Salesforce
Sales teams live in Salesforce. The connector puts the licensing picture where they already are: when an entitlement activates in MonetizeIt, its id and current status appear on a matching record in your Salesforce org, so an account owner sees whether a customer is live, paused or lapsed without leaving the CRM.
What it does today
Section titled “What it does today”When an entitlement changes, MonetizeIt writes to a LicenseGrant__c custom object
in your org:
| MonetizeIt | Salesforce LicenseGrant__c |
|---|---|
| Entitlement id | MonetizeItEntitlementId__c |
| Subscription status (active / paused / cancelled …) | Status__c |
The status is the entitlement’s current lifecycle state, re-evaluated against the
clock on every write — a license past its end date shows as expired even if nothing
else about it changed. The first write stamps MonetizeItEntitlementId__c onto the
record and never rewrites it, so the entitlement and the Salesforce record stay tied
together.
A few guardrails keep the write-back safe to leave running:
- No surprise records. By default the connector only updates records that already carry the anchor; it never creates new Salesforce records unless you turn that on.
- No writing to the wrong record. If a record is later reassigned so its anchor no longer matches, MonetizeIt refuses to overwrite it and flags it instead.
- Idempotent. Every write targets a specific record, so retries never leave duplicates behind.
Updates are batched and sent through Salesforce’s Composite API, so a burst of activations turns into a small number of requests rather than one call each. Richer fields — activation timestamps, seats used, usage — are planned; the preview keeps the mapping deliberately small.
Prepare your Salesforce org
Section titled “Prepare your Salesforce org”A Salesforce admin sets the org up once. Installing the connector’s package is the supported path — it creates the object and fields below and a minimum-permission profile for the integration user, so you don’t hand-build the schema.
The LicenseGrant__c object
Section titled “The LicenseGrant__c object”MonetizeIt writes onto a LicenseGrant__c custom object. Salesforce owns the order
details on it; MonetizeIt owns the write-back fields. In this preview MonetizeIt only
writes the status fields — it reads the order fields when inbound sync
ships.
Write-back fields (MonetizeIt-owned — leave these to the connector):
| Field | Type | Written | Notes |
|---|---|---|---|
Status__c | Picklist | now | The entitlement’s current lifecycle status. Default Pending. |
MonetizeItEntitlementId__c | Text(64) | now | The link back to the entitlement; set once. |
ActivatedAt__c | DateTime | later | Reserved for the usage release; empty in preview. |
LastUsageAt__c | DateTime | later | Reserved for the usage release. |
SeatsUsed__c | Number(8,0) | later | Reserved for the usage release. |
UsageJson__c | Long Text Area | later | Reserved for the usage release. |
Order fields (Salesforce-owned — your team maintains these):
| Field | Type | Required | Notes |
|---|---|---|---|
Name | Auto Number / Text | Yes | Display name. |
Order | Master-Detail(Order) | Yes | The parent order. |
StartDate__c | Date | Yes | Validated TODAY()-1 ≤ StartDate__c. |
EndDate__c | Date | No | Validated EndDate__c ≥ StartDate__c. Empty means perpetual. |
Quantity__c | Number(8,0) | Yes | Seats; minimum 1. |
ProductId__c / ProductCode__c | Text(64) | One required | Product reference; ProductCode__c wins if both are set. |
Subscription | Lookup(SBQQ__Subscription__c) | No | Salesforce CPQ subscriptions only. |
The order fields come into play when inbound sync ships; today the connector only writes the status fields above.
The connected app
Section titled “The connected app”MonetizeIt authenticates server-to-server, so the org needs a connected app set up for it:
- Create a connected app enabled for the OAuth
client_credentialsflow. - Assign an Execution User. Its profile and permission sets decide what the integration can do — assign the package’s minimum-permission profile, which grants Read / Edit on the write-back fields and nothing broader.
- Keep OAuth scopes minimal —
apiandrefresh_tokenare enough; avoid broad scopes such asfullandweb. - Note the authority for the environment —
https://login.salesforce.comfor a production org,https://test.salesforce.comfor a sandbox (or your My Domain URL).
Connect it in MonetizeIt
Section titled “Connect it in MonetizeIt”Administrator only. Give MonetizeIt the connected app’s credentials by reference — the client secret goes into your configured secret store, and MonetizeIt takes a reference to it, never the secret inline.
- Register the connector with MonetizeIt — its kind (
Salesforce), the org’s login authority, the environment (production or sandbox), the connected app’s client id and a reference to the stored secret. - Registration runs a live sign-in against your org before anything is saved and commits the connector only if that succeeds — so an unverified credential is never stored. On success it records your org’s id and binds this MonetizeIt account to that one org.
- MonetizeIt keeps a health status on the connection — pending → healthy → revoked, dropping to degraded if checks start failing — that you can see and re-verify at any time with a probe from the connector workbench. Rotate the secret (verified first, with no overlap window) or revoke the connector from the same place.
Nothing in your org calls MonetizeIt in this direction — the platform reaches out to Salesforce, so there is no inbound endpoint to expose.
Data & privacy
Section titled “Data & privacy”- No personal data leaves MonetizeIt. The outbound write carries only the entitlement’s status and id — no names, emails or usage.
- Secrets stay in the secret store. The client secret lives only in your configured secret store, never in configuration, and a rotation takes effect only after the new secret verifies.
- One account, one org. A connector binds exactly one MonetizeIt account to one Salesforce org; a request for another account’s connector returns not found.
- Hardened traffic. Calls to Salesforce use TLS 1.2 or higher, reach only Salesforce domains, and never follow a redirect to another host.
- Audited. Every registration, rotation, revoke and probe is recorded — who, when, what and the result — and retained for seven years.
Not yet available
Section titled “Not yet available”So you can plan around it, these are the parts still in progress and not to build on yet:
- Inbound sync — Salesforce accounts, contacts and orders creating or updating organizations, users and entitlements in MonetizeIt. This is where the order fields above, and Change Data Capture on the synced objects, come into play.
- Durable delivery guarantees and usage projection onto the Salesforce record (the reserved fields above).
If you need account-and-order sync today, the Zapier and Stripe patterns — webhooks plus the REST API — are the supported way to drive entitlements from an external system.