Jason Adams

Is the only way to use the API via oauth or session?


I'm working on integrating a WordPress site with Salesforce (not just leads and cases). And I'm finding (https://www.salesforce.com/us/developer/docs/api_rest/) that it seems like the only way to use the API is with either an OAuth token or Salesforce session id. The problem with this is that it requires the integration to work from user sessions, but I'd like it to work for non-logged in users and also forego the token redirect process.

The web-to-lead applet offers something like this, but only for leads and cases.

If I have to use OAuth, is it bad practice to have the user provide the credentials then store the token in the database for all future use? The same token would then be used for every purpose. Would the token have a lifespan by default?

Thanks for any and all input! :)
Best Answer chosen by Jason Adams
The answer is yes: to use the standard Salesforce REST API you must use either a session or OAuth. You can create custom public APIs using Force.com Sites (see Pat's blog here (https://developer.salesforce.com/blogs/developer-relations/2012/02/quick-tip-public-restful-web-services-on-force-com-sites.html)), which would enable you to send data to Salesforce using the API in an unauthenticated manner.

It is generally bad practice to store the OAuth token indefinitely, as you open up your users to a separate attack vector not of their choosing. If tokens must be stored, they should be stored encrypted. Mobile apps are a great example here, as they store OAuth tokens locally (hopefully) encrypted and the token is only accessible to that application. Where possible, web systems should not store tokens in their database.