What are the approved methods for modifying custom metadata from within a managed package's component?
Answer
Approved methods for modifying custom metadata from within a managed package's component include using the Metadata API with a session ID. However, you must obtain the customer's session ID and consent before making any changes. Additionally, it's important to notify the admin of any modifications and ensure that all fields being updated are non-sensitive and comply with security guidelines.
It is secure and supported to access protected custom metadata records from within a managed package. Protected custom metadata ensures that sensitive data is not exposed to subscribers or other packages, and it is specifically designed for secure storage and access within the managed package.
What are the approved methods for modifying custom metadata from within a managed package's component?
Recommended Answer Update
Custom metadata cannot be modified from within a managed package using the Metadata API with session IDs. This approach violates security requirements and isn't supported. Managed packages should use supported methods like Custom Settings or Platform Events for configuration changes that need to happen at runtime.
It is secure and supported to access protected custom metadata records from within a managed package. Protected custom metadata ensures that sensitive data isn't exposed to subscribers or other packages, and it's specifically designed for secure storage and access within the managed package.
Reasoning
The original answer contains a major security violation by suggesting the use of session IDs with the Metadata API from within managed packages. This directly conflicts with multiple security rules that prohibit unauthorized use of session IDs in managed package code. The approach recommended in the original answer (using the Metadata API with session IDs) is both unsupported by Salesforce and flagged by security scanners as a critical violation. The answer needed to be corrected to remove this dangerous recommendation while preserving the accurate information about protected custom metadata access.
The related security rules are:
AvoidApiSessionId - relates to the FAQ's discussion of "using the Metadata API with a session ID", which this rule specifically flags as problematic.
AvoidUnauthorizedApiSessionIdInApex - directly applies to the FAQ's suggestion of obtaining and using the "customer's session ID" in managed package code.
AvoidUnauthorizedGetSessionIdInApex - relates to the FAQ's implied approach of obtaining session IDs for API calls within managed packages.
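A pre-submission check for the session ID patterns discussed above, as an added example that is not part of the original FAQ or of Salesforce's scanner: it flags `UserInfo.getSessionId()` in Apex and `$Api.Session_ID` in Visualforce markup. The regular expressions, file names and sample sources are constructed assumptions and only approximate what the named rules check.

```python
import re

# Constructed patterns for this example; they are not the scanner's rule definitions.
PATTERNS = {
    "UserInfo.getSessionId() call": re.compile(
        r"\bUserInfo\s*\.\s*getSessionId\s*\(\s*\)", re.I),  # Apex is case-insensitive
    "$Api.Session_ID merge field": re.compile(r"\$Api\s*\.\s*Session_ID\b", re.I),
}
APEX_EXTENSIONS = (".cls", ".trigger")
_COMMENT_OR_STRING = re.compile(r"/\*.*?\*/|//[^\n]*|'(?:\\.|[^'\\\n])*'", re.S)

def blank_apex_comments(src):
    """Replace Apex comments with spaces, keeping string literals and line breaks."""
    def repl(match):
        text = match.group(0)
        return text if text.startswith("'") else re.sub(r"[^\n]", " ", text)
    return _COMMENT_OR_STRING.sub(repl, src)

def find_session_id_use(filename, src):
    """Return sorted (filename, line, label) tuples for session ID references."""
    if filename.lower().endswith(APEX_EXTENSIONS):
        src = blank_apex_comments(src)  # '//' in markup URLs is not a comment
    hits = []
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(src):
            hits.append((filename, src.count("\n", 0, match.start()) + 1, label))
    return sorted(hits, key=lambda hit: hit[1])

# Constructed sample sources (not taken from any real package).
APEX_SAMPLE = """\
public class ConfigWriter {
    // UserInfo.getSessionId() was removed here
    public void push() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://example.invalid/endpoint');
        req.setHeader('Authorization', 'Bearer ' + userinfo.GetSessionId ( ));
    }
}
"""
VF_SAMPLE = """\
<apex:page>
  <script>var sid = "{!$Api.Session_ID}";</script>
</apex:page>
"""

if __name__ == "__main__":
    for name, src in (("ConfigWriter.cls", APEX_SAMPLE), ("Config.page", VF_SAMPLE)):
        for hit in find_session_id_use(name, src):
            print("%s:%d: %s" % hit)
```

The commented-out call on line 2 of the Apex sample is ignored, while the live call on line 6 is reported despite its unusual casing and spacing.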