FAQ-000516 - Custom Settings and Configuration Security / Public Custom Settings and Metadata Security Concerns

No, it's not acceptable to store API keys in **public Custom Metadata Types**, even if they're set by the end-user in the subscriber org. Public Custom Metadata Types are accessible and modifiable by other packages and untrusted code within the subscriber org, which creates a security risk. Instead, API keys should be stored securely using: - **Protected Custom Metadata** - **Protected Custom Settings** - **Named Credentials** (recommended for external API authentication) - Or encrypted in a custom object, with the encryption key stored securely in a protected location.

The existing answer covers the core security concern correctly but can be improved by adding Named Credentials as a recommended secure storage option. This aligns with modern Salesforce best practices for API authentication. The ApexSuggestUsingNamedCred rule is directly relevant because it recommends using Named Credentials for storing API credentials securely, which is exactly what this FAQ discusses. The FAQ specifically addresses storing 'API keys' for external API access, and Named Credentials are the preferred Salesforce-native solution for this use case. The rule serves to detect when developers are hardcoding credentials in Apex and suggests Named Credentials as the secure alternative, making it highly relevant to this FAQ's guidance on secure API key storage.