How-to guide

Make your first authenticated REST call against Salesforce

Stand up a Connected App, get an OAuth access token, and run a GET on the sobjects endpoint to confirm the Salesforce REST API is reachable from your environment.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary
Last updated May 26, 2026

  1. Create a Connected App

    In Setup, open App Manager and choose New Connected App. Enter the name, contact email, and callback URL. Enable OAuth Settings and add the scopes (Api, Refresh Token, Full).

  2. Save and note the credentials

    Save the Connected App. Copy the Consumer Key and Consumer Secret from the new app's detail page. These are the client_id and client_secret for the OAuth flow.

  3. Request an access token

    Run curl -X POST https://login.salesforce.com/services/oauth2/token with grant_type=password, client_id, client_secret, username, and password+security_token. The response contains the access_token.

  4. Discover the API base URL

    The token response includes an instance_url. The REST API base is instance_url plus /services/data/v62.0. Set this as your API root.

  5. Run a test query

    Run curl -H "Authorization: Bearer ACCESS_TOKEN" "https://INSTANCE/services/data/v62.0/query?q=SELECT+Id,Name+FROM+Account+LIMIT+5" and confirm you receive a JSON response with the expected accounts.

  6. Inspect the rate-limit header

    The response includes a Sforce-Limit-Info header showing api-usage. Log this in your integration so you can alert when usage approaches the org cap.
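
Steps 3 to 6 as a small Python client, added here as an example (it is not code from the original guide). The SF_* environment variable names, the function names and the 80% alert threshold are assumptions; secrets are read from the environment so they stay out of shell history and the process list.

```python
import json
import os
import re
import urllib.parse
import urllib.request

API_VERSION = "v62.0"  # version path segment used in the steps above
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

def token_form(env):
    """Step 3: form body for the password grant (SF_* names are assumptions)."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": env["SF_CLIENT_ID"],
        "client_secret": env["SF_CLIENT_SECRET"],
        "username": env["SF_USERNAME"],
        # Password and security token go in as one concatenated string.
        "password": env["SF_PASSWORD"] + env["SF_SECURITY_TOKEN"],
    }).encode()

def api_root(token_response):
    """Step 4: instance_url plus the pinned version path."""
    return token_response["instance_url"].rstrip("/") + "/services/data/" + API_VERSION

def api_usage(limit_info):
    """Step 6: pull org-wide USED/LIMIT out of a Sforce-Limit-Info value."""
    # The lookbehind skips a per-app-api-usage field if one is present.
    m = re.search(r"(?<![\w-])api-usage=(\d+)/(\d+)", limit_info or "")
    if not m:
        raise ValueError("no api-usage field in Sforce-Limit-Info")
    return int(m.group(1)), int(m.group(2))

def near_cap(limit_info, threshold=0.8):  # threshold is an assumed alert level
    used, limit = api_usage(limit_info)
    return limit > 0 and used / limit >= threshold

def first_call(env=os.environ):
    """Steps 3-6 against a live org; returns (records, used, limit)."""
    post = urllib.request.Request(TOKEN_URL, data=token_form(env))
    with urllib.request.urlopen(post, timeout=30) as r:
        tok = json.load(r)
    q = urllib.parse.urlencode({"q": "SELECT Id,Name FROM Account LIMIT 5"})
    auth = {"Authorization": "Bearer " + tok["access_token"]}
    get = urllib.request.Request(api_root(tok) + "/query?" + q, headers=auth)
    with urllib.request.urlopen(get, timeout=30) as r:
        used, limit = api_usage(r.headers.get("Sforce-Limit-Info"))
        return json.load(r)["records"], used, limit

if __name__ == "__main__":  # constructed sample header; runs offline
    print(near_cap("api-usage=4100/5000; per-app-api-usage=17/250(appName=sample-connected-app)"))
```

For an unattended integration, the JWT Bearer grant listed under Key options avoids storing a user password and security token at all.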

Key options
Connected App

The Salesforce object that holds OAuth credentials, callback URL, and scopes for an external integration.

OAuth Grant Type

The authentication flow used to get an access token (Web Server, User Agent, JWT Bearer, Refresh Token, Username-Password).

API Version

The version path segment in the URL. Pin to a known version, upgrade on your own schedule.

Composite Resource

Bundle multiple REST calls into one HTTP request. Reduces round-trips and supports per-call rollback.

Gotchas
  • Password OAuth flow requires the username, password, and security token concatenated as one string in the password parameter. Missing the token returns INVALID_LOGIN with no useful detail.
  • Access tokens expire after the session timeout (default 2 hours). Long-running integrations must use the refresh token to obtain new access tokens without re-authenticating the user.
  • The API daily limit is per org, not per Connected App. A misbehaving integration can exhaust the org cap and lock out other integrations.
  • REST endpoints differ from SOAP in some edge cases (the upsert payload shape, the way binary attachments are handled). Always test your specific endpoint, not just the documented common cases.
