Problem
The telecom provider relied on Salesforce Community Cloud as the core system of record for its door-to-door sales teams. However, the sales process was fragmented: some agents used Community Cloud directly, while others operated through a custom mobile app connected to an external cloud database. In both cases, Community Cloud remained the source of truth for user authentication via Salesforce SSO.
This created a critical challenge, half of the field agents had never interacted with the Community Cloud UI, yet their credentials and password management were tied to it. Standard reset and “forgot password” flows became unusable, requiring an externalized solution to handle authentication recovery outside of Salesforce and its Community Cloud interface.
Approach
We analyzed the fragmented password management process and recognized that Salesforce Community Cloud remained the system of record for authentication, but standard “Forgot Password” flows were unusable for agents who never touched the Community Cloud UI. Our team explored Salesforce’s Headless Identity APIs, which are designed for exactly this scenario: enabling password recovery outside of Salesforce’s native UI.
We evaluated two paths:
- Build an app-native manager flow to directly reset an agent’s password.
- Implement Salesforce’s headless “Forgot Password” API with added protections for self-service recovery.
Solution
- Manager-led reset inside the mobile app: Sales managers gained the ability to reset an agent’s password directly from the mobile app, bypassing the need for Community Cloud UI interaction. This allowed rapid, in-field recovery.
- Headless Forgot Password API: Using Salesforce’s Headless Identity APIs, we implemented a flow where agents could request a reset, receive a one-time password (OTP) via email/SMS, and set a new password, all without ever logging into Community Cloud. This followed Salesforce’s recommended headless flow.
- Security with Google reCAPTCHA: To prevent automated abuse, both flows included reCAPTCHA validation before requests were submitted to Salesforce, an enhancement beyond the out-of-the-box implementation.
-
Custom backend wrapper services:
We built supporting APIs to generate PKCE code verifiers, exchange authorization codes for tokens,
call Salesforce’s
/auth/headless/forgot_passwordendpoint, and handle OTP verification. These wrappers abstracted Salesforce’s complexity, exposing clean, app-ready APIs to the client teams. - Simplified experience for the field: Agents and managers interacted only with the familiar mobile app, while Salesforce remained the secure source of truth for authentication. This reduced support calls and eliminated friction during password recovery.
Impact
- Reduced support overhead: Eliminated the need for manual intervention by IT teams and password resets via Community Cloud UI. Managers could resolve issues instantly within the mobile app.
- Seamless agent experience: Door-to-door agents never had to interact with Salesforce Community Cloud for login recovery, removing a major adoption barrier and improving day-to-day usability.
- Faster recovery times: Average password reset turnaround dropped from hours (via support escalation) to minutes, allowing sales activity to continue without disruption.
- Higher adoption and productivity: By aligning authentication flows with the app agents were already using, login-related drop-offs decreased and field productivity increased measurably.
- Stronger security posture: Integration of Google reCAPTCHA and OTP verification strengthened defenses against automated attacks, while Salesforce remained the secure identity source of truth.