Introduction to Force.com REST API

If you’re stepping into the Salesforce ecosystem as a developer or admin, there’s one topic that keeps coming up in job descriptions, project discussions, and certification exams: the Force.com REST API. And for good reason — it’s the backbone of almost every modern Salesforce integration.

But for many beginners, the word “API” can feel intimidating. You might be wondering: What exactly is it? How does it work? And where do I even start?

This guide gives you a clear, practical introduction to Force.com REST API — from core concepts to authentication flows to making your first HTTP call. By the end, you’ll understand not just what it does, but how to start using it confidently in your own projects.

At its core, the Force.com REST API is a web service interface that allows external applications to communicate with your Salesforce organization over HTTP. It follows the REST (Representational State Transfer) architectural style, which means it uses standard HTTP methods — GET, POST, PATCH, and DELETE — to interact with Salesforce data and metadata.

Think of it this way: Salesforce stores your CRM data — Accounts, Contacts, Opportunities, and more. The REST API is the bridge that lets any external system (a web app, a mobile app, an ERP) access, create, update, or delete that data securely and programmatically.

Why REST and Not SOAP?

Salesforce also offers a SOAP API, which is older and more verbose. REST is generally preferred today because:

  • It’s lighter and faster, especially for mobile and web applications
  • Requests and responses use JSON (though XML is also supported), which is easy to read and work with
  • It’s simpler to implement across programming languages like Python, Java, JavaScript, and Node.js
  • It’s well-suited for modern cloud-to-cloud integrations

That said, both APIs share the same underlying data model and limits, so concepts you learn in one transfer to the other.

Key Characteristics of the Force.com REST API

Before diving into authentication and requests, it helps to understand the architectural principles that make the REST API behave the way it does.

Stateless: Every request must carry all the information the server needs to process it. The server doesn’t remember previous requests. This keeps interactions clean and scalable.

Uniform Interface: All resources are accessed through standard HTTP methods over a consistent URL structure. Once you understand the pattern, navigating the API becomes predictable.

JSON and XML Support: JSON is the default response format and is used in most integrations today. You can request XML responses by setting the Accept header or appending .xml to the URI.

Named Resources via URIs: Every piece of data in Salesforce — an Account, a list of objects, a SOQL query — is accessible through a unique URI. For example:

https://yourInstance.salesforce.com/services/data/v60.0/sobjects/Account/

Friendly URLs: From API version 36.0 onward, you can traverse object relationships directly through the URL path, reducing the number of API calls needed. For instance, accessing a Contact’s parent Account can be done in a single call using a relationship path instead of two separate requests.

Layered Architecture: Proxy servers, gateways, and caching layers can sit between your app and Salesforce, enabling enterprise-grade infrastructure patterns.

Understanding Authentication: OAuth 2.0

This is where most beginners get stuck — and it’s also one of the most important things to get right. The Force.com REST API uses OAuth 2.0 for authentication, which means your application never handles a user’s Salesforce password directly. Instead, it obtains an access token that acts like a session key.

Step 1: Create a Connected App

Before you can make any API call, you need to register your application in Salesforce as a Connected App. This is done in Setup:

  1. Go to Setup → Apps → New Connected App
  2. Enter your app name and contact email
  3. Enable OAuth Settings and provide a Callback URL (must use HTTPS)
  4. Select the appropriate OAuth scopes (permissions your app needs)
  5. Save — Salesforce generates a Consumer Key and Consumer Secret

These two values are your app’s identity credentials for authenticating with Salesforce.

The Three Main OAuth Flows

Once your Connected App is set up, you choose one of three authentication flows depending on your scenario:

1. Web Server Flow — Used when your app runs on a secure server that can protect the Consumer Secret. The user logs into Salesforce via a browser redirect, grants permission, and your server exchanges an authorization code for an access token. This is the most secure and commonly used flow.

2. User-Agent Flow — Used for client-side apps (like JavaScript in a browser or mobile apps) where the Consumer Secret cannot be kept confidential. The access token is returned directly in the redirect URL after the user authorizes.

3. Username-Password Flow — The simplest flow, where your app sends credentials (username, password + security token) directly to Salesforce in exchange for an access token. Useful for server-to-server integrations or testing, but it doesn’t issue a refresh token, so it requires re-authentication when the token expires.

Once you receive an access_token, every subsequent API call includes it in the request header like this:

Authorization: Bearer your_access_token_here
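
The Web Server Flow described above, as an added example (not code from this guide or from Salesforce): it builds the browser redirect, validates the callback, and prepares the server-side code exchange. The `state` check, the function names, and the callback URL are assumptions of this sketch.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def build_authorize_url(consumer_key, callback_url):
    """Return (url, state); store state in the user's server-side session."""
    if not callback_url.startswith("https://"):
        raise ValueError("callback URL must use HTTPS")
    state = secrets.token_urlsafe(32)  # unguessable value, one per login attempt
    query = urlencode({
        "response_type": "code",
        "client_id": consumer_key,
        "redirect_uri": callback_url,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(redirect_url, expected_state):
    """Check the redirect sent back to the callback and return the code."""
    params = parse_qs(urlsplit(redirect_url).query)
    if "error" in params:
        raise PermissionError("authorization denied: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback not tied to this session")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request_body(code, consumer_key, consumer_secret, callback_url):
    """Form body to POST to TOKEN_URL from the server, never from the browser."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": consumer_key,
        "client_secret": consumer_secret,
        "redirect_uri": callback_url,
    })
```

The Consumer Secret only ever appears in the server-to-server POST, which is why this flow suits apps that can keep it confidential.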

Force.com REST Resources: What Can You Actually Do?

The real power of the Force.com REST API shows up when you see everything it lets you access. REST resources are organized around URIs, and each resource maps to a specific operation or dataset.

Common REST Resources and Use Cases

Versions Resource — Lists all available API versions. No authentication required:

curl https://yourInstance.salesforce.com/services/data/

SObject Basic Information — Retrieves metadata about a specific Salesforce object, such as Account or Contact.

SObject Rows — The workhorse of the API. Used to create, read, update, and delete individual records using their Salesforce ID.

Query Resource — Execute SOQL queries against your org’s data:

GET /services/data/v60.0/query?q=SELECT+Id,Name+FROM+Account+LIMIT+10

Search Resource — Run SOSL (Salesforce Object Search Language) searches across multiple objects simultaneously.

SObject Relationships — Traverse related records using friendly URL patterns, reducing the need for multiple API calls.

Composite Resources — A powerful feature that lets you batch multiple API requests into a single HTTP call. This is invaluable for performance optimization when you need to create nested records or perform several operations in sequence.

Making Your First REST API Call: A Step-by-Step Walkthrough

Let’s walk through the process of making an actual API call using cURL — a command-line tool available on Linux, Mac, and Windows.

Step 1: Get Your Access Token

Using the Username-Password flow (suitable for testing):

curl https://login.salesforce.com/services/oauth2/token \
  -d "grant_type=password" \
  -d "client_id=YOUR_CONSUMER_KEY" \
  -d "client_secret=YOUR_CONSUMER_SECRET" \
  --data-urlencode "username=YOUR_USERNAME" \
  --data-urlencode "password=yourPasswordPlusSecurityToken"

The response includes an access_token and instance_url.

Step 2: List Available API Versions

curl https://yourInstance.salesforce.com/services/data/ \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Step 3: Query Account Records

curl "https://yourInstance.salesforce.com/services/data/v60.0/query?q=SELECT+Id,Name+FROM+Account+LIMIT+5" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Step 4: Create a New Record

curl https://yourInstance.salesforce.com/services/data/v60.0/sobjects/Account/ \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"Name": "MyTutorialRack Test Account"}'

Step 5: Update an Existing Record

curl https://yourInstance.salesforce.com/services/data/v60.0/sobjects/Account/ACCOUNT_ID \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -X PATCH \
  -d '{"BillingCity": "Chennai"}'

If the update is successful, Salesforce returns a 204 No Content status — no body, just confirmation.

Apex REST vs. Force.com REST API: What's the Difference?

This is a common point of confusion for developers new to Salesforce. Here’s a quick distinction:

  • Force.com REST API (also called Salesforce REST API): A built-in API provided by Salesforce that gives you access to standard Salesforce objects and operations.
  • Apex REST: A feature that lets you build your own custom REST endpoints using Apex code. You define the URL path, the HTTP method it responds to, and the logic it executes. This is useful when you need a custom integration endpoint that goes beyond what the standard API provides.

Both use HTTP, JSON, and OAuth — but they serve different purposes. The Force.com REST API is for consuming Salesforce data; Apex REST is for exposing custom Salesforce logic to the outside world.

Common Mistakes Beginners Make

1. Forgetting to append the security token to the password. In the username-password OAuth flow, your password must include your security token at the end (e.g., mypassword + XXXXXXXXXX). Without it, authentication fails.

2. Using HTTP instead of HTTPS. All Salesforce OAuth endpoints require secure HTTP (HTTPS). HTTP connections are rejected.

3. Ignoring API limits. Every Salesforce org has a daily API request limit. Monitor your DailyApiRequests usage via the Limits resource and plan your integration accordingly to avoid hitting the ceiling.

4. Making unnecessary multiple calls. Use Composite Resources or Friendly URLs to consolidate what could be several API calls into one. This improves performance and keeps you well within your org’s limits.

5. Hardcoding access tokens. Access tokens expire. Implement token refresh logic using the refresh_token from OAuth flows so your integration doesn’t break in production.
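
One way to implement the refresh logic from mistake 5, as an added example (not code from this guide or from Salesforce): a session object that renews the access token once when a call is rejected with 401, then retries. The `send` transport hook, the class name, and the environment variable names `SF_CONSUMER_KEY` and `SF_CONSUMER_SECRET` are assumptions.

```python
import json
import os
from urllib.parse import urlencode

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


class SalesforceSession:
    """Keeps tokens in memory and renews the access token when it is rejected.

    send(method, url, headers, body) -> (status, body_text) is a hypothetical
    transport hook; wire it to the HTTP library you use.
    """

    def __init__(self, send, instance_url, access_token, refresh_token,
                 env=os.environ):
        self.send = send
        self.instance_url = instance_url
        self.access_token = access_token
        self.refresh_token = refresh_token
        # Connected App credentials come from the environment, not source code.
        self.client_id = env["SF_CONSUMER_KEY"]
        self.client_secret = env["SF_CONSUMER_SECRET"]

    def refresh(self):
        form = urlencode({
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, text = self.send("POST", TOKEN_URL, headers, form)
        if status != 200:
            raise PermissionError(f"token refresh failed with HTTP {status}")
        self.access_token = json.loads(text)["access_token"]

    def request(self, method, path, body=None):
        url = self.instance_url + path
        for attempt in (1, 2):
            headers = {"Authorization": "Bearer " + self.access_token}
            if body is not None:
                headers["Content-Type"] = "application/json"
            status, text = self.send(method, url, headers, body)
            if status != 401 or attempt == 2:
                return status, text
            self.refresh()  # expired or revoked token: renew once, then retry
```

A second 401 after a successful refresh is returned to the caller instead of looping, so a revoked grant surfaces as an error.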

Why the Force.com REST API Matters in 2026 and Beyond

The Salesforce ecosystem continues to grow rapidly, and with it, the demand for developers who understand how to connect Salesforce with external systems. Whether you’re building a mobile app that syncs with CRM data, integrating an ERP with Salesforce Opportunities, or building a custom portal on top of Salesforce — REST API knowledge is non-negotiable.

Integration skills are now one of the highest-valued competencies in the Salesforce job market. Roles like Salesforce Developer, Integration Architect, and Technical Consultant consistently list REST API proficiency as a core requirement. If you’re aiming for the Salesforce Platform Developer I (PDI) certification or the Integration Architecture Designer credential, REST API concepts will appear in your exam and in your daily work.

Beyond careers, real-world Salesforce implementations rarely live in isolation. Businesses need their CRM to talk to their marketing platforms, accounting software, ticketing systems, and custom apps. Knowing the REST API gives you the power to design and build those integrations end to end.

Conclusion: Start Small, Think Big

The Force.com REST API can feel overwhelming at first — OAuth flows, HTTP methods, JSON payloads, URI structures. But once you break it down step by step, it’s a remarkably consistent and learnable system.

Start with a Developer Edition org, create a Connected App, and make your first cURL request. From there, the learning curve flattens quickly. Every integration project you build from this foundation will deepen your understanding and sharpen your skills.

The goal isn’t just to know what the REST API is — it’s to use it with confidence in real projects.

Ready to Go Deeper? Build Job-Ready Integration Skills

Understanding the REST API conceptually is just the first step. The real growth comes from applying it in hands-on, real-world integration projects — the kind that actually appear in Salesforce interviews and client implementations.

If you’re serious about mastering Salesforce integrations — including REST API callouts from Apex, working with external authentication, handling error responses, and building end-to-end integration patterns — check out the Salesforce Integration With External Systems course on MyTutorialRack.

This course is built for Salesforce professionals who want to move beyond theory and develop the practical, job-ready skills that employers and clients are looking for. You’ll work through real-world scenarios, write actual integration code, and walk away with portfolio-ready projects that demonstrate your ability to build and manage Salesforce integrations from scratch.

Whether you’re preparing for a developer role, upskilling for a certification, or looking to differentiate yourself in a competitive market — this is the course that bridges the gap between knowing and doing.
