Trust & Security
You're about to point a free tool at an org you're responsible for. Here is exactly what OrgKit can see, store, and do — and what it can't.
Architecture: there is no server
OrgKit is a set of static pages. There is no backend, no database, no API of ours in the middle. When you use a tool, your browser talks directly to your Salesforce instance over HTTPS using Salesforce's own APIs. That's why each org needs a one-time CORS allowlist entry — Salesforce is verifying that your org's admin approved this site to make browser calls, which is a security feature, not a workaround.
OrgKit works on the metadata layer only — automations, object schemas, profiles, OmniStudio components. It never queries or writes your business records.
Your access token
- You authenticate on Salesforce's own login page (OAuth 2.0). Your username and password never pass through OrgKit.
- The access token is kept in
sessionStorageonly — it is destroyed when the tab closes and is never written to persistent storage. - The token is only ever sent to one place: your own Salesforce instance URL.
- Disconnect any time — or revoke the session in Salesforce under Setup → Session Management.
- Prefer full control? Create your own Connected App in your org and use its Consumer Key instead of OrgKit's shared one. Your admin then controls scopes, IP ranges, and session policies.
What stays in your browser
So that snapshots and audit trails survive a browser restart, OrgKit keeps non-sensitive working data in your browser's localStorage: org nickname and instance URL, automation snapshots, your local audit log, and preferences. None of it contains credentials, and none of it ever leaves your machine. Clearing site data removes everything.
Safety rails for destructive actions
- Snapshot before change — Migration Mode auto-snapshots the exact active/inactive state of every automation before touching anything.
- Verified toggles — after every change, the tool re-reads Salesforce to confirm the change actually applied. Silent failures are surfaced, not swallowed.
- Crash-safe bulk operations — bulk changes are journaled locally item-by-item. If your tab crashes or your session expires mid-run, you can resume exactly where you stopped after reconnecting.
- Production friction — entering Migration Mode on a production org requires typing the org name to confirm.
- Audit log — every change is recorded locally with timestamps and before/after state, exportable to CSV for your change ticket.
Common security-review questions
Terms of use
OrgKit is provided free of charge, "AS IS" and without warranty of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, and non-infringement. In no event shall the author be liable for any claim, damages, or other liability arising from the use of these tools.
You are solely responsible for: changes made to any Salesforce org through these tools; compliance with your organization's and your clients' change-management, security, and access policies; and verifying results after any operation. Test in a sandbox before using in production.
OrgKit is an independent project by Himadeep Guduru. It is not affiliated with, endorsed by, or supported by Salesforce, Inc. Salesforce and related marks are trademarks of Salesforce, Inc.
Found a security issue?
Please report it privately via GitHub — responsible disclosure is appreciated and acknowledged.