Note: This release is in preview. Features described here don’t become generally available until the latest general availability date that Salesforce announces for this release. Before then, and where features are noted as beta, pilot, or developer preview, we can’t guarantee general availability within any particular time frame or at all. Make your purchase decisions only on the basis of generally available products and features.

Control How to Serialize and Deserialize Apex Types

The new @JsonAccess annotation defined at Apex class level controls whether instances of the class can be serialized or deserialized. If the annotation restricts JSON serialization and deserialization, a runtime JSONException exception is thrown.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

How: The serializable and deserializable parameters of the @JsonAccess annotation enforce the contexts in which Apex allows serialization and deserialization. You can specify one or both parameters, but you can’t specify the annotation with no parameters. The valid values for the parameters to indicate whether serialization and deserialization are allowed:
  • never: never allowed
  • sameNamespace: allowed only for Apex code in the same namespace
  • samePackage: allowed only for Apex code in the same package (impacts only second-generation packages)
  • always: always allowed for any Apex code

In versions 48.0 and earlier, the default access for deserialization is always and the default access for serialization is sameNamespace to preserve the existing behavior. From version 49.0 onwards, the default access for both serialization and deserialization is sameNamespace.

This example code shows an Apex class marked with the @JsonAccess annotation.

@JsonAccess(serializable='never' deserializable='sameNamespace')
public class Foo {}