I recently built an invocable action that uses the Tooling API. I had been hoping to handle authentication automatically using SessionId, but this action needs to be able to work in background flows like record-change triggered flows, and there’s no obvious SessionId in those cases. So I ended up setting up what I’ll call ‘proper’ authentication. This incorporates three elements: a Connected App, an Auth. Provider, and a Named Credential.
It’s a little counter-intuitive to have to set up this kind of authentication, because we’re trying to use a Flow on an org to call other APIs on the same org. Ideally, we’d be able to make that call directly. But some APIs, like the Tooling API, treat even calls from the same org as public incoming calls. That means we have to create this authorization to allow our flow actions to loop back into our own org.
The relationship between the different security entities has been discussed in some previous posts.
Here’s the approach I used.
1. The invocable action should be designed to take a Named Credential.
2. Start by creating a Connected App.
3. Add an Auth Provider.
4. Create a Named Credential that references the Auth Provider.
5. Assign the Named Credential in two places.
There are some new requirements for providing access to Named Credentials. You need to explicitly authorize a profile or permission set to use the Named Credential:
Additionally, you now need to create a personal setting for each Named Credential:
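Returning to step 1, here is a sketch of an invocable action that takes the Named Credential as an input and uses it for the Tooling API callout. It is an added example, not the code from the action described in this post. The class name, the API version, the name-validation rule, and the assumption that the Named Credential's URL is the org's own base URL are all illustrative.

```apex
// Added example (not the author's code). Class name, API version and the
// name-validation rule are assumptions made for illustration.
public with sharing class ToolingQueryAction {

    public class Request {
        @InvocableVariable(label='Named Credential API Name' required=true)
        public String namedCredential;
        @InvocableVariable(label='Tooling API SOQL' required=true)
        public String soql;
    }

    public class Result {
        @InvocableVariable public Integer statusCode;
        @InvocableVariable public String body;
    }

    public class ToolingQueryException extends Exception {}

    @InvocableMethod(label='Run Tooling API Query' callout=true)
    public static List<Result> run(List<Request> requests) {
        List<Result> results = new List<Result>();
        for (Request r : requests) {
            // The name is concatenated into the endpoint, so accept only
            // characters that can appear in an API name before using it.
            if (r.namedCredential == null ||
                !Pattern.matches('^[A-Za-z][A-Za-z0-9_]{0,79}$', r.namedCredential)) {
                throw new ToolingQueryException('Invalid Named Credential name');
            }
            HttpRequest req = new HttpRequest();
            // "callout:<name>" makes the platform resolve the URL and attach the
            // OAuth token obtained through the Auth Provider; no SessionId needed.
            req.setEndpoint('callout:' + r.namedCredential
                + '/services/data/v58.0/tooling/query/?q='
                + EncodingUtil.urlEncode(r.soql, 'UTF-8'));
            req.setMethod('GET');
            HttpResponse res = new Http().send(req);

            Result out = new Result();
            out.statusCode = res.getStatusCode();
            out.body = res.getBody();
            results.add(out);
        }
        return results;
    }
}
```

Because the credential is referenced only by name, no token or secret appears in the flow or in the Apex code, and access stays governed by the profile or permission set assignment described in step 5.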