Generative AI is transforming how businesses automate workflows, generate content, and improve productivity. By integrating Google Gemini Vertex AI with Salesforce, developers can build AI-powered CRM experiences directly inside Salesforce applications.
Using Salesforce Named Credentials and External Credentials, businesses can securely authenticate with Google Vertex AI APIs without hardcoding authentication tokens or secrets in Apex code. This integration uses OAuth 2.0 JWT Bearer Flow for secure server-to-server communication.
This step by step guide covers the complete setup process, including:
- Google Cloud project configuration
- Vertex AI API setup
- Service account creation
- External Credential configuration
- Named Credential setup
- Apex integration
- Testing and troubleshooting
By the end of this guide, you will understand how to build a secure AI-powered Salesforce workflow using Gemini Vertex AI.
Architecture Overview
Before starting the implementation, let’s understand the high-level architecture of the integration.
Integration Flow
- Salesforce sends an API request to Vertex AI
- Named Credential manages the endpoint
- External Credential handles authentication securely
- Vertex AI processes the prompt using Gemini
- The AI-generated response is returned to Salesforce
Prerequisites
Before starting the integration, ensure the following prerequisites are completed.
Salesforce Requirements
- Salesforce org with API access
- System Administrator permissions
- Apex enabled
- Access to Named Credentials and External Credentials
Google Cloud Requirements
- Google Cloud Platform account
- Vertex AI API enabled
- Billing enabled in GCP
- Service account with Vertex AI permissions
Recommended Knowledge
- Apex development
- REST APIs
- JSON serialization/deserialization
- Salesforce authentication architecture
Step 1: Create a Google Cloud Project
The first step is creating a Google Cloud project where Vertex AI services will be enabled.
- Open Google Cloud Console
- Click Select Project
- Click New Project
- Enter the project name
- Click Create

Step 2: Enable Vertex AI API
Once the project is created, enable the Vertex AI API.
- Navigate to APIs & Services
- Click Library
- Search for Vertex AI API
- Click Enable
Step 3: Create a Service Account
A service account is required for secure communication between Salesforce and Vertex AI.
- Navigate to IAM & Admin → Service Accounts
- Click Create Service Account
- Enter service account name
- Assign the required roles:
- AI Platform Admin
- Agent Platform User (recommended)
- Complete the setup
Important Note
Follow the principle of least privilege and assign only the minimum permissions required for production environments.

Step 4: Generate a Service Account Key
Generate a JSON key file for the service account.
- Open the created service account
- Navigate to the Keys tab
- Click Add Key → Create New Key
- Select JSON
- Download the key file
Important Note
Store the JSON key securely and never expose it publicly or commit it to version control.
Salesforce uses OAuth 2.0 JWT Bearer Flow to securely authenticate with Google Vertex AI APIs. The service account credentials are used by Salesforce External Credentials to automatically generate access tokens without hardcoding secrets in Apex.

Step 5: Configure External Credential in Salesforce
External Credentials provide secure authentication management for external integrations.
Instead of manually generating access tokens in Apex, Salesforce automatically handles authentication through External Credentials.
Authentication Configuration
Use the following configuration:
- Authentication Protocol: OAuth 2.0 JWT Bearer Flow
- Token Endpoint: https://oauth2.googleapis.com/token
- Scope: https://www.googleapis.com/auth/cloud-platform
- Issuer: Service Account Email
- Audience: https://oauth2.googleapis.com/token
External Credential Setup Steps
Open Salesforce Setup:
- Search for External Credentials
- Click New
- Enter the Label and Name
- Configure the authentication protocol
- Add authentication parameters
- Save the External Credential


OAuth 2.0 Authentication Configuration
Salesforce uses OAuth 2.0 JWT Bearer Flow to authenticate securely with Google Vertex AI APIs.
To enable JWT signing, Salesforce requires a certificate that is used to sign authentication requests before exchanging them for OAuth access tokens.
Steps
- Generate or upload a certificate in Salesforce
- Associate the certificate with the External Credential
- Configure the service account email and authentication parameters
- Save the configuration securely

Why Use External Credentials?
External Credentials provide:
- Secure authentication management
- Centralized credential handling
- No hardcoded secrets in Apex
- Better maintainability
- Salesforce security best practices alignment
Step 6: Configure Named Credential
Named Credentials simplify secure API callouts from Apex.
Once configured, Apex can reference the Named Credential directly without manually managing authentication headers.
Vertex AI Endpoint Example
Use the regional Vertex AI endpoint:
https://us-central1-aiplatform.googleapis.com
Example API path:
/v1/projects/PROJECT_ID/locations/us-central1/publishers/google/models/gemini-2.5-pro:generateContent
Region Configuration
Vertex AI models are region-specific.
Common supported regions:
- us-central1
- europe-west4
Ensure the selected model is available in the configured region. Incorrect region configuration can result in API errors.
Steps
- Open Salesforce Setup
- Search for Named Credentials
- Click New
- Enter the Label and API Name
- Add the Vertex AI endpoint URL
- Link the External Credential created earlier
- Save the Named Credential

Step 7: Create Apex Integration Class
Now we will create the Apex integration class that sends prompts to Gemini Vertex AI and retrieves AI-generated responses.
The integration uses:
- Apex HTTP callouts
- JSON serialization
- Named Credentials
- Gemini generateContent API
Apex Integration Example
public with sharing class GeminiVertexAIService {
How Authentication Works
The authentication is automatically handled by Salesforce using Named Credentials and External Credentials.
In the Apex callout, the endpoint starts with: callout:Vertex_AI_Gemini
This instructs Salesforce to:
- Use the configured Named Credential
- Retrieve authentication details from the linked External Credential
- Automatically manage access tokens
- Send authenticated requests securely to Vertex AI
Because of this setup, there is no need to manually handle OAuth tokens or authentication headers in Apex code.
Step 8: Build the Gemini Request Payload
The request payload contains:
- User prompt
- Content structure
- Generation configuration
Salesforce serializes this payload into JSON before sending it to Vertex AI.
Step 9: Parse the Gemini Response
After Gemini processes the request, Salesforce receives a JSON response containing the generated AI output.
The response can be parsed using Apex JSON deserialization.
Example Parsing Logic
You can then extract the generated content from the response structure.
Step 10: Execute and Test the Integration
You can test the integration using Anonymous Apex.
- Open Salesforce Web Console or Developer Console
- Open Execute Anonymous Window
- Write the script
- Execute the code
- Review debug logs

Error Handling and Troubleshooting
Authentication Errors
Possible causes:
- Incorrect External Credential configuration
- Invalid service account permissions
- Misconfigured authentication parameters
API Callout Errors
Possible causes:
- Incorrect endpoint URL
- Vertex AI API not enabled
- Invalid Named Credential mapping
- Incorrect Vertex AI region configuration
Best Practices
Security: Always use External Credentials instead of hardcoding tokens. Restrict service account permissions to the minimum required and rotate certificates regularly.
Performance: Avoid redundant API calls, implement retry logic with exponential backoff, and respect Salesforce governor limits on callouts.
Cost & Monitoring: Vertex AI is billed per input and output token, varying by model. Monitor quota usage and billing in Google Cloud Console alongside Salesforce debug logs to catch issues early.
Conclusion
Integrating Gemini Vertex AI with Salesforce using Named Credentials and External Credentials provides a secure and scalable approach to bring generative AI capabilities into Salesforce applications.
With this Salesforce integration, developers can automate workflows, generate AI-powered content, and create intelligent experiences while maintaining secure authentication practices through OAuth 2.0 JWT Bearer Flow.
As businesses continue adopting AI solutions, Google Gemini integration with Salesforce will help organizations build smarter applications, improve productivity, and unlock new possibilities across their CRM workflows.
Watch Demo Video
No Data Found.