The Issue: Most companies expose their Salesforce APIs for integrations, but forget that an open API door is also an open threat vector. Default token expiry, hardcoded credentials, or wide-scoped connected apps?