0

Our org is hitting total API limit per 24 hour. After reviewing the login event report, we found one of the external application is trying to access salesforce using username , password + security token which generates too many login request to salesforce which can be result in too many total API hit per 24 hour. I checked the link.OAuth interactions: do they count as API calls? and it seems OAUTH refresh / access token doesn't count to the api limit

1) I wanted to know if the external application uses OAUTH 2.0 refresh token to access Salesforce api and refresh token is set to never expire in the connected app , will this reduce the total API hit per 24 hour?

2) After API user logs in to salesforce, does subsequent hit to salesforce url by external application is counted as part of API limit?

Manish Anand
  • 829
  • 1
  • 18
  • 32
  • No. I want to know- Will using refresh token (which is set to never expire) increase my login api count? If no, will the login api count be 1 (just for the first time login) ? – Manish Anand Feb 20 '20 at 21:29

1 Answers1

3

Daily Login Limit

The limit is specifically on calls to login() via the SOAP API, which is what your application is currently doing with the security token. Since the limit is 3600/hour, it appears that your application is performing a new login once per second.

You can probably fix this problem just by holding the session id during its validity period, as recommended in the knowledge article Sign in error 'Login Rate Exceeded':

Make sure that you are reusing the session, and not making a login call for every API request

That said, there are a wide variety of good reasons to switch to OAuth authentication, including that your application does not need to store actual credentials, which is a poor security practice. While you'll have to pay attention to other platform limits in any case, such as the total API call limit, any OAuth flow that involves storing an access token and a refresh token should both increase your security and get rid of this error.

Edit

Let's be clear here. You've now stated that the login limit is not your issue, but the daily API call limit is.

Using OAuth authentication means, per the question that you linked, that the calls you make to authenticate to Salesforce do not count towards your API limit. Regular calls made to the Salesforce REST API after authentication always count towards your limit, and there is no magic trick to make them not count.

If you are exceeding the Daily API Call limit, you need to either

  • Work with your account executive to request an increase in this limit.
  • Optimize your remote application to make fewer calls, such as by using the sObject Collection and sObject Composite resources. However, only your developers can testify to what exactly your app is doing to burn 1 million API calls and how then to fix it.
David Reed
  • 92,733
  • 13
  • 84
  • 157
  • Sorry for the confusion here. I have updated my original question. I am not exceeding login rate per / hour. Rather I am getting total API limit per 24 hour. Can use of OAUTH refresh token decrease the total API count per 24 hour? – Manish Anand Feb 21 '20 at 06:39
  • Then how does the question you linked not answer your question? The accepted answer states that OAuth interactions do not count as API calls. – David Reed Feb 21 '20 at 14:00
  • This is no where documented as part of the salesforce official document that we can use OAUTH refresh token to decrease the API hit to 0 for a specific user. In my use case, this user API hit per 24 hour is more than 1M , so wanted to reconfirm if someone had similar experience for reducing the API count using refresh token. – Manish Anand Feb 23 '20 at 06:08
  • You can't. Using OAuth means that your authorization calls don't count against API limits. It doesn't get you out of limits for other calls. I've updated my answer above. – David Reed Feb 23 '20 at 15:46
  • Got it. So does it mean - After login and first time authenticate to salesforce, all the subsequent calls to the salesforce resources are counted towards the api limit ?? – Manish Anand Feb 23 '20 at 18:43
  • Yes. This is documented here: https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm – David Reed Feb 23 '20 at 18:46