Articles on: Browser Extension

Why am I seeing "login from Germany" security alerts in Salesforce?

Summary


PipeLaunch's main backend runs on AWS in Frankfurt, Germany (eu-central-1). When PipeLaunch makes Salesforce REST API calls on behalf of a user, Salesforce records the request as originating from our AWS IP in Germany. If your org has geo-based or IP-based login risk policies, this can trigger:


  • "Suspicious login" email alerts to the user or admin
  • Automatic user deactivation
  • Blocked API calls


This is expected Salesforce behavior and not a security incident in PipeLaunch.


This issue is separate from Salesforce's 2026 mandatory Connected App security controls (PKCE, Refresh Token Rotation, idle Refresh Token TTL, and Refresh Token IP Allowlist), which PipeLaunch has fully enforced on its Connected App.


As of June 2026, PipeLaunch's Salesforce authentication runs through a single fixed egress IP rather than a rotating pool:


63.183.111.231 (AWS, Frankfurt / eu-central-1)


Because the OAuth login your users perform now always originates from this one address, you can allowlist it directly (see Option 2). And once Salesforce has recorded a successful login from it for a given user, the repeated "new location" challenges and suspicious-login emails generally stop on their own.



This is the simplest, most durable fix. It applies only to the PipeLaunch Connected App — your general login IP policies are unaffected.


  1. In Salesforce, go to Setup.
  2. Search for App Manager.
  3. Find Pipelaunch Chrome Extension in the list.
  4. Click the dropdown arrow on the right → Manage.
  5. Click Edit Policies.
  6. Under IP Relaxation, choose: Relax IP restrictions
  7. Click Save.


That's it. PipeLaunch's API calls will no longer be blocked by your org's IP-based login policies, and other apps and user logins remain fully protected.


Option 2 — Allowlist PipeLaunch's static IP


If your security policy requires explicit IP allowlisting rather than relaxing restrictions, you can now allowlist a single address instead of an entire cloud range.


Add this IP to either Login IP Ranges on the relevant user Profiles, or Trusted IP Ranges under Setup → Network Access: 63.183.111.231 (enter it as both the start and end address)


This is the address PipeLaunch uses for the Salesforce OAuth login and token refresh.


If your org enforces login IP ranges on every request


By default, Salesforce only checks the source IP at login, so allowlisting the address above is enough. If you have Enforce login IP ranges on every request turned on (Setup → Session Settings), then PipeLaunch's background API calls are IP-checked too. Those still originate from AWS's broader Frankfurt (eu-central-1) range, so in that case either:


  • use Option 1 (Relax IP restrictions on the Connected App), which covers all PipeLaunch traffic regardless of source IP, or
  • additionally allowlist the AWS eu-central-1 / EC2 ranges from https://ip-ranges.amazonaws.com/ip-ranges.json.


FAQ


Q: Do the Salesforce 2026 Connected App security controls require any action from me?
A: A: No. PipeLaunch has enforced all four mandatory controls (PKCE, Refresh Token Rotation, idle Refresh Token TTL, and Refresh Token IP Allowlist) on the Connected App side. No action is required from you.


Q: Why does Salesforce flag Germany specifically?
A: It doesn't flag Germany by name. It flags any login origin that differs from the user's normal location, or that falls outside your org's configured Login IP / Trusted IP ranges. Frankfurt happens to be where our AWS region is located.

Updated on: 14/06/2026