Operating Salesforce APIs effectively spans configuration of access controls, monitoring of consumption, and integration design that respects limits. The workflow below covers the standard sequence for managing the org's API posture.
- Understand the org's API allocation
From Setup, open Company Information to see the current API call allocation: the base limit per 24 hours plus any add-on packages. Document the allocation in the team's runbook. Identify the integrations consuming API calls: Marketing Cloud sync, ERP integration, custom Apex callouts from external systems, MuleSoft flows, partner integrations. Estimate each integration's typical daily API consumption. The sum should be comfortably below the org's allocation; if it is approaching the limit, plan capacity additions or consumption optimizations.
- Configure user-level API access
From Setup, configure which user profiles have API Enabled (the permission allowing API access). Restrict API access to integration users and specific user roles that need it; general users typically should not have API access. For integration users, use Connected Apps with OAuth scopes that match exactly what the integration needs (no over-scoping). Configure IP restrictions on integration users where appropriate, limiting API access to known integration source IPs.
- Monitor API consumption continuously
Set up monitoring on API consumption against the limit. The Setup page System Overview shows current consumption; for continuous monitoring, integrate with the org's standard observability platform (Splunk, Datadog) through Event Monitoring or the API limit API. Configure alerts that fire when daily consumption exceeds defined thresholds (60 percent of allocation triggers attention, 80 percent triggers escalation). Track trends over time to identify which integrations are growing and may need optimization or additional capacity.
- Design integrations to respect API limits
For new integrations, design with API efficiency in mind: use Bulk API for high-volume operations, batch operations through Composite API, cache data on the integration side to reduce repeated reads, use Change Data Capture or Platform Events instead of polling. Review existing integrations periodically for chatty patterns that consume API calls without delivering proportionate value. Refactoring inefficient integrations is often more cost-effective than purchasing additional API capacity.
- Exceeding the daily API limit causes new calls to fail. The fix is purchasing add-on capacity or waiting for the 24-hour reset.
- Bulk API calls are counted differently from REST or SOAP. A Bulk job processing 100,000 records is one API call, not 100,000.
- Different APIs have different rate limits. Streaming API has connection limits separate from the daily call limit.
- Integration user-level IP restrictions can lock out integrations if not configured carefully. Test thoroughly before enforcing.
- Connected App OAuth scopes are minimal-permission by design. Over-scoping creates security risk; under-scoping breaks the integration.