Implementation Considerations
Most issues involve data management, use limits, or communication.
Choosing a User for an Integration
When your client app connects to the API, it must first log in. You must specify a user to log in to Salesforce when calling login(). Client apps run with the permissions and sharing of the logged-in user. Use the following sections to help decide how to configure a user for your client app.
Permissions
As an org’s Salesforce admin, you control which features and views are available to users by configuring profiles and permission sets and assigning users to them. To access the API to issue calls and receive the call results, a user must have the API Enabled permission. Client apps can query or update only those objects and fields to which they have access via the permissions of the logged-in user.
If the client application logs in as a user who has access to data via a sharing rule, then the API must issue an extra query to check access. To avoid this, log in as a user with the “Modify All Data” permission. This can speed up the call response time. If providing the Modify All Data permission is too permissive for a particular user, consider using the Modify All Records object-level permission to restrict data access on an object basis.
Limits
Multiple client apps can log in using the same username argument. However, this approach increases your risk of getting errors due to query limits.
Login Server URL
SOAP API provides a single login server. You can log in to any org from a single entry point without hard coding the instance. To access an org via the API, first authenticate the session by sending a login() request to the login server at one of the following URLs, depending on your choice of WSDL.
All subsequent calls to the server during the session should be made to the URL returned in the login() response, which points to the server instance for your org.
Log In to the Login Server
Before invoking any other calls, a client app must first invoke the login() call to establish a session with the login server. It then sets the returned server URL as the target server for subsequent API requests and sets the returned session ID in the SOAP header to provide server authorization for subsequent API requests. Salesforce checks the IP address from which the client app is logging in and blocks logins from unknown IP addresses. For more information, see login() and Step 4: Walk Through the Sample Code.
If the API blocks the login, Salesforce returns a login fault. To log in, the user must add the security token at the end of the user’s password. For example, if a user's password is mypassword and the security token is XXXXXXXXXX, the user enters mypasswordXXXXXXXXXX. Users get their security token by changing their password or resetting their security token from the Salesforce user interface. When users change their password or reset their security token, Salesforce sends a new security token to the email address on the user’s Salesforce record. The security token is valid until the user resets the security token, or changes the password, or you reset the user’s password. When the security token is invalid, the user must repeat the login process. To avoid another log in, add the client's IP address to the org's list of trusted IP addresses.
When you are logged in, you can issue API calls. For each operation, client apps submit a synchronous request to the API, await the response, and then process the results. The API commits changed data automatically.
API calls:
Typical API Call Sequence
For each call, your client app typically:
- Prepares the request by defining request parameters, if applicable.
- Invokes the call, which passes the request with its parameters to the Lightning Platform Web Service for processing.
- Receives the response from the API.
- Handles the response, either by processing the returned data (for a successful invocation) or by handling the error (for a failed invocation).
Salesforce Sandbox
Professional, Enterprise, Unlimited, and Performance Edition customers have access to the Salesforce Sandbox, which is a testing environment that offers a full or partial copy of your Salesforce org’s live production data. For more information, visit the Salesforce Community website at www.salesforce.com/community or see Sandbox Types and Templates in the Salesforce Help.
To access your org’s sandbox via the API, use the following URLs to make login requests.
API Usage Metering
To maintain optimum performance and ensure that the Lightning Platform API is available to all our customers, Salesforce balances transaction loads by imposing two types of limits:
- Concurrent API Request Limits
- Total API Request Allocations
When a call exceeds a request limit, an error is returned.
Concurrent API Request Limits
The following table lists the limits for various types of orgs for concurrent inbound requests (calls) with a duration of 20 seconds or longer.
| Org Type | Limit |
|---|---|
| Developer Edition and Trial orgs | 5 |
| Production orgs and Sandboxes | 25 |
If the number of long running requests exceeds the limit, the API returns a REQUEST_LIMIT_EXCEEDED exception code. Any new concurrent requests aren't processed until there are fewer requests than the allowed limit. For example, in a production org, no new concurrent requests are allowed until there are fewer than 25 long running requests.
There isn’t a limit on the number of concurrent requests shorter than 20 seconds.
Total API Request Allocations
The following table lists the limits for the total inbound API requests (calls) per 24-hour period for an org.
| Salesforce Edition | API Calls Per License Type Per 24-Hour Period | Total Calls Per 24-Hour Period |
|---|---|---|
| Developer Edition | N/A | 15,000 |
|
|
100,000 + (number of licenses x calls per license type) + purchased API Call Add-Ons |
|
|
100,000 + (number of licenses x calls per license type) + purchased API Call Add-Ons |
| Full Sandbox | N/A | 5,000,000 This limit applies only to Full Sandboxes that aren’t created from a template. For any sandbox created from a template, values in the template determine the limits. For more information, visit Salesforce Help: Sandbox Types and Templates. |
For Experience Cloud limits, see Experience Cloud User Licenses.
APIs that count toward this allocation include the Lightning Platform REST API, the Lightning Platform SOAP API, Bulk API, Bulk API 2.0, and most Connect REST APIs. API calls issued by certain Salesforce connected apps (for example, the Salesforce mobile app) don’t count. To determine which APIs affect the allocation, see Monitoring Your API Usage.
Calls that include DebuggingHeader have a separate allocation limit of 1,000 calls per 24-hour period. These calls can continue to be made after the total request limit for an org is reached.
Limits and allocations are enforced against the aggregate of all API calls made to the org in a 24-hour period. Limits and allocations are not on a per-user basis.
Monitoring Your API Usage
To better monitor your org’s API usage and limits, you can use these resources:
- The API Usage section of the System Overview page in Setup.
- The API Requests, Last 24 Hours item in the Organization Detail section of the System Overview page in Setup.
- The API Request Limit per Month usage-based entitlement, which shows you your org’s API calls aggregated over 30 days. This can be found on the Company Information page in Setup.
- Information returned in the Sforce-Limit-Info response header for REST APIs.
- Information returned in the response body (in <type>API REQUESTS</type>) for SOAP APIs.
- The /limits call in the Lightning Platform REST API.
You can configure your org so that email is sent to a designated user when the number of API requests has exceeded a specified percentage of the amount allotted. Perform this configuration from Setup by entering API Usage Notifications in the Quick Find box and then selecting API Usage Notifications.
See also the Learn About Daily Rate Limits section in the App Development Without Limits Trailhead module.
What Happens If You Reach or Exceed Your API Request Limit
If your org reaches or exceeds its daily API request limit, Salesforce still allows the operations to proceed by a certain amount, if possible. This helps avoid blocking your workflows during unexpected spikes in workloads and occasional peak periods. A hard cap is in place to safeguard platform resources and prevent API requests from exceeding the daily limit unimpeded.
API request activity is aggregated into 30 day periods, starting with your contract start date, and includes calls that exceed the org's entitled limit.
Increasing Total API Request Allocations
The calculation of the API request amounts based on user licenses is designed to allow sufficient capacity for your org based on your number of users. If you need a higher amount and you don’t want to purchase extra user licenses or upgrade to Performance Edition, you can purchase extra API calls. For information, contact your account representative.
Before you purchase more API calls, perform due diligence of your API usage. You can optimize a client application, whether it’s your own enterprise application or partner application, to use fewer API calls and still accomplish the same work. If you use a partner product, consult with the vendor to verify that the product makes optimal use of the API. A product that makes inefficient use of the API incurs unnecessary costs for your company. Use REST API composite resources to improve your application’s performance by minimizing the number of round-trips between the client and server.
Example API Usage Metering Calculations
The following examples illustrate API usage metering calculations for several scenarios.
- For an Enterprise Edition org with 15 Salesforce licenses, the request limit is 115,000 requests (100,000 plus 15 licenses x 1,000 calls).
- For a Developer Edition org that made 14,500 calls at 5:00 AM Wednesday, 499 calls at 11:00 PM Wednesday, only one more call can successfully be made until 5:00 AM Thursday.
Length of Stored Third-Party Refresh and Access Tokens
Salesforce stores third-party access and refresh tokens of up to 10,000 characters in length.
Compression
The API allows the use of compression on the request and the response, using the standards defined by the HTTP 1.1 specification. This is automatically supported by some SOAP/WSDL clients, and can be manually added to others. Visit https://developer.salesforce.com/page/Tools for more information on particular clients.
Compression is not used unless the client specifically indicates that it supports compression. For better performance, we suggest that clients accept and support compression as defined by the HTTP 1.1 specification.
To indicate that the client supports compression, you should include the HTTP header “Accept-Encoding: gzip, deflate” or a similar heading. The API compresses the response if the client properly specifies this header. The response includes the header “Content-Encoding: deflate” or “Content-Encoding: gzip,” as appropriate. You can also compress any request by including a “Content-Encoding: deflate” or “gzip” header.
Most clients are partially constrained by their network connection, even on a corporate LAN. The API allows the use of compression to improve performance. Almost all clients can benefit from response compression, and many clients may benefit from compression of requests as well. The API supports deflate and gzip compression according to the HTTP 1.1 specification.
Response Compression
The API can optionally compress responses. Responses are compressed only if the client sends an Accept-Encoding header with either gzip or deflate compression specified. The API is not required to compress the response even if you have specified Accept-Encoding, but it normally does. If the API compresses the response, it also specifies a Content-Encoding header with the name of the compression algorithm used, either gzip or deflate.
Request Compression
Clients can also compress requests. The API decompresses any requests before processing. The client must send up a Content-Encoding HTTP header with the name of the appropriate compression algorithm. For more information, see:
- Content-Encoding at: www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11
- Accept-Encoding at: www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.3
- Content Codings at: www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.5
HTTP Persistent Connections
Most clients achieve better performance if they use HTTP 1.1 persistent connection to reuse the socket connection for multiple requests. Persistent connections are normally handled by your SOAP/WSDL client automatically. For more details, see the HTTP 1.1 specification at:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.1
HTTP Chunking
Clients that use HTTP 1.1 may receive chunked responses. Chunking is normally handled by your SOAP/WSDL client automatically.
Internationalization and Character Sets
The API supports either full Unicode characters or ISO-8859-1 characters. The character set depends on the Salesforce instance that your org uses. If your org logs in to ssl.salesforce.com, your encoding is ISO-8859-1. All other instances use UTF-8. To determine the character set, call describeGlobal() and inspect the encoding value returned in DescribeGlobalResult.
If your org uses ISO-8859-1 encoding, all data sent to the API must be encoded in ISO-8859-1. Characters outside the valid ISO-8859-1 range might be truncated or cause an error.
XML Compliance
The API is based on XML, which requires all documents to be well formed. Part of that requirement is that certain Unicode characters are not allowed in an XML document, even in an escaped form, and that others must be encoded according to their location. Normally this is handled for you by any standard SOAP or XML client. Clients must be able to parse any normal XML escape sequence, and must not pass up invalid XML characters.
Some characters, as mentioned, are illegal even if they are escaped. The illegal characters include unpaired Unicode surrogates and a few other Unicode characters. All are seldom-used control characters that are usually not important in any data, and tend to cause problems with many programs. Although they are not allowed in XML documents, they are allowed in HTML documents and may be present in Salesforce data. The illegal characters are stripped from any API response.
Illegal characters:
- 0xFFFE
- 0xFFFF
- Control characters 0x0 - 0x19, except the following characters, which are legal: 0x9, 0xA, 0xD, tab, newline, and carriage return)
- 0xD800 - 0xDFFF, unless they’re used to form a surrogate pair
.NET, Non-String Fields, and the Enterprise WSDL
If you use .NET with the enterprise WSDL, .NET generates a Boolean field for each non-string field. For example, if you have a date value in MyDateField__c, .NET generates a Boolean field called MyDateField__cSpecified.
The generated field value is false by default. If a Specified field value is false, then the values in the corresponding original field are not be included in the SOAP message. For example, before the values in the currency field annualRevenue can be included in a SOAP message generated by your client app, the value of annualRevenueSpecified must be set to true.
1account.annualRevenue = 10000;
2account.annualRevenueSpecified = true;