Salesforce Multi-Environment Setup
Overview
Configure Salesforce integrations across Developer, Sandbox, and Production orgs with environment-specific credentials, login URLs, and deployment promotion flows.
Prerequisites
- Production Salesforce org (Enterprise+ for Full sandbox)
- Salesforce CLI authenticated to all environments
- Secret management solution (Vault, AWS/GCP Secrets Manager)
Instructions
Step 1: Salesforce Environment Types
| Environment | Org Type | Login URL | Purpose | Data | |------------|---------|-----------|---------|------| | Development | Developer Edition or Scratch Org | login.salesforce.com | Local dev | Sample data | | QA | Developer Sandbox | test.salesforce.com | Testing | Subset of prod | | Staging | Full Sandbox | test.salesforce.com | Pre-prod validation | Copy of prod | | Production | Production Org | login.salesforce.com | Live traffic | Real data |
Step 2: Sandbox Types
| Sandbox Type | Data | Metadata | Refresh Interval | Use Case | |-------------|------|----------|-------------------|----------| | Developer | None | Copy of prod | 1 day | Feature development | | Developer Pro | None | Copy of prod | 1 day | Integration testing | | Partial Copy | Sampled | Copy of prod | 5 days | QA with realistic data | | Full | Full copy | Copy of prod | 29 days | Staging, UAT, load testing |
Step 3: Environment Configuration
// src/config/salesforce.ts
interface SalesforceEnvConfig {
loginUrl: string;
username: string;
apiVersion: string;
isSandbox: boolean;
}
const envConfigs: Record<string, SalesforceEnvConfig> = {
development: {
loginUrl: 'https://login.salesforce.com', // Or test.salesforce.com for sandbox
username: process.env.SF_USERNAME_DEV!,
apiVersion: '59.0',
isSandbox: false, // true if using a sandbox for dev
},
staging: {
loginUrl: 'https://test.salesforce.com', // ALL sandboxes use test.salesforce.com
username: process.env.SF_USERNAME_STAGING!,
apiVersion: '59.0',
isSandbox: true,
},
production: {
loginUrl: 'https://login.salesforce.com',
username: process.env.SF_USERNAME_PROD!,
apiVersion: '59.0',
isSandbox: false,
},
};
export function getSalesforceConfig(): SalesforceEnvConfig {
const env = process.env.NODE_ENV || 'development';
const config = envConfigs[env];
if (!config) throw new Error(`No Salesforce config for environment: ${env}`);
return config;
}
Step 4: Authenticate to Multiple Orgs
# Authenticate to each environment with aliases
sf org login web --alias sf-dev --instance-url https://login.salesforce.com
sf org login web --alias sf-staging --instance-url https://test.salesforce.com
sf org login web --alias sf-prod --instance-url https://login.salesforce.com
# For CI — use JWT (no browser needed)
sf org login jwt \
--client-id $SF_CLIENT_ID \
--jwt-key-file server.key \
--username ci-user@mycompany.com.staging \
--alias sf-staging \
--instance-url https://test.salesforce.com
# List all authenticated orgs
sf org list --all
# Set default org
sf config set target-org sf-dev
Step 5: Secret Management by Environment
# Local development — .env.local (git-ignored)
SF_LOGIN_URL=https://test.salesforce.com
SF_USERNAME=dev-user@mycompany.com.dev
SF_PASSWORD=devpassword
SF_SECURITY_TOKEN=devtoken
# CI/CD (GitHub Actions)
# Use environment-specific secrets:
# Settings > Environments > "staging" > Add secret SF_USERNAME
# Settings > Environments > "production" > Add secret SF_USERNAME (different value)
# Production (Vault / Secrets Manager)
# AWS:
aws secretsmanager get-secret-value --secret-id salesforce/production
# GCP:
gcloud secrets versions access latest --secret=sf-prod-credentials
# HashiCorp Vault:
vault kv get -field=password secret/salesforce/production
Step 6: Deployment Promotion Flow
# 1. Develop in scratch org or developer sandbox
sf project deploy start --target-org sf-dev
# 2. Run Apex tests in dev
sf apex run test --target-org sf-dev --result-format human
# 3. Deploy to staging sandbox
sf project deploy start --target-org sf-staging --test-level RunLocalTests
# 4. Run integration tests against staging
SF_LOGIN_URL=https://test.salesforce.com npm run test:integration
# 5. Deploy to production (requires test coverage)
sf project deploy start --target-org sf-prod --test-level RunLocalTests --wait 30
# Rollback if needed
sf project deploy cancel --target-org sf-prod
Step 7: Environment Guards
// Prevent destructive operations in production
function guardProductionOperation(operation: string): void {
const config = getSalesforceConfig();
if (!config.isSandbox && process.env.NODE_ENV === 'production') {
const blocked = ['deleteAllAccounts', 'truncateContacts', 'resetData'];
if (blocked.includes(operation)) {
throw new Error(`Operation '${operation}' blocked in production Salesforce org`);
}
}
}
// Prevent using production credentials in dev
function validateEnvironment(): void {
const config = getSalesforceConfig();
if (process.env.NODE_ENV === 'development' && !config.isSandbox) {
console.warn('WARNING: Development mode connected to production org!');
}
}
Output
- Multi-environment Salesforce configuration
- Sandbox types selected for each environment
- Credentials stored in platform-appropriate secrets manager
- Deployment promotion flow from dev to production
- Environment guards preventing accidental destructive operations
Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| INVALID_LOGIN in sandbox | Wrong login URL | Use test.salesforce.com for ALL sandboxes |
| Sandbox username format | Missing .sandbox suffix | Username format: user@company.com.sandboxname |
| Config merge fails | Wrong NODE_ENV | Verify environment variable |
| Production guard triggered | Destructive operation | Use sandbox for testing |
Resources
Next Steps
For observability setup, see salesforce-observability.