What is the most important tip for working with Web Services API?

Pick the right API for the workload. REST for small to medium CRUD, Bulk for over 10,000 records, Streaming or Pub/Sub for real-time push. Wrong API plus right code still produces wrong outcomes at scale.

DevelopmentIntermediate

Web Services API

Q: What is the Web Services API?

Web Services API encompasses all Salesforce programmatic interfaces.

Q: What APIs are included?

The collection includes many specialized APIs.

Q: How do you choose between them?

Each API fits different integration patterns.

Web Services API in Salesforce is the umbrella name for the set of programmatic interfaces that let external systems interact with Salesforce data, metadata, and platform features over HTTP.

Hear it

§ 01

Definition

Web Services API in Salesforce is the umbrella name for the set of programmatic interfaces that let external systems interact with Salesforce data, metadata, and platform features over HTTP. The collection includes REST API, SOAP API, Bulk API and Bulk API 2.0, Streaming API and the Pub/Sub API, Metadata API, Connect REST API, GraphQL API, Tooling API, and a handful of more specialized ones. Each API targets a different use case but shares the same authentication (OAuth 2.0 or session-based), the same versioning model, and the same rate limits.

The term Web Services API is a holdover from the early Salesforce platform when SOAP was the only option and Apex had a Web Services namespace for callouts. Modern Salesforce documentation tends to use API or Platform API instead, but Web Services API still shows up in older content, on certification exams, and in any conversation with a long-tenured Salesforce developer.

§ 02

The Salesforce Web Services API portfolio: what to use when and how to authenticate

The current Salesforce API portfolio

Salesforce ships a portfolio of APIs and each one fits a specific workload. REST API is the default for record-level CRUD operations, complex queries, and small to medium data volumes; it returns JSON and is the most actively developed. SOAP API is the original XML-based API and is still supported for legacy callers and a few features that REST does not cover yet. Bulk API and Bulk API 2.0 handle very large data loads (millions of records), running asynchronously with job and batch tracking. Streaming API and Pub/Sub API push real-time events to subscribers. Metadata API moves metadata between orgs for deployments. Connect REST API exposes Chatter, Communities, and CMS features. GraphQL API offers a single endpoint with flexible field selection. Tooling API powers IDEs and dev tools.

Authentication: OAuth and the Connected App

Almost every Web Services API call authenticates through OAuth 2.0 against a Connected App configured in the target Salesforce org. The Connected App holds the Consumer Key and Consumer Secret, the allowed OAuth scopes, the callback URL, and any IP restrictions. External applications obtain an Access Token through one of several OAuth flows (Web Server, JWT Bearer, Client Credentials, Username-Password, Device, Refresh Token) depending on the integration pattern. The Access Token then goes in the Authorization header of every subsequent API call. Session-based authentication (Username plus Password Token) is still supported for SOAP API but is being phased out in favor of OAuth. Configure the Connected App once, store the credentials securely on the caller side, and use OAuth for everything else.

API versioning and the v59.0-style URL

Every Web Services API endpoint includes a version number in the URL path: /services/data/v59.0/sobjects/Account. The version number tracks the Salesforce release that introduced the endpoint behavior. New API versions ship with every Salesforce release (three times a year). Older API versions remain available indefinitely so customer integrations do not break on every Salesforce upgrade. Best practice is to pin each integration to a specific API version (not the latest) so behavior is predictable, and bump the version on a controlled schedule after testing. The Salesforce API behavior compatibility guide documents every behavior change between versions; read it before any bump. Endpoints called without a version number default to the oldest still-supported version, which is rarely what you want.

Rate limits, governor limits, and how to stay under them

Every API call counts against the org daily API request limit, which scales with the number of paid Salesforce user licenses (typically tens of thousands of calls per day for an Enterprise Edition org). Burst limits apply at the per-minute level. Bulk API operations count differently than REST: a Bulk job uses fewer API calls per record processed but blocks behind a job queue. Streaming API push messages do not count against the daily limit but have separate event-per-day allowances. Hitting the limit returns an error code and blocks subsequent calls until the daily window resets. Mature integrations monitor the API usage dashboard in Setup and add throttling on the caller side to keep usage below 80 percent of the limit, with a buffer for unexpected bursts.

Choosing the right API for the workload

Picking the wrong API is the most common architectural mistake in Salesforce integrations. Rules of thumb: use REST API for general-purpose CRUD on small to medium record counts (under 10,000 records per operation). Use Bulk API 2.0 for any data load over 10,000 records or any operation that does not need to be synchronous. Use Streaming API or Pub/Sub API when you need real-time push (record changes, custom platform events). Use Metadata API only for moving metadata between orgs; never for record-level work. Use Connect REST API for Chatter, Communities, or CMS work. Use GraphQL when the caller needs to assemble multiple object relationships in a single request. Trying to make REST handle a Bulk workload, or vice versa, ends in rate-limit errors and poor performance.

Where Web Services API knowledge appears in 2026

In 2026, Web Services API knowledge shows up in three contexts. First, every Salesforce certification has at least a few API questions, especially Platform Developer I and II, Integration Architecture, and System Architect. Second, every real-world Salesforce integration project requires choosing between the APIs based on the workload and authenticating through a Connected App. Third, troubleshooting third-party tools (Mulesoft, Workato, Boomi, Zapier, Tableau) often requires understanding what API the tool is calling and what limit it is hitting. Naming convention has shifted slightly: Salesforce documentation now prefers Platform API or just API over Web Services API, but the older name still appears in legacy content and continues to be valid on the cert exams.

§ 03

Setting up and operating a Web Services API integration

Setting up a Web Services API integration is a standard pattern: configure a Connected App on the Salesforce side, generate OAuth credentials, pick the right API for the workload, authenticate, and make calls with proper error handling. The pattern is the same for every external caller (Mulesoft, custom Node service, Python script, low-code platform), only the syntax changes. Walk through this once and the next integration is straightforward. The mistake most teams make is skipping the rate-limit analysis until the integration is in production and hitting daily caps.

Create a Connected App with the right OAuth scopes
From Setup, App Manager, click New Connected App. Enter the integration name, contact email, and logo. Enable OAuth Settings. Set the Callback URL to the external system OAuth callback (or localhost for testing). Select the required OAuth Scopes: api for record access, refresh_token for long-lived sessions, openid for user identity, web for web-server flow. Save the Connected App. Salesforce generates a Consumer Key and Consumer Secret; copy them to your external system secret store. Configure IP restrictions or trusted IP ranges to limit where the credentials can be used from.
Pick the right API and the right OAuth flow
Match the API to the workload using the rules of thumb above. Match the OAuth flow to the caller pattern. Web Server flow for human-initiated access. JWT Bearer flow for server-to-server with a certificate. Client Credentials flow (new) for server-to-server without user context. Username-Password flow is legacy and should be avoided. Refresh Token flow for long-lived sessions that survive token expiration. Document the API and flow choice in the integration runbook. The choice determines the credential rotation requirements and the error-handling logic the caller has to implement.
Authenticate and make a smoke-test call
From the caller, perform the OAuth flow to obtain an Access Token. Make a smoke-test call against a known-good endpoint (typically /services/data/v59.0/sobjects/Account/describe). Confirm the response includes the expected fields and the status code is 200. If the call returns 401 Unauthorized, check the Access Token format, the OAuth scopes on the Connected App, and the user permissions. If the call returns 403, check IP restrictions and profile-level API access. Once the smoke test passes, move to the actual integration logic. Never deploy an integration that has not passed the smoke test in production conditions.
Add monitoring, retries, and rate-limit handling
On the caller side, log every API call with timing and result. Watch for the daily API usage to climb toward the org limit; throttle proactively at 70 to 80 percent of the cap. On any 503 or 429 response, back off with exponential delay before retrying. On any token expiration (401 after the token was valid), refresh the token and retry. Add the integration to the org API monitoring dashboard so the admin team can see traffic from each caller. Document the rate-limit budget for each caller in the integration runbook so future architects know which budget belongs to which workload.

Gotchas

Username-Password OAuth flow is being phased out for security reasons. New integrations should use JWT Bearer or Client Credentials. Legacy callers using Username-Password will fail when Salesforce disables the flow.
API calls without a version number default to the oldest still-supported version. This behavior is rarely what you want; always include the version in the URL path.
Bulk API uses different rate-limit accounting than REST. A Bulk job uses fewer API calls per record but blocks behind a queue. Picking the wrong API for the workload causes rate-limit errors at scale.
Connected App Consumer Secrets do not auto-rotate. If a secret leaks, you have to manually regenerate it in Setup and update every caller. Plan rotation as a recurring task.
Daily API Request Limit is shared across the entire org. One runaway integration can lock out every other caller for the rest of the day. Add per-caller monitoring and throttling to prevent this.

Trust & references

Official documentation

Straight from the source - Salesforce's reference material on Web Services API.

REST API Developer GuideSalesforce Developer Docs
Bulk API 2.0 Developer GuideSalesforce Developer Docs
Connected Apps OverviewSalesforce Help

Was this entry helpful?

Help us write better definitions. Quick reactions or detailed edit suggestions.

About the Author

Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.

Test your knowledge

Q1. What is the Web Services API?

Q2. What APIs are included?

Q3. How do you choose between them?

Discussion

Loading…

Loading discussion…

Back to Dictionary