Deploy Salesforce-connected Node.js applications to Heroku (native SF integration), Vercel, or Cloud Run with JWT authentication and proper secrets management.
Heroku has native Salesforce integration via Heroku Connect (bi-directional data sync).
# Create Heroku app
heroku create my-sf-app
# Set Salesforce credentials as config vars
heroku config:set SF_LOGIN_URL=https://login.salesforce.com
heroku config:set SF_CLIENT_ID=3MVG9...
heroku config:set SF_USERNAME=integration@yourcompany.com
heroku config:set SF_JWT_KEY="$(cat server.key)"
# Deploy
git push heroku main
# Optional: Add Heroku Connect for bi-directional sync
heroku addons:create herokuconnect:demo
heroku connect:authorize
# Map sObjects: Account, Contact, Opportunity → Postgres tables
# Add Salesforce secrets
vercel env add SF_LOGIN_URL production
vercel env add SF_CLIENT_ID production
vercel env add SF_USERNAME production
vercel env add SF_JWT_KEY production # Paste private key content
# Deploy
vercel --prod
{
"functions": {
"api/**/*.ts": {
"maxDuration": 30
}
}
}
// api/salesforce/accounts.ts — Vercel serverless function
import jsforce from 'jsforce';
export default async function handler(req, res) {
const conn = new jsforce.Connection({
loginUrl: process.env.SF_LOGIN_URL,
});
// JWT auth — no password needed
await conn.authorize({
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
client_id: process.env.SF_CLIENT_ID!,
username: process.env.SF_USERNAME!,
privateKey: process.env.SF_JWT_KEY!,
});
const accounts = await conn.query(
'SELECT Id, Name, Industry FROM Account ORDER BY CreatedDate DESC LIMIT 10'
);
res.json({ accounts: accounts.records });
}
FROM node:20-slim
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
CMD ["npm", "start"]
# Store JWT key in Secret Manager
echo -n "$(cat server.key)" | gcloud secrets create sf-jwt-key --data-file=-
# Build and deploy
gcloud builds submit --tag gcr.io/$PROJECT_ID/sf-service
gcloud run deploy sf-service \
--image gcr.io/$PROJECT_ID/sf-service \
--region us-central1 \
--platform managed \
--set-env-vars SF_LOGIN_URL=https://login.salesforce.com \
--set-env-vars SF_CLIENT_ID=3MVG9... \
--set-env-vars SF_USERNAME=integration@yourcompany.com \
--set-secrets=SF_JWT_KEY=sf-jwt-key:latest
// health.ts — include in every deployment
export async function healthCheck() {
const conn = new jsforce.Connection({ loginUrl: process.env.SF_LOGIN_URL });
try {
await conn.authorize({ /* JWT params */ });
const limits = await conn.request('/services/data/v59.0/limits/');
const apiRemaining = limits.DailyApiRequests.Remaining;
return {
status: apiRemaining > 1000 ? 'healthy' : 'degraded',
salesforce: {
connected: true,
instance: conn.instanceUrl,
apiRemaining,
},
};
} catch (error: any) {
return {
status: 'unhealthy',
salesforce: { connected: false, error: error.message },
};
}
}
| Issue | Cause | Solution |
|---|---|---|
INVALID_GRANT on deploy |
JWT key format issue | Ensure full private key including headers |
| Cold start timeout | Connection + auth on every request | Cache connection or use connection pooling |
| Health check fails | Wrong SF_LOGIN_URL | login.salesforce.com for prod, test.salesforce.com for sandbox |
| Secret not found | Wrong secret name | Verify with platform-specific secret list command |
For event handling, see salesforce-webhooks-events.