Salesforce Data Cloud Integration Guide

Overview

This guide explains how to connect Bridged with Salesforce Data Cloud (recently rebranded as Data 360) to unify customer data, enable real-time personalization, and power AI-driven experiences. The integration supports reading unified customer profiles, ingesting engagement data, and leveraging Data Cloud's hyperscale data platform for activation playbooks.

Salesforce Data Cloud is a hyperscale data platform built on Salesforce's core infrastructure. It enables organizations to unify customer data from various systems (CRMs, ERP systems, web applications, data warehouses) into a single, real-time customer profile. This unified view allows marketing, sales, and service teams to activate customer data across every interaction, whether through email campaigns, service workflows, or digital advertising. With Data Cloud, businesses can move from insight to action in milliseconds, delivering personalization at scale.

Prerequisites

Before starting, ensure you have:

  • A Salesforce org with Data Cloud enabled (requires a Data Cloud subscription/license)

  • A Salesforce user with System Administrator permissions

  • Access to create Connected Apps in Salesforce

  • For server-to-server authentication: Ability to generate a digital certificate (self-signed or CA-issued)

Data Cloud API Capabilities

Data Cloud provides multiple API surfaces for different use cases:

| API / Method | Purpose | Use Case |
| --- | --- | --- |
| Ingestion API | Bring external data into Data Cloud | Write customer interactions, transactions, events |
| Query API v2 | Run ANSI SQL queries on Data Cloud data | Read unified customer profiles, segment data |
| Connect REST API | Manage segments, identity resolution rulesets | Profile stitching, audience management |
| Enrichments | Copy Data Cloud insights into standard Salesforce objects | Display unified metrics in Sales/Service Cloud |
| Data Actions | Publish platform events from Data Cloud | Trigger workflows in other Salesforce orgs |

Note: As of October 14, 2025, Data Cloud has been rebranded to Data 360. During this transition, you may see references to either name in Salesforce documentation and applications.

Connection Methods

Bridged supports multiple authentication methods for Salesforce Data Cloud:

| Method | Best for | Setup complexity | Required for |
| --- | --- | --- | --- |
| OAuth 2.0 JWT Bearer (Preferred) | Server-to-server, production integrations | High | Query API, Ingestion API |
| OAuth 2.0 Web Server Flow | Interactive user login, testing | Medium | Development, debugging |
| Named Credentials | Org-to-org Apex callouts | Medium | Querying from non-Data Cloud orgs |

Recommendation: OAuth 2.0 JWT Bearer flow is required for most Data Cloud API interactions. The Data Cloud API has strict authentication requirements compared to other REST-based Salesforce APIs. JWT authentication enables secure server-to-server communication without user interaction.

Step 1: Create a Digital Certificate (Self-Signed)

Interacting with the Data Cloud API requires a signed digital certificate. You can use a private key and certificate issued by a certification authority, or create a self-signed certificate using OpenSSL.

Generate a private key and certificate:

bash

# Generate a 2048-bit RSA private key; the umask keeps the file private from the moment it is created
(umask 077 && openssl genrsa -out host.key 2048) && chmod 400 host.key

# Use the private key to sign a certificate
openssl req -new -x509 -nodes -sha256 -days 365 -key host.key -out host.crt

Important: Keep the private key (host.key) secure. You will need it to encode JWTs for authentication.

Step 2: Create a Connected App in Salesforce

The connected app provides a framework that enables an external application (Bridged) to integrate with Salesforce Data Cloud using APIs and OAuth 2.0 JWT Bearer flow.

  1. Log in to your Salesforce org where Data Cloud is enabled.

  2. Navigate to Setup → App Manager.

  3. Click New Connected App.

  4. Select Create an External Client App, then Continue.

Basic Information:

| Field | Value |
| --- | --- |
| Connected App Name | Bridged Data Cloud Integration |
| API Name | Bridged_Data_Cloud_Integration |
| Contact Email | your email address |
| Distribution State | Local |

API (OAuth Settings):

| Field | Value |
| --- | --- |
| Enable OAuth Settings | Checked |
| Callback URL | https://gateway.bridged.media/auth/salesforcedatacloud/callback |
| Use digital signatures | Checked |
| Certificate | Upload host.crt (the certificate file you created) |

Selected OAuth Scopes - Add the following:

| Scope | Description | Required for |
| --- | --- | --- |
| api | Manage user data via APIs | Basic API access |
| refresh_token, offline_access | Perform requests at any time | Token refresh |
| cdp_query_api | Perform ANSI SQL queries on Data Cloud data | Reading data via Query API |
| cdp_profile_api | Manage Data Cloud profile data | Profile access |
| cdp_ingest_api | Ingest data into Data Cloud | Writing data via Ingestion API |

Flow Enablement:

| Field | Value |
| --- | --- |
| Enable JWT Bearer Flow | Checked |

Security:

  • De-select all options under the Security section.

  5. Click Save.

  6. Click Manage Consumer Details.

  7. Copy and save the Consumer Key (Client ID); you will need this for authentication.

Step 3: Configure OAuth Policies

  1. From the Connected App detail page, click Manage.

  2. Click Edit Policies.

OAuth Policies:

| Setting | Value |
| --- | --- |
| Permitted Users | Admin approved users are pre-authorized |
| Refresh Token Policy | Refresh token is valid until revoked |
| IP Relaxation | Relax IP restrictions (or set as appropriate for your security requirements) |

  3. Click Save.

  4. Under Profiles, add System Administrator (or the profile of the integration user).

Step 4: Set Up an Integration User

For production integrations, create a dedicated integration user with Data Cloud permissions:

  1. Go to Setup → Users → New User.

  2. Create a user: Bridged Data Cloud User.

  3. Assign a profile with API Only permission.

  4. Assign the Data Cloud Admin permission set.

  5. Ensure the user has access to the required Data Spaces:

    • Navigate to Permission Sets → Data Cloud Admin → Data Cloud Data Space Management

    • Check Enabled for the default data space

    • Click Save

Step 5: Configure Bridged to Connect to Salesforce Data Cloud

  1. Log in to your Bridged dashboard.

  2. Navigate to the Integrations section. If you do not see this section, contact support@bridged.media.

  3. Click Salesforce Data Cloud → Connect Account.

  4. Choose your authentication method:

Option A: OAuth 2.0 JWT Bearer (Preferred for Production)

This method uses a JWT (JSON Web Token) signed with your private key to obtain an access token without user interaction.

Generate an Encoded JWT (Offline):

Bridged handles JWT generation automatically, but for testing or troubleshooting, you can generate one manually using the following Node.js script:

javascript

import { readFileSync } from 'fs';
import jwt from 'jsonwebtoken';

const clientId = 'YOUR_CONSUMER_KEY';  // From Connected App
const username = 'integration_user@yourcompany.com';  // Integration user email
const privateKey = readFileSync('host.key', 'utf8');

const claims = {
  iss: clientId,
  sub: username,
  aud: 'https://login.salesforce.com',
  exp: Math.floor(Date.now() / 1000) + (10 * 365 * 24 * 60 * 60)  // 10 years
};

const token = jwt.sign(claims, privateKey, { algorithm: 'RS256' });
console.log('Encoded JWT:', token);

Enter credentials in Bridged:

| Field | Description | Where to find |
| --- | --- | --- |
| Client ID (Consumer Key) | Connected App identifier | Connected App → Manage Consumer Details |
| Private Key | The private key file content (host.key) | Generated in Step 1 |
| Username | Integration user email | User setup in Step 4 |
| Login URL | Salesforce login endpoint | https://login.salesforce.com (Production) or https://test.salesforce.com (Sandbox) |
| API Region | US or EU (affects token endpoint) | Based on your Salesforce instance |

Option B: Named Credentials (For Org-to-Org Queries)

If you are connecting from a Salesforce org without Data Cloud to a Data Cloud-enabled org, use Named Credentials:

  1. In your source Salesforce org, create an Authentication Provider with "Salesforce" as the Provider type.

  2. Create a Named Credential pointing to your Data Cloud org.

  3. Configure the callback URL in the Data Cloud org's Connected App to point to your source org.

Step 6: Configure Data Sync Settings

Once connected, configure the following:

| Setting | Options | Description |
| --- | --- | --- |
| Sync direction | Read only, Write only, Read + Write | Define data flow |
| Data operation | Query, Ingest, Both | Query reads data; Ingest writes data |
| Data model objects | Unified Individual, Engagement, Custom DMOs | Which Data Cloud objects to access |
| Sync frequency | Real-time (streaming), Hourly, Daily | How often to sync |
| CRM connector sync | Enabled, Disabled | Note: CRM connector data syncs every 5-10 minutes, not sub-second |

Bulk sync limit: Each bulk operation is limited to 50 records per request.

Understanding Data Cloud Data Flow

Data Cloud unifies data through several stages:

| Stage | Description | Timing |
| --- | --- | --- |
| Data Stream | Ingests raw data from sources (web, CRM, data lakes) | Configurable |
| Data Mapping | Maps source fields to Data Cloud model | One-time setup |
| Identity Resolution | Matches and reconciles records across sources | On-demand or scheduled |
| Unified Individual | Single customer record across all sources | After identity resolution |
| Real-Time Data Graph | Sub-second event processing | Real-time for web SDK events |

Note: Web SDK events resolve in real-time (sub-second). CRM events resolve on schedule (typically 10-15 minutes).

Step 7: Reading Data from Data Cloud (Query API)

Bridged uses the Data Cloud Query API v2 to read unified customer data. The Query API accepts standard ANSI SQL (not SOQL).

Example: Query Unified Individual Profile

http

POST https://your-instance.salesforce.com/services/data/v61.0/ssot/queryv2
Authorization: Bearer {access_token}
Content-Type: application/json

{
  "sql": "SELECT IndividualId, FirstName, LastName, Email FROM UnifiedIndividual LIMIT 50"
}

Obtaining a Data Cloud Token

The authentication flow requires two steps:

  1. Obtain Salesforce access token via JWT Bearer flow

  2. Exchange for Data Cloud token by POST to /services/a360/token

Token exchange request:

http

POST /services/a360/token
Host: your-instance.salesforce.com
Authorization: Bearer {salesforce_access_token}

Successful response:

json

{
  "instance_url": "https://your-instance.salesforce.com",
  "access_token": "data_cloud_specific_token"
}

Bridged handles this token exchange automatically.

Supported Query Operations

| Operation | SQL Example | Use Case |
| --- | --- | --- |
| SELECT | SELECT * FROM UnifiedIndividual | Read customer profiles |
| WHERE | WHERE Email = 'customer@example.com' | Filter specific records |
| LIMIT | LIMIT 50 | Control batch size |
| Aggregations | COUNT(*), SUM, AVG | Analytics |

Important: Data Cloud Query API uses SQL, not Salesforce Object Query Language (SOQL).
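
Because the Query API takes a raw SQL string in the JSON body, any value that originates outside your own code has to be escaped or allowlisted before it is concatenated into the statement. The following is an added example, not Bridged's or Salesforce's code: `buildProfileQuery`, the column allowlist and the cap of 50 are assumptions for illustration, and literal escaping follows the ANSI rule of doubling single quotes.

```javascript
// Added example: build a Query API v2 request body without letting
// caller-supplied values change the shape of the SQL statement.

// Assumption: the only columns this integration may read (taken from the
// UnifiedIndividual example on this page).
const ALLOWED_COLUMNS = new Set(['IndividualId', 'FirstName', 'LastName', 'Email']);
const MAX_LIMIT = 50; // assumption: mirrors the LIMIT 50 batch size used above

// ANSI SQL string literal: wrap in single quotes and double embedded quotes.
function sqlString(value) {
  if (typeof value !== 'string') throw new TypeError('literal must be a string');
  if (/[\u0000-\u001f]/.test(value)) throw new Error('control characters are not allowed in a literal');
  return `'${value.replace(/'/g, "''")}'`;
}

// Hypothetical helper: returns the JSON body for POST .../ssot/queryv2.
function buildProfileQuery({ columns, email, limit = MAX_LIMIT }) {
  if (!Array.isArray(columns) || columns.length === 0) throw new Error('no columns requested');
  for (const col of columns) {
    // Identifiers cannot be escaped like literals, so they are allowlisted.
    if (!ALLOWED_COLUMNS.has(col)) throw new Error(`column not allowed: ${col}`);
  }
  if (!Number.isInteger(limit) || limit < 1) throw new Error('limit must be a positive integer');
  let sql = `SELECT ${columns.join(', ')} FROM UnifiedIndividual`;
  if (email !== undefined) sql += ` WHERE Email = ${sqlString(email)}`;
  sql += ` LIMIT ${Math.min(limit, MAX_LIMIT)}`;
  return { sql };
}

// Constructed sample inputs: a normal lookup, a value containing quotes,
// and a column name that is not on the allowlist.
function demoQuery() {
  const normal = buildProfileQuery({ columns: ['IndividualId', 'Email'], email: 'customer@example.com', limit: 500 });
  const quoted = buildProfileQuery({ columns: ['Email'], email: "x' OR '1'='1" });
  let rejected = false;
  try {
    buildProfileQuery({ columns: ['Email FROM Secrets --'] });
  } catch {
    rejected = true;
  }
  return { normal: normal.sql, quoted: quoted.sql, rejected };
}
```
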

Step 8: Writing Data to Data Cloud (Ingestion API)

Bridged uses the Data Cloud Ingestion API to write customer interactions, events, and engagement data into Data Cloud.

Step 8.1: Create an Ingestion API in Data Cloud

  1. In your Data Cloud org, navigate to Data Cloud Setup.

  2. Under External Integration, select Ingestion API.

  3. Click New.

  4. Define your data model using an OpenAPI Specification (OAS) file.

Step 8.2: Define OpenAPI Schema

Create an OAS file defining the data structure you want to ingest. Example for customer engagement events:

yaml

openapi: 3.0.3
components:
  schemas:
    EngagementEvent:
      type: object
      properties:
        event_id:
          type: string
        customer_email:
          type: string
          format: email
        event_type:
          type: string
        event_timestamp:
          type: string
          format: date-time
        conversation_id:
          type: string
        channel:
          type: string

Step 8.3: Upload Schema and Create Data Stream

  1. Upload the OAS file using Upload Files in the Ingestion API connector.

  2. Review the Preview Schema screen and click Save.

  3. Create a Data Stream to enable actual data ingestion.

Step 8.4: Write Data via Ingestion API

Once configured, Bridged writes data using HTTP POST requests to the Ingestion API endpoint:

http

POST https://your-instance.salesforce.com/api/v1/ingest/{stream_name}
Authorization: Bearer {data_cloud_token}
Content-Type: application/json

{
  "data": [
    {
      "event_id": "evt_12345",
      "customer_email": "lead@example.com",
      "event_type": "lead_qualified",
      "event_timestamp": "2026-04-19T10:00:00Z",
      "conversation_id": "conv_67890",
      "channel": "whatsapp"
    }
  ]
}

Note: Set EnableAsUpsert=ALL in your connection configuration to support upsert operations (update existing records or insert new ones).
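
Validating events against the Step 8.2 schema before they leave your system keeps unexpected fields out of Data Cloud and keeps each request within the 50-record bulk limit. The following is an added example, not Bridged's or Salesforce's code: `validateEvent` and `buildIngestBodies` are hypothetical helpers, and treating every schema property as required is an assumption, since the schema above does not mark any field as required.

```javascript
// Added example: validate events against the EngagementEvent schema from
// Step 8.2 and split them into request bodies of at most 50 records.
const FIELDS = ['event_id', 'customer_email', 'event_type', 'event_timestamp', 'conversation_id', 'channel'];
const MAX_RECORDS = 50; // bulk limit stated on this page
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const DATE_TIME_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

// Returns a list of problems; an empty list means the event matches the schema.
function validateEvent(ev) {
  const errors = [];
  for (const key of Object.keys(ev)) {
    // Fields outside the schema are rejected rather than silently forwarded.
    if (!FIELDS.includes(key)) errors.push(`unexpected field: ${key}`);
  }
  for (const f of FIELDS) {
    // Assumption: every schema property is required and must be a non-empty string.
    if (typeof ev[f] !== 'string' || ev[f] === '') errors.push(`missing or non-string: ${f}`);
  }
  if (typeof ev.customer_email === 'string' && !EMAIL_RE.test(ev.customer_email)) {
    errors.push('customer_email is not an email address');
  }
  if (typeof ev.event_timestamp === 'string' && !DATE_TIME_RE.test(ev.event_timestamp)) {
    errors.push('event_timestamp is not an RFC 3339 date-time');
  }
  return errors;
}

// Returns { bodies, rejected }: bodies are ready to POST as {"data": [...]}.
function buildIngestBodies(events) {
  const valid = [];
  const rejected = [];
  events.forEach((ev, index) => {
    const errors = validateEvent(ev);
    if (errors.length > 0) rejected.push({ index, errors });
    else valid.push(ev);
  });
  const bodies = [];
  for (let i = 0; i < valid.length; i += MAX_RECORDS) {
    bodies.push({ data: valid.slice(i, i + MAX_RECORDS) });
  }
  return { bodies, rejected };
}

// Constructed sample: 120 well-formed events plus one with a bad email and an extra field.
function demoIngest() {
  const good = Array.from({ length: 120 }, (_, i) => ({
    event_id: `evt_${i}`, customer_email: 'lead@example.com', event_type: 'lead_qualified',
    event_timestamp: '2026-04-19T10:00:00Z', conversation_id: `conv_${i}`, channel: 'whatsapp',
  }));
  const bad = { ...good[0], customer_email: 'not-an-email', internal_note: 'do not send' };
  const { bodies, rejected } = buildIngestBodies([...good, bad]);
  return { sizes: bodies.map((b) => b.data.length), rejected };
}
```
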

Step 9: Configure Enrichments (Optional)

Data Cloud can copy insights directly into standard Salesforce objects for sales and service teams.

Use Cases for Enrichments:

| Team | Enrichment Example |
| --- | --- |
| Sales | Copy account lifetime value from all lines of business into Sales Cloud |
| Service | Aggregate open cases across service organizations onto account records |

To set up enrichments for Bridged-synced data:

  1. In Data Cloud, navigate to Enrichments.

  2. Create a new enrichment mapping Data Cloud fields to standard Salesforce object fields.

  3. Activate the enrichment.

Step 10: Test the Integration

  • In Bridged, go to Integrations → Salesforce Data Cloud → Test Connection.

  • Run a test query to verify read access:

sql

SELECT IndividualId, Email FROM UnifiedIndividual LIMIT 1

  • If writing data: Send a test event via the Ingestion API.

  • Verify the data appears in Data Cloud using Data Explorer:

    • Navigate to Data Explorer → Data Model

    • Sort by Created Date to see incoming records

Common Use Cases

| Playbook | Direction | Description |
| --- | --- | --- |
| Activation | Read | Query unified customer profiles from Data Cloud for WhatsApp/SMS broadcast |
| Qualification Agent | Read + Write | Read historical engagement across channels; write qualification events back to Data Cloud |
| Nurture & Conversion | Write | Ingest conversation outcomes and lead scores into Data Cloud for unified profile |
| Real-Time Personalization | Read | Access real-time unified profiles for AI-powered agent responses |
| Lead Scoring | Read | Feed Data Cloud unified data into Einstein AI models for predictive scoring |

Real-Time Identity Resolution Example

When a lead interacts via WhatsApp, Bridged can write the event to Data Cloud. Data Cloud's identity resolution then:

  1. Matches the WhatsApp phone number to existing customer records

  2. Creates or updates the Unified Individual profile

  3. Makes the unified data available for subsequent interactions in milliseconds

Rate Limiting & Performance

  • Rate limits depend on your Data Cloud subscription tier, not on Bridged

  • Real-time events: Web SDK events process in sub-second time

  • CRM connector data: Syncs every 5-10 minutes (not real-time)

  • Identity resolution: On-demand or scheduled; real-time resolution available for web events

  • Bulk operations: Maximum 50 records per request

Performance Tuning

| Consideration | Recommendation |
| --- | --- |
| Large data volumes | Use incremental queries with WHERE clauses on timestamp fields |
| Frequent queries | Implement caching for repeated queries |
| Real-time needs | Use web SDK events for sub-second processing |
| Batch operations | Use Ingestion API with batched records (up to 50 per request) |

Security & Permissions

  • Bridged supports OAuth 2.0 JWT Bearer (preferred) for server-to-server authentication

  • JWT tokens are short-lived (less than 60 seconds); Bridged automatically refreshes them

  • Access tokens are exchanged for Data Cloud-specific tokens via /services/a360/token endpoint

  • All API calls are made over TLS 1.2+

  • You can revoke access at any time by deleting or deactivating the Connected App

Required OAuth Scopes Summary

| Scope | Required for |
| --- | --- |
| cdp_query_api | Reading data (Query API) |
| cdp_profile_api | Accessing profile data |
| cdp_ingest_api | Writing data (Ingestion API) |
| api | Basic API access |
| refresh_token | Token refresh |

Permissions for the Integration User

| Permission Set / Profile | Required for |
| --- | --- |
| Data Cloud Admin | Full Data Cloud access |
| API Only | Programmatic access |
| Data Space access | Specific data spaces where data resides |

Troubleshooting

| Issue | Likely cause | Solution |
| --- | --- | --- |
| JWT authentication fails | Invalid private key or claims | Verify private key matches certificate uploaded to Connected App |
| "kid not found" error | Key ID mismatch | Check that certificate was uploaded correctly to Connected App |
| Token exchange fails | Missing Data Cloud license | Verify user has Data Cloud permission set assigned |
| Query returns no data | Incorrect SQL syntax or object name | Use Data Explorer to verify object names exist |
| Identity resolution not working | Matching rules not configured | Run RuleSet on-demand to test matching |
| Web events not appearing | Web SDK not properly configured | Verify sitemap and data capture rules in Web Connection |
| Enrichment not visible | Field mapping incomplete | Check that enrichment is activated and field mappings are correct |
| Rate limiting (429) | Too many API calls | Reduce sync frequency or upgrade Data Cloud tier |
| "cdp_query_api" scope error | Scope not added to Connected App | Add the scope in Connected App OAuth settings |

OAuth JWT-Specific Issues

| Error | Likely cause | Solution |
| --- | --- | --- |
| JWT expiration claim invalid | exp claim set incorrectly | Set exp to a future timestamp (max 10 years) |
| Invalid audience (aud) | Wrong login URL | Use https://login.salesforce.com for Production |
| Certificate not found | Certificate not uploaded | Verify certificate is attached in Connected App → Use digital signatures |
| User not approved | OAuth policy not configured | Set Permitted Users to "Admin approved users are pre-authorized" |
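
Several causes in the two troubleshooting tables above (a private key that does not match the uploaded certificate, a wrong aud, a bad exp) can be checked locally before any token request is sent. The following is an added example, not Bridged's or Salesforce's code: it uses only Node's built-in crypto module, generates throwaway key pairs in place of host.key and host.crt, and takes its 60-second limit from the Security & Permissions section; `signAssertion`, `checkAssertion` and `demoAssertion` are hypothetical names.

```javascript
const { generateKeyPairSync, createSign, createVerify } = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Sign an RS256 assertion carrying the same claims as the script in Step 5.
function signAssertion({ clientId, username, audience, privateKey, ttlSeconds, now }) {
  const claims = { iss: clientId, sub: username, aud: audience, exp: Math.floor(now / 1000) + ttlSeconds };
  const input = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  const sig = createSign('RSA-SHA256').update(input).sign(privateKey).toString('base64url');
  return `${input}.${sig}`;
}

// Return the list of problems found; an empty list means the assertion passes.
// Assumption: maxTtlSeconds defaults to 60, from "less than 60 seconds" on this page.
function checkAssertion(token, { publicKey, audience, maxTtlSeconds = 60, now }) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['not a three-part JWT'];
  let header, claims;
  try { header = dec(parts[0]); claims = dec(parts[1]); } catch { return ['header or claims are not valid JSON']; }
  const problems = [];
  if (header.alg !== 'RS256') problems.push('alg is not RS256');
  const signed = createVerify('RSA-SHA256').update(`${parts[0]}.${parts[1]}`)
    .verify(publicKey, Buffer.from(parts[2], 'base64url'));
  if (!signed) problems.push('signature does not verify against the certificate key');
  if (claims.aud !== audience) problems.push('aud does not match the login URL');
  const remaining = claims.exp - Math.floor(now / 1000);
  if (!(remaining > 0)) problems.push('exp is not in the future');
  else if (remaining > maxTtlSeconds) problems.push('exp is further away than the allowed window');
  return problems;
}

// Constructed sample: throwaway key pairs stand in for host.key / host.crt.
// With real files, new X509Certificate(readFileSync('host.crt')).publicKey gives the key to check against.
function demoAssertion() {
  const uploaded = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const other = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const now = Date.now();
  const base = { clientId: 'YOUR_CONSUMER_KEY', username: 'integration_user@yourcompany.com',
    audience: 'https://login.salesforce.com', privateKey: uploaded.privateKey, ttlSeconds: 45, now };
  const expected = { publicKey: uploaded.publicKey, audience: 'https://login.salesforce.com', now };
  return {
    ok: checkAssertion(signAssertion(base), expected),
    wrongKey: checkAssertion(signAssertion({ ...base, privateKey: other.privateKey }), expected),
    sandboxAud: checkAssertion(signAssertion({ ...base, audience: 'https://test.salesforce.com' }), expected),
    longLived: checkAssertion(signAssertion({ ...base, ttlSeconds: 3600 }), expected),
    expired: checkAssertion(signAssertion({ ...base, ttlSeconds: -10 }), expected),
  };
}
```
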

Support

For integration support, contact your Bridged account manager or email support@bridged.media.

For Data Cloud-specific questions, refer to Salesforce documentation or contact Salesforce Support.