13

OAuth token grants and token authorizations are human interactions that take place in the browser. And token refreshes happen to be machine interactions. Do any of the typical OAuth interactions count towards the 24-hour API limit?

I know the following API invocations count toward the 24-hour limit:

  • REST API
  • SOAP API

And the following do NOT count toward that 24-hour limit:

  • Apex Callouts
  • Outbound Messages

https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm

Matt and Neil

2 Answers

12

After hammering the login.salesforce.com endpoints today (and getting blocked a couple of times), I've established (at least to my satisfaction) that the OAuth interactions around granting access tokens and refreshing them do not count against the API limits.

More specifically, I've hit the following endpoints 1,000 times each today.

  • https://login.salesforce.com/services/oauth2/authorize
  • https://login.salesforce.com/services/oauth2/token (both grant_type=password and grant_type=refresh_token)

... and the results. Unhandled rejection Error

Wait... that's not the result you want, this is. 0 API Usage

PS. It's also worth noting that grants and token authorisation are not always human interactions; the Username-Password flow requires no user interaction.

Alex Tennant
0

I would like to add that I performed a similar exercise as Alex Tennant did but instead called the https://login.salesforce.com/services/oauth2/userinfo endpoint which is part of the OpenID Connect protocol.

I called it thousands of times and can confirm that also for this endpoint no API Requests were used.

If you want to reproduce this scenario in your own org, you can use the following curl command in a terminal.

curl -X GET \
  'https://login.salesforce.com/services/oauth2/userinfo?[1-10000]=' \
  -H 'Authorization: Bearer <use_your_own_token_here>'

This will call the UserInfo endpoint 10000 times in a row.

Folkert
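Added example, not part of either answer: one way to check the "no API requests used" result is to read the org's REST limits resource before and after the test run and compare the DailyApiRequests counter. The function names and sample numbers below are constructed, the snapshots are assumed to have the Max/Remaining shape of that resource, and it is an assumption that the first snapshot request itself consumes one daily API request.

```python
# Constructed snapshots shaped like the REST "limits" resource response.
# All numbers and the connected-app name are made up for the example.
BEFORE = {
    "DailyApiRequests": {"Max": 15000, "Remaining": 14990,
                         "Sample Connected App": {"Max": 0, "Remaining": 0}},
    "DailyBulkApiRequests": {"Max": 10000, "Remaining": 10000},
}
AFTER = {
    "DailyApiRequests": {"Max": 15000, "Remaining": 14989,
                         "Sample Connected App": {"Max": 0, "Remaining": 0}},
    "DailyBulkApiRequests": {"Max": 10000, "Remaining": 10000},
}


def consumed(snapshot, name):
    """Calls used against one limit (Max - Remaining), or None if unusable."""
    entry = snapshot.get(name)
    if not isinstance(entry, dict) or "Max" not in entry or "Remaining" not in entry:
        return None
    return entry["Max"] - entry["Remaining"]


def usage_delta(before, after, snapshot_calls=1):
    """Per-limit change in consumption between two snapshots.

    snapshot_calls: REST calls made by the measurement itself between the
    two readings (assumed to count against DailyApiRequests). They are
    subtracted so the result reflects only the traffic under test.
    """
    deltas = {}
    for name in sorted(set(before) | set(after)):
        b, a = consumed(before, name), consumed(after, name)
        if b is None or a is None:
            continue  # limit missing from one reading: not comparable
        delta = a - b
        if name == "DailyApiRequests":
            delta -= snapshot_calls
        deltas[name] = delta
    return deltas


def counted_against_api_limit(before, after, snapshot_calls=1):
    """True if traffic between the snapshots used daily API requests."""
    return usage_delta(before, after, snapshot_calls).get("DailyApiRequests", 0) > 0
```

Other integrations calling the org during the run also move the counter, so a non-zero delta is only meaningful in an otherwise quiet org.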