If you received Salesforce's mandatory security email in late April 2026 and immediately started questioning which of the four OAuth controls actually apply to your AppExchange application, you are not alone. The email landed without much context. The official documentation is written for a broad audience, covering everything from simple connected apps to complex multi-flow enterprise integrations. And the ISV partner community Slack channels filled up with the same question repeated across dozens of threads: does this apply to us, and if so, what exactly do we need to change? I spent two weeks working through this for an enterprise AppExchange application I architect, one that uses an External Client App (ECA) registered on an internal Salesforce org for license management. The architecture is server-to-server, the OAuth flow is the JWT Bearer Grant, and refresh tokens are never issued or stored. What I found is that the answer depends heavily on your specific OAuth architecture: which flows your app uses, where its credentials live, and whether it holds any tokens at all.…