Skip to main content

Agentforce Logo

ZenGuard × Salesforce AgentForce Integration Guide

Equip your Salesforce agents with real-time security and compliance checks powered by ZenGuard — all without leaving their familiar AgentForce workspace.

This tutorial walks you through every step of the integration, from credential setup to Flow Builder logic, so your AI-driven interactions stay safe and on-policy.

Prerequisites

RequirementNotes
Salesforce editionEnterprise Edition or higher with AgentForce enabled
PermissionsSystem Administrator rights (to create credentials & flows)
ZenGuard accountAPI key with detect endpoint access
Skill levelComfortable with Salesforce Setup and Flow Builder

Tip
If you’ve never used Named Credentials and External Credentials before, scan Salesforce Help’s
Named And External Credentials” article first.

Overview of the Architecture

  1. Agent submits a message (or an AI assistant proposes one).
  2. Autolaunched Flow triggers and posts the text to ZenGuard Detect API via a Named Credential HTTP Callout.
  3. ZenGuard returns a JSON payload (e.g. indicating whether PII or policy violations are present), plus a sanitized version of the text.
  4. The Flow makes a decision based on is_detected. You might:
    • Block the reply and show a toast with the sanitized text.
    • Auto-replace sensitive content.
    • Log an incident for trust & safety review.

Step 1: Create External Credential and Named Credential

To begin integrating Zenguard with Salesforce Agentforce, you must create both an External Credential and a Named Credential. These will allow Salesforce to authenticate and securely call Zenguard's API.

Create External Credential Steps

  1. In Salesforce Setup, go to:
    Security > Named Credentials

  2. Click New External Credential.

  3. Fill in the required fields:

    • Label: ZenguardExtCreds
    • Name: ZenguardExtCreds
    • Authentication Protocol: Custom

  4. Click Save.

External Credential Example

  1. After saving, open the newly created External Credential.

  2. In the Principals related list, click New to add a Named Principal:

    • Label: ZenguardNamedPrincipal

  3. Click Save to create the principal.

Named Principal

Create Named Credential Steps

  1. After creating the External Credential, go back to:
    Security > Named Credentials

  2. Click New Named Credential.

  3. Fill in the required fields:

    • Label: ZenguardAPI
    • Name: ZenguardAPI
    • URL: https://api.zenguard.ai/v1/detect
    • External Credential: Select the ZenguardExtCreds created above

  4. Save the Named Credential.

  5. After saving, reopen the created Named Credential.

  6. In the Custom Headers section, click New and add the following:

    • Name: x-api-key
    • Value: Enter your API key from the ZenGuard

  7. Save the Named Credential again.

Api Key header

Step 2: Enable Access to Named Principal in User Profiles

After creating the Named Principal, you need to enable access to it for the relevant user profiles (e.g., your profile and the Agentforce user profiles) by updating their profile settings.

Grant Access Steps

  1. In Salesforce Setup, navigate to:
    Users > Users

  2. Find yourself and click on our profile (for example, System Administrator).

  3. Click Enabled External Credential Principal Access.

Enabled External Credential Principal Access

  1. Click Edit, add the Named Principal you created earlier (e.g., ZenguardNamedPrincipal).

  2. Save the profile.

Add Named Principal

Repeat this process for all profiles that require access to the Named Principal, including the Agentforce user profiles.

Note:
Make sure that the Agentforce user profile has access to User External Credentials enabled. Without this, the integration will not have the necessary permissions to authenticate properly.

User External Credentials

Step 3: Use an Existing Flow or Create a New Autolaunched Flow

You need to either modify an existing Flow or create a new one to build logic with ZenGuard.

Setup Flow Steps

  1. In Salesforce Setup, navigate to:
    Process Automation > Flows

  2. To create a new flow, click New Flow.
    If you already have a suitable flow, you can open and edit it instead.

  3. When creating a new flow, select Start From Scratch.

  4. Choose Autolaunched Flow as the flow type.

Step 4: Configure HTTP Callout in Flow Builder

In this step, you'll add an HTTP callout to your flow using the Named Credential you created earlier. This enables your flow to send requests to the Zenguard API.

Add Action to Flow Steps

  1. Click the "+" button after the Start element.
  2. Select Action from the menu.
  3. At the bottom, click Create HTTP Callout.

Create External Service Steps

  1. In the Create HTTP Callout window:
    • External Service Name: ZenguardApiES.
    • Named Credential: Select the Named Credential you created earlier (e.g., ZenguardAPI).
  2. Click Next.

External Service

Create Invocable Action Steps

  1. Fill in the required fields:
    • Label: ZenguardPIICheck
    • Method: POST
    • URL Path: /pii (choose the appropriate Zenguard API endpoint)
  2. Click Next.

Invocable Action

Provide example Request Body Steps

  1. When prompted to define the request body, choose Use Example Request.
  2. Paste the following example:
{
  "messages": ["Hello Dexter Morgan"]
}
  1. Click Review.
  2. Click Next.

Request Body

Provide example Response Body Steps

  1. When prompted to define the response structure, choose Use Example Response.
  2. Paste the following example:
{
   "is_detected": true,
   "score": 1,
   "latency": 259.70059260725975,
   "extra": {
      "sanitized_message": "Hello NAME_1",
      "detected_pii": [
         {
            "text": "Dexter Morgan",
            "type": "name"
         }
      ]
   }
}
  1. Click Review.
  2. Click Next.

Response Body

Set Request Body Resource Steps

  1. When prompted to define a request body resource, click + New Resource.

  2. In the New Resource window, configure the following:

    • API Name: ZenguardPIIBody

  3. Click Done.

Step 5: Add Assignment to Populate Request Variable

After setting up the flow start, you'll now assign a value to the messages field in your request body variable (ZenguardPIIBody).

Configure the Assignment Steps

  1. In the Flow Builder, click the + icon before created HTTP Callout Action.

  2. Select Assignment from the list of elements.

  3. In the New Assignment window, configure the following:

    • Label: AssignMessages
    • Variable: Expand Apex-Defined Variables and select ZenguardPIIBody.messages.
    • Operator: Select Add.
    • Value: Choose the variable that contains the message you want to check for PII (or a variable that holds the detector input).

Messages Assignment

Step 6: Add Decision to Handle API Response

After the HTTP Callout Action is added to the flow, you'll need to handle the API's response. This step involves creating a Decision element to inspect the response and determine what to do next based on the result.

Configure the Decision Element Steps

  1. In Flow Builder, click the + icon after your HTTP Callout Action.

  2. Select Decision from the list of elements.

  3. In the New Decision panel, configure the following:

    • Label: PIICheckDecision
    • API Name: PIICheckDecision

  4. Fill in the fields under Outcome Details:

    • Label: PII Detected
    • Condition Logic: Use a condition like
      Resource: ZenguardPIICheck.is_detected
      Operator: Equals
      Value: True

  5. You can also create additional outcomes to inspect:

    • The sanitized message (e.g., ZenguardPIICheck.extra.sanitized_message)
    • Detected PII types (e.g., ZenguardPIICheck.extra.detected_pii)

PII Detection Decision

Contents