Set Up Credential Exchange

  • Updated on Sep 17, 2025
  • Published on Sep 3, 2025
  • 1 minute(s) read
Prev Next

MindCloud Embedded handles end users providing their credentials through our SDK modal. For example, in a Salesforce integration, we'll ask your end user for their Salesforce credentials, not for their credentials to your application.

So how does the Salesforce integration interact with your application if we don't ask the end user for your application's credentials? This is where credential exchange comes in.

How It Works

Whenever we run a workflow, MindCloud calls your exchange endpoint to retrieve your application's credentials for that end user. We'll pass:

  • integrationId

  • installationId

  • endUserId

This endpoint is created by your developers and can be implemented however you prefer, as long as it returns the necessary credentials for MindCloud to run the workflow.

Setup Steps

  1. Navigate to the Embedded tab and click on Set Up Credential Exchange. This will open the Credential Exchange modal.

  2. Create an Exchange Endpoint in your system: You need to specify an endpoint URL that MindCloud will call. When a workflow runs, we will send a POST request to this endpoint.

    Example request from MindCloud to your endpoint:

    curl -X POST https://your-api.com/credential-exchange \
     -H "Content-Type: application/json" \
     -H "X-Signature: <signature_hash>" \
     -d '{
       "integrationId": "int_abc123",
       "installationId": "install_xyz789",
       "endUserId": "enduser_456def"
     }'

    Your endpoint must return a valid credential that allows MindCloud to access your system's routes on behalf of that specific end user.

    If, for example, your application needs an api key for authentication, you would need to return:

    {
    "apiKey": "your_api_key"
}

    The exact data you need to return is specified inside the Credential Exchange modal.

  3. Optional Security: Enable Request Verification with a Signing Secret

    Provide a shared signing secret in the MindCloud dashboard. This secret will be used to sign all requests from MindCloud to your exchange endpoint.

    1. You generate and provide a signing secret (a random string) in the Credential Exchange modal

    2. MindCloud uses this secret to create an X-Signature header with every request

    3. The signature is created by hashing {timestamp}\n{method}\n{path} using SHA256 with your shared secret

    4. On your server, use the same shared secret to verify the signature matches, confirming the request genuinely came from MindCloud

Next steps: