration user with a minimal Permission Set.

At a glance

  • A Salesforce admin installs the Kernel package and opens the Kernel SF Connected App.

  • In that app, they create an Integration User and authorize Kernel via OAuth.

  • Kernel stores a secure refresh token and uses short-lived access tokens for API calls.

  • Kernel reads standard objects and only writes to Kernel-designated fields.


Data fields

  • Kernel either (a) provides a CSV of fields to add, or (b) installs an unlocked package that adds them.

  • Kernel only writes to those Kernel fields; master data is not altered.

What gets installed

  • Kernel Lightning App with a Kernel Setup tab

    • Authorize Kernel (OAuth)

    • Create Integration User (one click, admin only)

    • Status panels

  • Connected App (OAuth 2.0 Authorization Code + Refresh Token)

  • Permission Set (baseline read + optional Kernel-field write)

  • LWC + Apex to drive setup and status

Data access

| Object        | Read                       | View-All                   | Edit              |
|---------------|----------------------------|----------------------------|-------------------|
| Account       | ✓ (All or select fields)   | ✓ (All or select fields)   | ✓ (Kernel fields) |
| Lead*         | ✓ (All or select fields)   | ✓ (All or select fields)   | ✓ (Kernel fields) |
| Contact       | ✓ (All or select fields)   | ✓ (All or select fields)   |                   |
| Opportunity   | ✓ (All or select fields)   | ✓ (All or select fields)   |                   |
| Task/Activity | ✓ (All or select fields)   | ✓ (All or select fields)   |                   |
| SystemUser    | ✓ (Limited fields)         |                            |                   |

*Required only if you don’t use Accounts.
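An admin can check an exported permission set against the data-access matrix above. The following is an added example, not Kernel's own code: it takes rows shaped like Salesforce `ObjectPermissions` and `FieldPermissions` query results and reports any grant beyond what this page documents. The `Kernel__` field prefix, the mapping of "Task/Activity" and "SystemUser" to the `Task` and `User` API names, and all sample rows are assumptions made for the example.

```python
# Allowed object permissions, taken from the data-access table on this page.
# Assumption: "Task/Activity" and "SystemUser" map to the Task and User API names.
ALLOWED = {
    "Account":     {"read", "view_all", "edit"},
    "Lead":        {"read", "view_all", "edit"},
    "Contact":     {"read", "view_all"},
    "Opportunity": {"read", "view_all"},
    "Task":        {"read", "view_all"},
    "User":        {"read"},
}
# Assumption: Kernel-designated fields share a prefix; this value is a placeholder.
KERNEL_FIELD_PREFIX = "Kernel__"

# ObjectPermissions columns -> short names used in ALLOWED.
OBJ_FLAGS = {
    "PermissionsRead": "read",
    "PermissionsViewAllRecords": "view_all",
    "PermissionsEdit": "edit",
    "PermissionsCreate": "create",
    "PermissionsDelete": "delete",
    "PermissionsModifyAllRecords": "modify_all",
}

def audit(object_perms, field_perms):
    """Return sorted findings where the permission set exceeds the documented model."""
    findings = []
    for row in object_perms:
        obj = row["SobjectType"]
        granted = {name for col, name in OBJ_FLAGS.items() if row.get(col)}
        for extra in sorted(granted - ALLOWED.get(obj, set())):
            findings.append(f"object {obj}: unexpected {extra}")
    for row in field_perms:
        # FieldPermissions.Field has the form "Object.FieldName".
        _obj, _, field = row["Field"].partition(".")
        if row.get("PermissionsEdit") and not field.startswith(KERNEL_FIELD_PREFIX):
            findings.append(f"field {row['Field']}: edit on non-Kernel field")
    return sorted(findings)

# Constructed sample rows (not real org data).
SAMPLE_OBJECTS = [
    {"SobjectType": "Account", "PermissionsRead": True, "PermissionsViewAllRecords": True, "PermissionsEdit": True},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsEdit": True},
    {"SobjectType": "Case", "PermissionsRead": True},
    {"SobjectType": "Lead", "PermissionsRead": True, "PermissionsDelete": True},
]
SAMPLE_FIELDS = [
    {"Field": "Account.Kernel__Score__c", "PermissionsRead": True, "PermissionsEdit": True},
    {"Field": "Account.AnnualRevenue", "PermissionsRead": True, "PermissionsEdit": True},
]
```

Calling `audit(SAMPLE_OBJECTS, SAMPLE_FIELDS)` returns one finding per excess grant; an empty list means the permission set stays within the documented matrix.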

Security model

  • Auth: Salesforce OAuth 2.0 (Authorization Code with Refresh Token).

  • Tokens: Refresh token is stored in Kernel’s secrets manager; access tokens are short-lived (≤ 15 min).

  • Scopes: api, refresh_token, plus OpenID basic profile scopes for user identity.

  • IP & session: Uses Salesforce’s standard session security. You may keep your org’s default IP restrictions.

  • Revocation: Revoke by deactivating the Integration User or revoking the Connected App token in Salesforce. Kernel also supports revocation via the portal.

Runtime behavior

  • Reads are batched; writes (to Kernel fields) use Bulk API 2.0 (up to 500 records/batch).

  • A 100k-Account org typically consumes < 1% of daily API quota for nightly updates.

  • Fail-safe design: Kernel retries transient API errors and surfaces status in the portal.

FAQs

How does Kernel authenticate? Through a Salesforce Connected App using OAuth 2.0 (Authorization Code + Refresh Token). A one-time authorization under the Integration User issues a refresh token; Kernel exchanges it for short-lived access tokens.

Who creates the Integration User? An admin creates it directly inside the Kernel Lightning App (one click). No separate Kernel admin login is required.

Can we restrict permissions? Yes. Use the Permission Set editor in the Kernel portal to save a custom policy per customer. If no custom policy is saved, Kernel assigns the default policy.

How do we revoke access? Deactivate the Integration User or revoke the app’s token in Salesforce Setup → Connected Apps → OAuth Usage. You can also click Revoke in the Kernel portal.

Is data encrypted? Yes. OAuth transport uses TLS 1.2+. Secrets are stored in a secrets manager; access tokens are ephemeral.

How do we avoid row locks during writes? Kernel batches updates and can schedule sync windows (e.g., nights/weekends). Coordinate heavy internal jobs to avoid overlap.

See also

  • Salesforce Connected App — Setup Guide
