Skip to content
theCodeFlash

Salesforce API Landscape

Salesforce exposes dozens of APIs, each built for specific use cases. Choosing the wrong one is a common CTA pitfall. This page covers every API that matters for the exam: decision criteria, volume thresholds, and rate limits.

API Decision Matrix

APIProtocolFormatBest ForVolumeDirection
REST APIRESTJSON/XMLCRUD operations, modern integrationsLow-mediumBidirectional
SOAP APISOAPXMLLegacy systems, full metadata accessLow-mediumBidirectional
Bulk API 2.0RESTCSV/JSONLarge data loads (thousands+)HighBidirectional
Composite APIRESTJSONMulti-step operations, reducing roundtripsLow-mediumInbound
Streaming APIBayeux/CometDJSONReal-time notifications (legacy)Event-basedOutbound
Pub/Sub APIgRPCAvro/BinaryHigh-throughput event streamingEvent-basedBidirectional
Platform Events APIRESTJSONCustom business eventsEvent-basedBidirectional
Change Data CapturePub/SubAvroData change notificationsEvent-basedOutbound
GraphQL APIGraphQLJSONFlexible queries, mobile optimizationLow-mediumBidirectional
Metadata APISOAP/RESTXML/JSONDeployment, org configurationN/ABidirectional
Tooling APIREST/SOAPJSON/XMLDeveloper tools, IDE integrationN/ABidirectional
Analytics APIRESTJSONCRM Analytics (Tableau CRM) dataReports/dashboardsBidirectional
Connect API (Chatter)RESTJSONSocial features, feeds, communitiesLowBidirectional
Apex REST/SOAPREST/SOAPJSON/XMLCustom business logic endpointsLow-mediumInbound

REST API

The most commonly used Salesforce API. JSON-based, lightweight, suitable for most CRUD operations.

Key Characteristics

  • Standard HTTP methods (GET, POST, PATCH, DELETE)
  • JSON or XML payloads
  • Versioned endpoints (e.g., /services/data/v66.0/sobjects/Account/)
  • Supports SOQL and SOSL queries
  • Named Credentials for authentication

When to Use

  • Modern integrations with JSON-capable systems
  • Single-record or small-batch CRUD operations
  • Mobile and web application backends
  • Any integration where simplicity is valued

Rate Limits

EditionAPI Requests per 24 Hours
Enterprise100,000 (base) + 1,000 per Salesforce license
Unlimited100,000 (base) + 5,000 per Salesforce license
Per user addition (other licenses)200 per Platform, Force.com, or other license type

Concurrent call limit

All API types share a concurrent long-running call limit of 25 (for total org, not per user). Calls running longer than 20 seconds count against this limit. This is one of the most commonly overlooked limits in CTA scenarios.

When NOT to Use

  • Volumes exceeding a few thousand records per transaction (use Bulk API)
  • When you need to subscribe to data changes (use Streaming/Pub/Sub)
  • When the consumer is a legacy SOAP-only system (use SOAP API)

SOAP API

XML-based API using WSDL contracts. Same data access as REST, but with stronger typing and full metadata access.

Key Characteristics

  • WSDL-based service definitions
  • Enterprise WSDL (strongly typed, org-specific) and Partner WSDL (loosely typed, generic)
  • Full metadata access capabilities
  • Session-based authentication

When to Use

  • Legacy systems that require WSDL contracts
  • When you need the Partner WSDL for ISV/multi-org tools
  • Metadata operations (though Metadata API is more focused)
  • When strong typing and contract-first design are required

When NOT to Use

  • Modern integrations (REST is simpler and lighter)
  • High-volume operations (use Bulk API)
  • Mobile applications (XML payload overhead)

Bulk API 2.0

Purpose-built for loading, querying, and deleting large datasets. Uses a job-based asynchronous pattern.

Key Characteristics

  • Asynchronous, job-based processing
  • CSV or JSON input/output
  • Supports insert, update, upsert, delete, and hard delete
  • Automatic batching by the platform
  • Query all records with SOQL (Bulk Query)

How It Works

Client creates an ingest job, uploads CSV data, closes the job, polls for status, and retrieves per-record success and failure results.
Figure 1. Bulk API 2.0 uses a job-based async lifecycle: create, upload, close, poll, retrieve results. Partial failures are normal, so retrieve success and failure result files separately and resubmit only failed records.

Volume Guidance

ScenarioRecommendation
< 200 recordsREST API (single or Composite)
200 - 2,000 recordsREST API Composite or Bulk API
2,000 - 100,000 recordsBulk API 2.0 (serial mode)
100,000 - 10M recordsBulk API 2.0 (parallel mode)
10M+ recordsBulk API 2.0 + partitioned jobs + off-peak
Query large datasetsBulk Query (Bulk API 2.0 query operation)

Serial vs Parallel Processing

ModeBehaviorWhen to Use
SerialRecords processed in order, one batch at a timeLock contention risk, parent-child relationships
ParallelMultiple batches processed concurrentlyIndependent records, maximum throughput

Limits

LimitValue
Max records per 24-hour period100 million
Max record size10 MB per record
Max file size per upload100 MB (recommended)
Query result size1 GB per query

Serial mode for parent-child

When loading data with parent-child relationships (e.g., Accounts then Contacts), use serial mode or separate jobs with ordering. Parallel mode can cause lock contention and “UNABLE_TO_LOCK_ROW” errors. This is a frequent CTA scenario trap.

Composite API

Packs multiple API operations into a single HTTP request, cutting round trips. Three variants serve different needs.

Variants

VariantMax SubrequestsDependenciesUse Case
Composite25Yes (reference previous results)Multi-step operations with dependencies
Composite Batch25No (all independent)Multiple independent operations
sObject Tree200 recordsParent-childCreating record trees (Account + Contacts)
sObject Collections200 recordsNoBulk CRUD on same object type

Composite Request Flow

A single HTTP POST carries five dependent subrequests; Salesforce executes them sequentially using reference IDs and returns one consolidated response.
Figure 2. Composite API reduces five separate API calls to one, using reference IDs to chain dependent operations. Each subrequest can reference the output of a prior one, enabling parent-child record creation in a single round trip.

Composite Subrequest Processing (Internal Flow)

How Salesforce processes subrequests internally explains allOrNone behavior and reference ID resolution, both commonly tested at the CTA board.

Illustrates how allOrNone controls transaction scope, reference ID resolution, rollback behavior, and partial success across up to 25 subrequests.
Figure 3. The allOrNone flag determines whether a subrequest failure rolls back all prior work or allows partial success. Reference IDs resolve sequentially, so a failed subrequest breaks all downstream references that depend on it.
BehaviorallOrNone = trueallOrNone = false
Transaction scopeAll subrequests share one transactionFailed subrequests do not roll back previous successful ones, but all subrequests execute within the same request context (not separate database transactions)
On failureEntire request rolls backOnly failed subrequest rolls back
Reference IDsResolved sequentiallyResolved sequentially (but failed refs cause downstream failures)
Use caseParent-child record creation where all must succeedIndependent operations where partial success is acceptable
Governor limitsShared across all subrequestsShared across all subrequests

Reference ID dependency chains

If subrequest 2 references the ID from subrequest 1, and subrequest 1 fails with allOrNone=false, subrequest 2 will also fail because the reference cannot be resolved. Design your subrequest order carefully and always place dependent operations after their prerequisites.

When to Use

  • Creating related records in a single transaction
  • Reducing API call consumption (1 call instead of 25)
  • Mobile apps where network round trips are expensive
  • When operations have dependencies on each other

Composite Graph API

Extends the standard Composite API from 25 to 500 subrequests, organized into multiple independent graphs within a single HTTP request. Available in API v50.0+.

Composite API vs Composite Graph API

CapabilityComposite APIComposite Graph API
Max subrequests25500
GroupingSingle linear sequenceMultiple independent graphs
Transaction scopeOne transaction (with allOrNone)Each graph is its own transaction
Cross-graph referencesN/ANot supported - references only within a graph
Use caseSmall multi-step operationsComplex record trees, data loading with parent-child hierarchies

Graph Structure and Transaction Behavior

Each graph is always transactional: all subrequests in a graph succeed or all fail (allOrNone is implicitly true per graph). The parent request is not transactional as a whole. If Graph A succeeds and Graph B fails, Graph A’s changes persist. Partial success only happens across graphs, never within a single graph.

A single HTTP POST contains three independent graphs, each transactional on its own, allowing up to 500 subrequests with isolated failure boundaries.
Figure 4. Composite Graph API groups up to 500 subrequests into independent transactional graphs within a single HTTP call. If Graph 2 fails, Graph 1 changes persist. Failure isolation is per-graph, not per-request.

When to Use Composite Graph API

  • Loading record trees where 25 subrequests is insufficient (e.g., Account + Contacts + Opportunities + line items in one call)
  • Batch operations that need transactional grouping by logical entity (each graph = one business entity)
  • Reducing API call consumption in high-volume synchronous integrations
  • When different record groups need independent transaction boundaries within the same request

When NOT to Use

  • Under 25 subrequests - standard Composite API is simpler
  • When you need cross-graph references (use a single graph or chain requests)
  • Bulk data loads of thousands of records - Bulk API 2.0 is more appropriate

CTA Exam Relevance

Composite Graph API is the answer when a scenario needs complex record trees in a single synchronous call and 25 subrequests is not enough. The key architectural point: each graph is its own transaction. This isolates failures to one business entity without rolling back unrelated records in other graphs.

Pub/Sub API (gRPC)

The modern, high-performance event streaming API built on gRPC with Avro-encoded events. Replaces the legacy Streaming API.

Key Characteristics

  • gRPC-based bidirectional streaming
  • Avro binary encoding (compact, schema-enforced)
  • Subscribe to Platform Events, Change Data Capture, and custom channels
  • Publish and subscribe capabilities
  • Supports managed subscriptions with server-side cursor tracking

Architecture

Salesforce triggers, flows, and external publishers send events to the gRPC event bus endpoint, which streams to multiple external and Apex subscribers.
Figure 5. Pub/Sub API uses gRPC over HTTP/2 with Avro binary encoding, enabling high-throughput bidirectional streaming. Multiple independent subscribers receive the same events without any subscriber affecting another’s delivery.

When to Use

  • High-throughput event consumption from external systems
  • When you need managed subscriptions (server tracks position)
  • Modern event-driven architectures
  • Replacing legacy CometD/Bayeux Streaming API

When NOT to Use

  • Simple, low-volume polling (REST API query is simpler)
  • If gRPC is not supported in the client environment
  • Batch data synchronization (use Bulk API)

Streaming API (Legacy)

CometD/Bayeux long-polling protocol for near-real-time notifications. Being superseded by Pub/Sub API.

Channels

Channel TypePurposeExample
PushTopicSOQL-based record change notificationsNew high-value Opportunities
Generic StreamingCustom event broadcastingApplication-specific events
Platform EventsCustom business eventsOrderPlaced, PaymentReceived
Change Data CaptureStandard/custom object changesAny field change on Account

PushTopic and Generic Streaming retiring Summer 2027

PushTopics and Generic Streaming Events are deprecated (since Spring ‘19) and retiring in Summer 2027. No new features are added. For new implementations, use Pub/Sub API with Platform Events or Change Data Capture. The CTA board may still ask about Streaming API for legacy scenarios — understand the pattern but always recommend the modern replacements for new designs.

GraphQL API

Consumers request exactly the data they need in a single query, avoiding over-fetching and under-fetching.

Key Characteristics

  • Single endpoint: /services/data/v66.0/graphql
  • Queries (all versions) and mutations (beta v59.0-v65.0, GA in API v66.0 / Spring ‘26)
  • Supports SOQL-like filtering and relationship traversal
  • Ideal for mobile and bandwidth-constrained clients

When to Use

  • Mobile applications needing optimized payloads
  • Complex queries spanning multiple related objects
  • When consumers need flexible, self-service data access
  • Reducing the number of API calls for related data

When NOT to Use

  • Bulk data operations
  • When consumers are WSDL-based legacy systems

Metadata API & Tooling API

Metadata API

  • Deploy and retrieve metadata (custom objects, fields, layouts, etc.)
  • Used by Salesforce CLI, VS Code extensions, CI/CD pipelines
  • SOAP-based (with REST Metadata API for some operations)
  • Not for data operations - for org configuration only

Tooling API

  • REST and SOAP access to metadata for developer tooling
  • Supports SOQL against metadata types (ApexClass, ApexTrigger, etc.)
  • Used for: code compilation, debug logs, test execution, code coverage
  • Lighter-weight than Metadata API for specific use cases

API Selection Decision Flowchart

Routes any data or metadata operation through volume, direction, protocol, and event-type criteria to the appropriate Salesforce API.
Figure 6. API selection depends on operation type, volume, protocol constraints, and whether the use case is event-driven. The most common mistakes are using REST API for bulk volumes (use Bulk API 2.0) and polling for changes (use CDC or Platform Events).

Rate Limits Summary

Limit TypeValueApplies To
Daily API requests100K base + per-user (EE: 1,000/user, UE: 5,000/user)REST, SOAP, Composite, Bulk
Concurrent API requests (long-running)25All APIs
Bulk API 2.0 daily records100 millionBulk API 2.0
Streaming API concurrent clients2,000Streaming/Pub/Sub
Platform Events published per hourVaries by allocationPlatform Events
Composite subrequests25 per requestComposite API
sObject Collections200 records per requestCollections API
API request timeout120 secondsAll synchronous APIs
Callout timeout (Apex)Default 10s per callout, configurable up to 120s; 120s cumulative per transactionApex HTTP callouts

API limit exhaustion

Running out of daily API calls is a production emergency. Always design with API limit budgeting: estimate daily call volume, compare to allocation, and build in headroom. If the math does not work, switch to Bulk API, Composite API, or change the pattern to cut call volume.

API Authentication

Every API call requires authentication. The table below maps each OAuth flow to its integration use case. For the full flow decision tree, sequence diagrams, and security comparison, see Identity & SSO - OAuth 2.0 Flows.

OAuth FlowIntegration Use CaseInvolves User?
Web Server FlowUser-facing applications with backendYes
JWT Bearer FlowServer-to-server, automated integrationsNo (service account)
Device FlowInput-constrained devices, CLI toolsYes (out-of-band)
Client Credentials FlowMachine-to-machine (no user context)No

Named Credentials

Always recommend Named Credentials for Salesforce-initiated callouts. They handle token management, refresh, and credential storage securely. Hardcoding credentials or storing tokens in custom settings is an anti-pattern the board will challenge.

CTA Scenario Tips

  • Count your API calls: For every integration, estimate daily API consumption and compare against limits
  • Composite for efficiency: If a process requires 5 API calls, ask whether Composite can reduce it to 1
  • Bulk for volume: Any time data volume exceeds a few thousand records, the answer is almost always Bulk API 2.0
  • Pub/Sub for events: For real-time event-driven architectures, Pub/Sub API is the modern choice
  • GraphQL for mobile: When a mobile or SPA frontend needs flexible data, GraphQL reduces over-fetching
  • Named Credentials always: There is no acceptable reason to hardcode credentials in a CTA scenario
  • Large Data Volumes: Bulk API 2.0 selection and volume thresholds tie directly to LDV considerations
  • Shield & Encryption: API access to encrypted fields; Shield Platform Encryption affects API behavior
  • Platform Capabilities: API limits depend on edition, license type, and org-level platform limits

Sources

Personal study notes for the Salesforce CTA exam. Content compiled from VJ's study notes, official Salesforce documentation, community sources, and online publicly available content, then organized and presented with AI assistance. Not affiliated with Salesforce. © 2025–2026 VJ Srivastava.