SOAP API Developer Guide

Getting Started
Reference
Using the API with Salesforce Features
Implementation Considerations
Outbound Messaging
Data Loading and Integration
Data Replication
Feature-Specific Considerations
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Implementation Considerations

Before you build an integration app or other client app, consider the data management, use limits, and communication issues explained in this section.

Choosing a User for an Integration

When your client app connects to the API, it must first log in. You must specify a user to log in to Salesforce when calling login(). Client apps run with the permissions and sharing of the logged-in user. Use the following sections to help decide how to configure a user for your client app.

Permissions

As an org's Salesforce admin, you control which features and views are available to users by configuring profiles and permission sets and assigning users to them. To access the API to issue calls and receive the call results, a user must have the API Enabled permission. Client apps can query or update only those objects and fields to which they have access via the permissions of the logged-in user.

If the client application logs in as a user who has access to data via a sharing rule, then the API must issue an extra query to check access. To avoid this, log in as a user with the “Modify All Data” permission. This can speed up the call response time. If providing the Modify All Data permission is too permissive for a particular user, consider using the Modify All object-level permission to restrict data access on an object basis. For more information, see Factors that Affect Data Access.

Limits

Salesforce limits the number of queries that a user can execute concurrently. A user can have up to 10 query cursors open at a time. If 10 QueryLocator cursors are open when a client application, logged in as the same user, attempts to open a new one, then the oldest of the 10 cursors is released. If the client application attempts to open the released query cursor, an error results.

Multiple client apps can log in using the same username argument. However, this approach increases your risk of getting errors due to query limits.

If multiple client apps are logged in with the same user, they all share the same session. If one of the client apps calls logout(), it invalidates the session for all the client apps. Using a different user for each client app makes it easier to avoid these limits.

In addition to user limits, Salesforce limits for API requests for each org. For more information, see API Usage Metering.

Note

Login Server URL

SOAP API provides a single login server. You can log in to any org from a single entry point without hard coding the instance. To access an org via the API, first authenticate the session by sending a login() request to the login server at one of the following URLs, depending on your choice of WSDL.

  • https://login.salesforce.com/services/Soap/c/47.0 (enterprise WSDL)
  • https://login.salesforce.com/services/Soap/u/47.0 (partner WSDL)

The less secure version of each URL is also supported.

1http://login.salesforce.com/services/Soap/c/47.0
  • http://login.salesforce.com/services/Soap/c/47.0 (enterprise WSDL)
  • http://login.salesforce.com/services/Soap/u/47.0 (partner WSDL)

The less secure version of the URL is supported, but not recommended. It is helpful for debugging through proxy servers.

All subsequent calls to the server during the session should be made to the URL returned in the login() response, which points to the server instance for your org.

Log In to the Login Server

Before invoking any other calls, a client app must first invoke the login() call to establish a session with the login server. It then sets the returned server URL as the target server for subsequent API requests and sets the returned session ID in the SOAP header to provide server authorization for subsequent API requests. Salesforce checks the IP address from which the client app is logging in and blocks logins from unknown IP addresses. For more information, see login() and Step 4: Walk Through the Sample Code.

If the API blocks the login, Salesforce returns a login fault. To log in, the user must add the security token at the end of the user’s password. For example, if a user's password is mypassword and the security token is XXXXXXXXXX, the user enters mypasswordXXXXXXXXXX. Users get their security token by changing their password or resetting their security token from the Salesforce user interface. When users change their password or reset their security token, Salesforce sends a new security token to the email address on the user’s Salesforce record. The security token is valid until the user resets the security token, or changes the password, or you reset the user’s password. When the security token is invalid, the user must repeat the login process. To avoid another log in, add the client's IP address to the org's list of trusted IP addresses. For more information, see Security Token.

When you are logged in, you can issue API calls. For each operation, client apps submit a synchronous request to the API, await the response, and then process the results. The API commits changed data automatically.

API calls:

Typical API Call Sequence

For each call, your client app typically:

  1. Prepares the request by defining request parameters, if applicable.
  2. Invokes the call, which passes the request with its parameters to the Lightning Platform Web Service for processing.
  3. Receives the response from the API.
  4. Handles the response, either by processing the returned data (for a successful invocation) or by handling the error (for a failed invocation).

Salesforce Sandbox

Professional, Enterprise, Unlimited, and Performance Edition customers have access to the Salesforce Sandbox, which is a testing environment that offers a full or partial copy of your Salesforce org’s live production data. For more information, visit the Salesforce Community website at www.salesforce.com/community or see Sandbox Types and Templates in the Salesforce Help.

To access your org’s sandbox via the API, use the following URLs to make login requests.

  • https://test.salesforce.com/services/Soap/c/47.0 (enterprise WSDL)
  • https://test.salesforce.com/services/Soap/u/47.0 (partner WSDL)

Multiple Instances of Salesforce Database Servers

Although orgs are generally allocated by geographic regions, an org may be on any instance.

Content Type Requirement

In the API version 7.0 and later, all requests must contain a correct content type HTTP header, for example: Content-Type: text/xml; charset=utf-8. Earlier versions of the API do not enforce this requirement.

Monitoring API Traffic

You can monitor the number of API requests generated by your org in two ways.

  • Any user can see the number of API requests sent in the last 24 hours. To view the information, from Setup, enter Company Information in the Quick Find box, then select Company Information. Look for the API Requests, Last 24 Hours field in the right column.
  • If a user has the Modify All Data permission, the user can view a report of the API requests sent for the last seven days. To view the information, on the Reports tab, scroll to the Administrative Reports section and click API Usage Last 7 Days. Users can sort the report by any field listed in the Summarize Information by: dropdown list. For more information about sorting, filtering, or customizing reports, see the Salesforce online help for reports.

API Usage Metering

To maintain optimum performance and ensure that the Lightning Platform API is available to all our customers, Salesforce balances transaction loads by imposing two types of limits:

  • Concurrent API Request Limits
  • Total API Request Allocations

When a call exceeds a request limit, an error is returned.

Concurrent API Request Limits

The following table lists the limits for various types of orgs for concurrent requests (calls) with a duration of 20 seconds or longer.

Org Type Limit
Developer Edition and Trial orgs 5
Production orgs and Sandbox 25

Total API Request Allocations

The following table lists the limits for the total API requests (calls) per 24-hour period for an org.

Salesforce Edition API Calls Per License Type Total Calls Per 24-Hour Period
Developer Edition N/A 15,000
  • Enterprise Edition
  • Professional Edition with API access enabled
  • Salesforce: 1,000
  • Salesforce Platform: 1,000
  • Force.com - One App: 200
  • Customer Community: 0
  • Customer Community Login: 0
  • Customer Community Plus: 200
  • Customer Community Plus Login: 10
  • Partner Community: 200
  • Partner Community Login: 10
  • Lightning Platform Starter: 200 per member for Enterprise Edition orgs
  • Lightning Platform Plus: 1000 per member for Enterprise Edition orgs
 15,000 + (number of licenses X calls per license type), up to a maximum of 1,000,000
  • Unlimited Edition
  • Performance Edition
  • Salesforce: 5,000
  • Salesforce Platform: 5,000
  • Force.com - One App: 200
  • Customer Community: 0
  • Customer Community Login: 0
  • Customer Community Plus: 200
  • Customer Community Plus Login: 10
  • Partner Community: 200
  • Partner Community Login: 10
  • Lightning Platform Starter: 200 per member for Unlimited and Performance Edition orgs
  • Lightning Platform Plus: 5000 per member for Unlimited and Performance Edition orgs
 15,000 + (number of licenses X calls per license type)
Sandbox N/A 5,000,000

Limits are enforced against the aggregate of all API calls made by the org in a 24 hour period. Limits are not on a per-user basis. When an org exceeds a limit, all users in the org can be temporarily blocked from making additional calls. Calls are blocked until usage for the preceding 24 hours drops below the limit.

Allocations are automatically enforced for all editions.

Note

Any action that sends a call to the API counts toward usage amounts, except the following:

  • Outbound messages
  • Apex callouts

You can create an API usage metering notification, so that Salesforce will send an email to a designated user when API limits have exceeded a specified limit in a specified time period. For more information, see “API Usage Notifications” in the Salesforce online help.

There are also limits on the number of requests allowed per org from the Salesforce user interface. For details, see “Concurrent Usage Limits” in the Salesforce online help.

Example API Usage Metering Calculations

The following examples illustrate API usage metering calculations for several scenarios.
  • For an Enterprise Edition org with 15 Salesforce licenses, the request limit is 15,000 requests (15 licenses X 1,000 calls).
  • For an Enterprise Edition org with 15,000 Salesforce licenses, the request limit is 1,000,000. The number of licenses X 1,000 calls is greater than the maximum value, so the lower limit of 1,000,000 is used.
  • For a Developer Edition org that made 14,500 calls at 5:00 AM Wednesday, 499 calls at 11:00 PM Wednesday, only one more call can successfully be made until 5:00 AM Thursday.
  • For an Enterprise Edition org with 60 Gold Partner licenses, the request limit is 15,000. The number of licenses X 200 calls is less than the minimum value of 15,000.

Increasing the Total API Request Limit

Basing the API request limit on user licenses allows sufficient capacity for your org for your number of users. If you need a higher limit and you don’t want to purchase more user licenses or upgrade to Performance Edition, you can purchase additional API calls. For more information, contact your account representative.

Before you purchase additional API calls, assess your current API usage. You can often optimize client apps that make calls to the API, whether it’s your own enterprise apps or partner apps, to use fewer API calls to do the same work. If you’re using a partner product, consult the vendor to verify that the product is making optimal use of the API. A product that makes inefficient use of the API incurs unnecessary costs.

Compression

The API allows the use of compression on the request and the response, using the standards defined by the HTTP 1.1 specification. This is automatically supported by some SOAP/WSDL clients, and can be manually added to others. Visit https://developer.salesforce.com/page/Tools for more information on particular clients.

Compression is not used unless the client specifically indicates that it supports compression. For better performance, we suggest that clients accept and support compression as defined by the HTTP 1.1 specification.

To indicate that the client supports compression, you should include the HTTP header “Accept-Encoding: gzip, deflate” or a similar heading. The API compresses the response if the client properly specifies this header. The response includes the header “Content-Encoding: deflate” or “Content-Encoding: gzip,” as appropriate. You can also compress any request by including a “Content-Encoding: deflate” or “gzip” header.

Most clients are partially constrained by their network connection, even on a corporate LAN. The API allows the use of compression to improve performance. Almost all clients can benefit from response compression, and many clients may benefit from compression of requests as well. The API supports deflate and gzip compression according the HTTP 1.1 specification.

Response Compression

The API can optionally compress responses. Responses are compressed only if the client sends an Accept-Encoding header with either gzip or deflate compression specified. The API is not required to compress the response even if you have specified Accept-Encoding, but it normally does. If the API compresses the response, it also specifies a Content-Encoding header with the name of the compression algorithm used, either gzip or deflate.

Request Compression

Clients can also compress requests. The API decompresses any requests before processing. The client must send up a Content-Encoding HTTP header with the name of the appropriate compression algorithm. For more information, see:

To implement request SOAP compression in a Java client with WSC (Web Service Connector), call setCompression() on the Config you use to instantiate a Connection object with. For an example, see login() sample code.

Note

HTTP Persistent Connections

Most clients achieve better performance if they use HTTP 1.1 persistent connection to reuse the socket connection for multiple requests. Persistent connections are normally handled by your SOAP/WSDL client automatically. For more details, see the HTTP 1.1 specification at:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.1

HTTP Chunking

Clients that use HTTP 1.1 may receive chunked responses. Chunking is normally handled by your SOAP/WSDL client automatically.

Internationalization and Character Sets

The API supports either full Unicode characters or ISO-8859-1 characters. The character set depends on the Salesforce instance that your org uses. If your org logs in to ssl.salesforce.com, your encoding is ISO-8859-1. All other instances use UTF-8. To determine the character set, call describeGlobal() and inspect the encoding value returned in DescribeGlobalResult.

If your org uses ISO-8859-1 encoding, all data sent to the API must be encoded in ISO-8859-1. Characters outside the valid ISO-8859-1 range might be truncated or cause an error.

The API response is encoded in the character set used by your org (UTF-8 or ISO-8859-1). Either way, the encoded data is usually handled for you by the SOAP client.

Note

XML Compliance

The API is based on XML, which requires all documents to be well formed. Part of that requirement is that certain Unicode characters are not allowed in an XML document, even in an escaped form, and that others must be encoded according to their location. Normally this is handled for you by any standard SOAP or XML client. Clients must be able to parse any normal XML escape sequence, and must not pass up invalid XML characters.

Some characters, as mentioned, are illegal even if they are escaped. The illegal characters include unpaired Unicode surrogates and a few other Unicode characters. All are seldom-used control characters that are usually not important in any data, and tend to cause problems with many programs. Although they are not allowed in XML documents, they are allowed in HTML documents and may be present in Salesforce data. The illegal characters will be stripped from any API response.

Illegal characters:

  • 0xFFFE
  • 0xFFFF
  • Control characters 0x0 - 0x19, except the following characters, which are legal: 0x9, 0xA, 0xD, tab, newline, and carriage return)
  • 0xD800 - 0xDFFF, unless they’re used to form a surrogate pair

.NET, Non-String Fields, and the Enterprise WSDL

If you use .NET with the enterprise WSDL, .NET generates a Boolean field for each non-string field. For example, if you have a date value in MyDateField__c, .NET generates a Boolean field called MyDateField__cSpecified.

The generated field value is false by default. If a Specified field value is false, then the values in the corresponding original field are not be included in the SOAP message. For example, before the values in the currency field annualRevenue can be included in a SOAP message generated by your client app, the value of annualRevenueSpecified must be set to true.

1account.annualRevenue = 10000;
2account.annualRevenueSpecified = true;