OAuth interactions: do they count as API calls?

OAuth token grants and token authorizations are human interactions that take place in the browser. And token refreshes happen to be machine interactions. Do any of the typical OAuth interactions count towards the 24-hour API limit?

I know the following API invocations count toward the 24-hour limit:

  • REST API
  • SOAP API

And the following do NOT count toward that 24-hour limit:

  • Apex Callouts
  • Outbound Messages

https://developer.salesforce.com/docs/atlas.en-us.salesforce_app_limits_cheatsheet.meta/salesforce_app_limits_cheatsheet/salesforce_app_limits_platform_api.htm

Answer

After hammering the login.salesforce.com endpoints today (and getting blocked a couple of times), I’ve established (at least to my satisfaction) that the OAuth interactions around granting access tokens and refreshing them do not count against the API limits.

More specifically, I’ve hit the following endpoints 1,000 times each today.

  • https://login.salesforce.com/services/oauth2/authorize
  • https://login.salesforce.com/services/oauth2/token (both grant_type=password and grant_type=refresh_token)

… and the results.
Unhandled rejection Error

Wait… that’s not the result you want, this is.
0 API Usage

PS. It’s also worth noting that grants and token authorisation are not always human interactions; the Username-Password flow requires no user interaction.

Attribution
Source: Link, Question Author: Matt and Neil, Answer Author: Alex Tennant