Mandatory Salesforce Security Upgrade & What It Means for Payments2us Orgs on Version 11.x

**Article Regularly Updated**

This article is regularly updated. Latest material changes/updates appear at the top with timestamps. We recommend bookmarking this page. You will also receive email notifications as material updates are posted.

👉 Latest Updates

[05/05/2026 11:00 AM] — Article published. Initial guidance for v11.x customers.


A. What is happening?

Salesforce has issued a mandatory security directive requiring all apps on the AppExchange to implement new OAuth security standards — specifically PKCE (Proof Key for Code Exchange) and Refresh Token Rotation — across every Connected App and External Client App on its platform. This is not specific to Payments2us. Every ISV on the AppExchange is subject to the same requirements, with a hard enforcement deadline of May 11, 2026.

Salesforce issued the final enforcement advisory on April 29, 2026, giving the ISV community less than two weeks to implement what is a fundamental architectural change. Like many in the Salesforce partner community, we were given very little notice. Our engineering team mobilised immediately and has been working at full capacity since to build these mandated security changes into our upcoming release, which at this stage is anticipated to be Release 11.4 (note: release number subject to final confirmation).

At Payments2us, we take our obligations to Salesforce's security standards seriously. Where security is concerned, we do not wait — we comply. Release 11.4 is being built specifically to ensure your org remains secure, compliant and fully operational beyond May 11.

B. Does this affect me?

Yes — but not in the way you might expect. Because you are on v11.x, you are on a supported and current version of Payments2us. Our team is handling all of the technical code changes entirely on our end. This article is here to keep you informed and prepared.

That said, it is important to understand the stakes: if Release 11.4 is not successfully pushed to your org by May 11, Payments2us will cease to function in your environment — including all payment processes and any business processes that depend on the application. This is why we are working urgently to ensure the release lands on every org by May 11.

C. What action do I need to take right now — and what happens after Release 11.4?

As a customer on v11.x, you are in a better position than most. The technical work is entirely on our side; however, there are a couple of things we want you to be aware of and prepare for so that when Release 11.4 lands, your org is back up and running as quickly as possible.

We are now expecting to push Release 11.4 on Monday May 11. When the push occurs, there will be a period of downtime for Payments2us in your org while the new security changes take effect. This is expected and temporary.

Here is what we are anticipating will need to happen on your side after the push:

  • Re-authorisation of the Payments2us app. Once Release 11.4 has landed in your org, your Salesforce Administrator will need to complete a re-authorisation step to reconnect Payments2us with your Salesforce org under the new security standards. This is a one-time process and we expect it to take no more than 10 minutes. Until this is completed, Payments2us will not be operational in your environment.
  • How to prepare now. We recommend letting your Salesforce Administrator know this is coming. We will publish the full step-by-step re-authorisation process in this article on or before May 8 — bookmark this page so your admin has it ready to go the moment the push lands. The sooner the re-authorisation is completed after the push, the sooner your org is back up and running.

Again, we will update this article with timestamped entries as things progress and will notify you by email when material updates are posted, including when the re-authorisation guide is live.

We do not anticipate any issues once re-authorisation is complete and expect business to continue as usual. Your payment processes, configurations and data should not be affected. That said, we ask that you stay close to this article and our email updates in the days following the push — if anything unexpected arises, we will communicate it here immediately and work through it together with you.

D. What is happening on May 11?

As outlined above, May 11, 2026 is Salesforce's hard enforcement deadline and we are targeting this date for the Release 11.4 push to all v11.x orgs. We cannot confirm an exact time at this stage. What we can confirm is that when the push occurs, it is likely to be a rollout across Sandbox and Production environments. We may push to Sandbox a day or two prior, with Production following on May 11.

We want to be transparent: our normal protocol is to push to Sandbox first, giving customers at least 3 weeks of testing time before the Production push. On this occasion, the deadline Salesforce has given us left no room for a staged rollout. We are testing the release thoroughly on our end and our goal is for this transition to be as seamless as possible.

We will update this article and notify you by email as soon as we have a confirmed time for the push.

There are two important exceptions to be aware of:

If you have previously opted out of push updates, you will not automatically receive Release 11.4 — and without it, Payments2us will cease to function in your org after May 11, which means your payment processes and any business processes that depend on Payments2us will stop working. Please email us immediately at support@payments2us.com to re-include yourself for push updates. Do not delay.

If your org is on v9.x or v10.x, this article is not intended for you until you have upgraded to the latest stable release on v11.x. We sent a separate and urgent email to those customers on May 4, 2026. If you did not receive it, please contact us at support@payments2us.com with urgency.

E. Will there be any disruption/downtime to my org?

There will be a period of unavoidable downtime on May 11 while the release takes effect. Once we initiate the push, Salesforce typically takes a couple of hours to propagate the release at org level. Once that is confirmed, your Salesforce Administrator will need to complete the re-authorisation process, which we expect to take no more than 10 minutes. The combination of these two steps represents the total downtime window for Payments2us in your environment.

On or before May 8, we will send an email confirming the exact time we plan to initiate the push on May 11 — we recommend sharing this with your Salesforce Administrator and any relevant stakeholders so they can plan accordingly. Please note that once we initiate the push, the propagation time at org level is managed by Salesforce and may vary, though in most cases this is a couple of hours.

Outside of this window, our goal is zero disruption. Release 11.4 is being built and tested specifically to land cleanly on all v11.x environments. We will communicate immediately via both this article and email if anything changes.

F. What is this security change about — and why is Salesforce doing this?

In early 2025, a significant security breach affecting multiple Salesforce-connected applications exposed how vulnerable static, long-lived authentication tokens can be. Once compromised, those tokens gave attackers persistent access to customer Salesforce environments across hundreds of organisations.

In response, Salesforce has mandated two core security changes across its entire platform:

PKCE (Proof Key for Code Exchange) is a security extension to the OAuth login process. In simple terms, it ensures that even if an authorisation code is intercepted during login, it cannot be used by anyone other than the application that originally requested it. It makes the initial handshake between Payments2us and your Salesforce org significantly more secure.

Refresh Token Rotation (RTR) means that every time Payments2us silently refreshes its connection to your org in the background, the old token is immediately invalidated and replaced with a new one. Previously, a single token could be reused indefinitely — meaning a stolen token was a permanent key. With rotation, a stolen token becomes useless almost immediately.

Together, these two changes represent a meaningful improvement in the security of your org's connection to Payments2us and to Salesforce as a platform. Release 11.4 will implement both in full.
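The two mechanisms described above, sketched as an added example; this is not Payments2us or Salesforce code. `ToyAuthServer` and its method names are hypothetical, and the in-memory server stands in for a real OAuth token endpoint, using the S256 challenge method from RFC 7636.

```python
import base64, hashlib, hmac, secrets

def b64url(raw: bytes) -> str:
    # base64url without padding, the encoding RFC 7636 uses
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair():
    # Client side: the verifier stays local; only the challenge is sent up front
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256(verifier)

class ToyAuthServer:
    """Hypothetical in-memory authorization server (constructed for illustration)."""
    def __init__(self):
        self.codes = {}       # authorization code -> code_challenge
        self.refresh = set()  # refresh tokens that are currently valid

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = code_challenge
        return code

    def exchange_code(self, code: str, code_verifier: str) -> str:
        # Codes are single use: pop first, so a failed attempt also burns the code
        challenge = self.codes.pop(code, None)
        if challenge is None:
            raise PermissionError("unknown or already used code")
        if not hmac.compare_digest(s256(code_verifier), challenge):
            raise PermissionError("PKCE verifier does not match challenge")
        return self._issue()

    def refresh_token(self, token: str) -> str:
        # Rotation: the presented token is invalidated and a new one is returned
        if token not in self.refresh:
            raise PermissionError("refresh token invalid or already rotated")
        self.refresh.discard(token)
        return self._issue()

    def _issue(self) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh.add(token)
        return token
```

An intercepted authorisation code fails at `exchange_code` without the matching verifier, and a copied refresh token fails at `refresh_token` once the legitimate client has rotated it.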

G. Where can I read more about the technical requirements?

For further reading on the Salesforce mandate and how the broader ISV community is responding, the following articles may be helpful:

H. I am on v11.0 and not on 11.1 or 11.2 — what happens to Flows when Release 11.4 is pushed?

We introduced Flows in versions 11.1 and 11.2. If you are using or aware of this feature, you may be wondering whether the Release 11.4 push will automatically activate Flows in your org, disabling workflows. The short answer is NO.

Flows were deliberately rolled out in a turned-off state and will remain that way as part of the Release 11.4 upgrade. You do not need to take any action and nothing will change in your org with respect to Flows as a result of this push.

When you are ready to explore migrating from Workflows to Flows at a time of your choosing, please refer to our guide here: https://help.payments2us.com/en_US/workflows-optional/how-to-migrate-workflow-to-flow

Updated at May 5th, 2026
