Control How to Serialize and Deserialize Apex Types

The new @JsonAccess annotation, defined at the Apex class level, controls whether instances of the class can be serialized or deserialized. If code attempts JSON serialization or deserialization that the annotation restricts, a runtime JSONException is thrown.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

How: The serializable and deserializable parameters of the @JsonAccess annotation enforce the contexts in which Apex allows serialization and deserialization. You can specify one or both parameters, but you can’t specify the annotation with no parameters. The valid values for each parameter, which indicate whether serialization or deserialization is allowed, are:
  • never: never allowed
  • sameNamespace: allowed only for Apex code in the same namespace
  • samePackage: allowed only for Apex code in the same package (impacts only second-generation packages)
  • always: always allowed for any Apex code

In versions 48.0 and earlier, the default access for deserialization is always and the default access for serialization is sameNamespace to preserve the existing behavior. From version 49.0 onwards, the default access for both serialization and deserialization is sameNamespace.

This example code shows an Apex class marked with the @JsonAccess annotation.

@JsonAccess(serializable='never' deserializable='sameNamespace')
public class Foo {}
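
The following added example is not part of the original release note. It sketches how the same annotation settings behave at run time when the calling code is in the same namespace as the annotated class. The class names, field names, and sample payload are hypothetical, and each top-level class is assumed to live in its own file.

```apex
// File: ApiCredential.cls (hypothetical class, not from the release note)
// Instances can be built from JSON by code in the same namespace,
// but can never be written back out as JSON.
@JsonAccess(serializable='never' deserializable='sameNamespace')
public class ApiCredential {
    public String clientId;
    public String clientSecret;
}

// File: ApiCredentialJsonAccessTest.cls (hypothetical test class)
@IsTest
private class ApiCredentialJsonAccessTest {

    // Constructed sample payload; the values are placeholders.
    private static final String PAYLOAD =
        '{"clientId":"sample-id","clientSecret":"sample-secret"}';

    @IsTest
    static void deserializationIsAllowedInSameNamespace() {
        // This test class is in the same namespace as ApiCredential,
        // so deserializable='sameNamespace' permits the call.
        ApiCredential cred =
            (ApiCredential) JSON.deserialize(PAYLOAD, ApiCredential.class);
        System.assertEquals('sample-id', cred.clientId);
        System.assertEquals('sample-secret', cred.clientSecret);
    }

    @IsTest
    static void serializationIsNeverAllowed() {
        ApiCredential cred = new ApiCredential();
        cred.clientId = 'sample-id';
        cred.clientSecret = 'sample-secret';

        Boolean blocked = false;
        try {
            // serializable='never' applies even inside the same namespace.
            String leaked = JSON.serialize(cred);
        } catch (JSONException e) {
            blocked = true;
        }
        System.assert(blocked, 'Expected JSONException when serializing ApiCredential');
    }
}
```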