Articles on: Browser Extension

Why am I seeing "login from Germany" security alerts in Salesforce?

Summary


PipeLaunch's main backend runs on AWS in Frankfurt, Germany (eu-central-1). When PipeLaunch makes Salesforce REST API calls on behalf of a user, Salesforce records the request as originating from our AWS IP in Germany. If your org has geo-based or IP-based login risk policies, this can trigger:


  • "Suspicious login" email alerts to the user or admin
  • Automatic user deactivation
  • Blocked API calls


This is expected Salesforce behavior and not a security incident in PipeLaunch.


This issue is unrelated to the Salesforce May 11, 2026 security update (PKCE + Refresh Token Rotation for Connected Apps). PipeLaunch is on track for that mandate independently.


PipeLaunch runs on AWS Lambda, which uses a pool of egress IP addresses managed and rotated by AWS to improve reliability. We do not operate from a single static IP.



This is the simplest, most durable fix. It applies only to the PipeLaunch Connected App — your general login IP policies are unaffected.


  1. In Salesforce, go to Setup.
  2. Search for App Manager.
  3. Find Pipelaunch Chrome Extension in the list.
  4. Click the dropdown arrow on the right → Manage.
  5. Click Edit Policies.
  6. Under IP Relaxation, choose: Relax IP restrictions
  7. Click Save.


That's it. PipeLaunch's API calls will no longer be blocked by your

org's IP-based login policies, and other apps and user logins remain

fully protected.


Option 2 — Allowlist AWS Frankfurt IP ranges


If your security policy requires explicit IP allowlisting, AWS publishes its current IP ranges as a public JSON file: https://ip-ranges.amazonaws.com/ip-ranges.json


Filter for entries where:

  • "region": "eu-central-1"
  • "service": "EC2"


(Lambda egress IPs fall under the EC2 ranges.)


Add those CIDR blocks to either:


  • Login IP Ranges on the relevant user profiles, or
  • Trusted IP Ranges under Setup → Network Access


Important caveats


  • AWS updates these ranges over time. To stay current, subscribe to AWS's SNS notifications:

Subscribe to AWS IP range changes

  • We recommend automating the refresh (a small scheduled job) rather than maintaining the list manually.


Re-activating affected users


After applying option 1 or 2:


  1. Go to Setup → Users, find the affected user, set Active = true.
  2. Ask the user to re-open PipeLaunch and sign in again.
  3. If they still see alerts, confirm step 6 of option 1 shows Relax IP restrictions, or that the AWS ranges have been added.


FAQ


Q: Does the May 11, 2026 Salesforce security update require any action from me?

A: No action is required from you for the core mandate (PKCE + Refresh Token Rotation) — PipeLaunch handles that on the Connected App side. If you'd like to additionally enable optional hardening (Idle Refresh Token TTL, Refresh Token IP Allow List), we can guide you.


Q: Why does Salesforce flag Germany specifically?

A: It doesn't flag Germany by name. It flags any login origin that differs from the user's normal location, or that falls outside your org's configured Login IP / Trusted IP ranges. Frankfurt happens to be where our AWS region is located.


Updated on: 28/04/2026