Product Update

Gainsight CS: Connected App Security Enhancements

  • January 9, 2026
Andrew Brown

Your Customer Success teams rely on Gainsight CS and its connections with tools like Salesforce, HubSpot, Zendesk, and Gong to keep customer workflows and revenue-critical processes running—and because those connections carry critical customer data, we’re continuing to strengthen the security and reliability of Gainsight CS.

Below, we’ll walk through the latest security enhancements we’ve made to Gainsight CS.

 

New Security Measures Now Live

As part of our ongoing commitment to platform safety and integration security, we’ve implemented a set of enhancements that harden the credentials used across Salesforce-connected workflows.

Here’s what’s now in place:

  • Shorter Refresh Token Lifespans: We’re enforcing shorter lifespans for refresh tokens used by our Salesforce Connected App, so even if a token gets out into the wild, it expires quickly and loses usefulness. 
  • Refresh Token Rotation (RTR): With RTR, each refresh token is single-use: every time an access request is made, a new refresh token is issued and the old one is immediately invalidated. This ensures that old credentials can’t be replayed or reused, even if they’re exposed somewhere they shouldn’t be.
  • OAuth Proof Key for Code Exchange (PKCE): PKCE adds an important safeguard to the OAuth flow by requiring the app that starts authentication to prove it’s the same app that completes it. This thwarts interception attacks and aligns with industry-standard secure OAuth practices.
  • Trusted IP Ranges: Token exchanges and refresh actions now only succeed when requests originate from infrastructure we explicitly trust. That means authentication traffic can’t be weaponized from unknown networks, even if someone holds a previously valid credential.
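
To make the PKCE and refresh token rotation checks above concrete, here is an added example (not Gainsight's or Salesforce's code) of a toy in-memory token endpoint. The class and method names are hypothetical; the S256 transform follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyTokenEndpoint:
    """Hypothetical in-memory authorization server (illustrative names only)."""

    def __init__(self):
        self.codes = {}    # authorization code -> code_challenge from the client
        self.refresh = {}  # refresh token -> True while usable, False once spent

    def authorize(self, code_challenge: str) -> str:
        # The app that starts the flow commits to a verifier it keeps secret.
        code = secrets.token_urlsafe(16)
        self.codes[code] = code_challenge
        return code

    def exchange_code(self, code: str, code_verifier: str) -> dict:
        challenge = self.codes.pop(code, None)  # codes are single-use
        try:
            ok = challenge is not None and hmac.compare_digest(
                challenge, s256_challenge(code_verifier))
        except (UnicodeEncodeError, TypeError):
            ok = False  # malformed verifier or challenge fails closed
        if not ok:
            raise PermissionError("invalid_grant")
        return self._issue()

    def refresh_grant(self, token: str) -> dict:
        if not self.refresh.get(token, False):  # unknown or already spent
            raise PermissionError("invalid_grant")
        self.refresh[token] = False  # rotation: old token dies immediately
        return self._issue()

    def _issue(self) -> dict:
        new_rt = secrets.token_urlsafe(32)
        self.refresh[new_rt] = True
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": new_rt}
```

A rejected replay of a spent refresh token is also a useful detection signal, since it means two parties held the same credential.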

In addition to these changes, we’re continuing to invest in broader platform security, including DevSecOps and pipeline hardening, enhanced logging and visibility, enterprise governance improvements, and ongoing product security advancements.

These enhancements apply to our Salesforce Connector, which is now fully restored. If you’re looking for additional resources and information on restoring connectors, read more in our CTO’s recent blog or the community post here. We’ve also brought our connections with HubSpot, Zendesk, and Gong, which were temporarily disabled as a precaution, back online so your teams can resume their workflows as expected.