WebService Method
A WebService Method in Salesforce Apex is a method declared with the webservice keyword that exposes custom Apex logic as a SOAP web service endpoint.
Definition
A WebService Method in Salesforce Apex is a method declared with the webservice keyword that exposes custom Apex logic as a SOAP web service endpoint. External applications call the method through the org Apex WSDL, which Salesforce auto-generates from the class declarations. The method runs inside the Apex context with the calling user permissions, making it a way to extend the Salesforce SOAP API surface with org-specific business logic that the standard SOAP API does not cover.
The webservice keyword is the SOAP equivalent of the @RestResource annotation for REST. Methods marked webservice must be static, must live in a global class, and must accept and return SOAP-compatible types (primitives, sObjects, custom classes with @InvocableMethod or webservice members). The result is a callable SOAP operation discoverable in the org downloadable WSDL. In 2026, custom SOAP web services are increasingly legacy work; new integrations use REST or GraphQL APIs. WebService Method knowledge remains relevant for maintaining existing SOAP-based integrations and for certification exam questions.
WebService Methods in Apex: syntax, security, and the SOAP integration lifecycle
webservice keyword and what it requires
A method exposed as a SOAP web service must satisfy specific constraints. The webservice keyword goes between the access modifier (global) and the return type in the method signature: global static String myMethod(). The method must be static. The class containing it must be global, not public. The method parameters and return type must be types SOAP can serialize: primitives (String, Integer, Boolean, Date), sObjects, lists of these, or custom Apex classes whose members are also webservice. Exceptions thrown from the method translate to SOAP faults. The compiled WSDL exposes the method as a SOAP operation under the org Apex namespace, and external callers can invoke it through any SOAP client that authenticates with a valid Salesforce session id.
How external clients discover and call WebService Methods
External clients integrate with a Salesforce Apex WebService Method through the same WSDL download workflow as the standard SOAP APIs, but pointed at the Apex-specific WSDL instead of the Enterprise or Partner WSDL. From Salesforce Setup, search Apex Classes, find the class containing the WebService Methods, click WSDL. The downloaded file describes every webservice method in the class as a SOAP operation. The client generates stubs from the WSDL (using WSC for Java, Visual Studio for C#, similar tools for other languages), authenticates against the Salesforce login endpoint to obtain a session id, and calls the operation by name with the right parameters. The session id authenticates and authorizes the call; the method runs as the calling user.
When to use a WebService Method vs an Apex REST service
Both webservice (SOAP) and @RestResource (REST) expose custom Apex business logic to external callers. Pick the one that matches the caller preferred protocol. Older enterprise Java applications often use SOAP because their tooling generates SOAP clients more easily. Modern integrations almost always prefer REST because it returns JSON, has lighter overhead, and integrates more naturally with modern HTTP clients. For new development in 2026, default to @RestResource unless there is a specific reason to use SOAP. For existing SOAP-based integrations, leave the WebService Method in place; rewriting working SOAP code as REST rarely justifies the migration cost. Both styles run as the same Apex business logic; only the protocol wrapper differs.
Permissions, security, and the calling user context
WebService Methods run as the calling user, which means the calling user profile, field-level security, sharing rules, and permission sets all apply to whatever the method does. A user with limited access who calls the method sees limited results, even if the method itself does not filter explicitly. The method also has access to the calling user session through Userinfo.getUserId() and similar Apex utilities. The class containing the WebService Method should have appropriate sharing declarations (with sharing, without sharing, inherited sharing) based on the security intent. Profiles and permission sets need explicit Apex Class Access to the containing class for the WebService Method to be callable. Without that grant, callers receive a permission error even with valid authentication.
Testing and the @isTest constraint on webservice
Webservice methods can be unit-tested through standard Apex test methods. The test method calls the webservice method directly (not through the SOAP protocol; just the underlying Apex method invocation). This pattern verifies the business logic but not the SOAP serialization. To test serialization, use a real SOAP client during integration testing. WebService Methods count toward Apex code coverage requirements like any other Apex code; the 75 percent code coverage rule applies. The webservice keyword has restrictions in the test context: it cannot be called from a test method that uses Test.startTest if the method depends on session-id-based authentication. Most test methods work fine because they call the Apex directly rather than going through the SOAP layer.
Performance, governor limits, and operational concerns
WebService Methods run inside the standard Apex execution context, which means they are subject to all the usual governor limits: 100 SOQL queries per transaction, 150 DML statements, 6 MB heap size, 10 second CPU time for synchronous Apex. Long-running operations need to use @future, @Queueable, or Batch Apex instead of running synchronously in the WebService Method. Callout limits also apply: 100 HTTP callouts max per transaction, 60-second timeout per callout. WebService Method calls count against the org daily API request limit. Mature SOAP integrations build retry-with-exponential-backoff on the client side to handle transient failures (lock contention, query timeouts) since the Salesforce platform does not retry automatically. Monitor usage proactively; a runaway integration can lock out every other API caller for the day.
Building a custom Apex WebService Method end to end
Building a custom Apex WebService Method is straightforward syntactically but requires care around permissions, error handling, and testing. The four-step routine covers: declare the method with the webservice keyword and the right signature, grant Apex Class Access through profiles or permission sets, expose the WSDL to external integrators, and add test methods that cover the business logic. Each step has its own pitfalls; skipping any of them produces an integration that compiles in sandbox and breaks in production, usually around permissions.
- Declare the WebService Method in a global class
Create or open an Apex class with the global access modifier. Declare each method exposed as SOAP with global static return-type methodName(parameters) annotated with the webservice keyword between global and the return type. Use SOAP-compatible parameter types: primitives, sObjects, lists, or custom Apex classes whose members are also webservice. Document the method purpose, expected inputs, and outputs in a header comment so external integrators understand what they are calling. Add error handling: catch exceptions and rethrow them as meaningful SOAP faults with descriptive messages. The platform translates Apex exceptions to SOAP faults but the default messages are often unhelpful; explicit message handling is the safer pattern.
- Grant Apex Class Access through profiles or permission sets
In Salesforce Setup, open the profile or permission set used by the calling integration user. Add the containing Apex class to the Enabled Apex Class Access list. Without this grant, the WebService Method returns a permission error even when authentication succeeds. The grant is per-class, not per-method. Document the access grant in the integration runbook so future admins do not remove the permission set or profile when cleaning up unused configurations. For shared integration patterns (one Apex class containing methods called by multiple integrations), centralize the access in a single permission set that all relevant integration users carry.
- Generate and share the Apex WSDL
From Salesforce Setup, search Apex Classes, find the class containing the WebService Method, click WSDL. The platform generates a class-specific WSDL that describes the SOAP operations. Save the WSDL to a stable location and share it with the external integration team. They will use the WSDL to generate client stubs in their preferred language (Java, C#, Python, etc.). Document the WSDL version (the API version the class targets) so the external team knows which Salesforce release behavior to expect. Re-share the WSDL on every class signature change; old WSDLs reference old signatures and stubs generated from them stop working.
- Add test methods that cover the business logic
In a test class, write @isTest methods that call the WebService Method directly (no SOAP layer needed; just invoke the Apex method). Set up test data, exercise the method with realistic inputs, and assert the expected outcomes. Wrap async work in Test.startTest and Test.stopTest. Mock any external dependencies (HTTP callouts, custom settings) with the standard test mocking patterns. Aim for high coverage on the method itself plus at least one positive and one negative scenario. Add the test methods to your CI pipeline so any change to the WebService Method business logic gets validated automatically. Without tests, regressions in the SOAP integration ship to production undetected.
- WebService Methods must be in a global class. Public classes do not expose webservice methods to external SOAP callers; the WSDL generator skips them.
- The webservice keyword has parameter type restrictions. Use primitives, sObjects, or custom classes whose members are webservice. Other Apex types (Map, complex inner classes without webservice members) cause WSDL generation errors.
- Apex Class Access is required even with valid OAuth or session id authentication. Without it, callers receive permission errors that look like authentication failures.
- Regenerate and re-share the WSDL after any signature change. Old stubs generated from outdated WSDLs stop working; the external integration team has to regenerate their stubs to match.
- For new development, prefer @RestResource over webservice. SOAP is legacy; new integrations should default to REST unless there is a specific reason (existing SOAP tooling, partner contractual requirement) to use SOAP.
Trust & references
Straight from the source - Salesforce's reference material on WebService Method.
- Apex Web ServicesSalesforce Developer Docs
- webservice KeywordSalesforce Developer Docs
- Apex Class SecuritySalesforce Help
Hands-on resources to go deeper on WebService Method.
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Test your knowledge
Q1. What is a WebService Method?
Q2. Is it the modern approach?
Q3. What keyword declares them?
Discussion
Loading discussion…