Java library for REST API
Latest commit 8b64d0f Mar 2, 2017 @jesperfj bump version REST API Connector

Lightweight library for building apps with OAuth authentication and data access through the REST API.


Releases are published on Maven Central. Include in your project with:


Build and link locally

$ git clone
$ cd force-rest-api
$ mvn install -DskipTests

The version number is never updated in SCM. So builds will always produce a module with version 0-SNAPSHOT. Add it as a dependency to your local builds with:


To check out the source code for a particular version found in Maven Central, use the corresponding git tag, e.g:

 $ git clone
 $ cd force-rest-api
 $ git checkout force-rest-api-0.0.28

Authentication and Instantiation

API versions API updates its API version with every Salesforce release (3 times per year). The new version is supposed to always be backwards compatible, so in theory it is safe to always use the latest API version. However force-rest-api is designed to be conservative. The API version used may change with new versions of the library, but for a given version of the library, the version will always be ApiVersion.DEFAULT_VERSION unless you explicitly set it to something different. You set the API version when you instantiate an ApiConfig:

ApiConfig mycfg = new ApiConfig().setApiVersionString("v99.0");

You can also use the ApiVersion enum to set the version:

ApiConfig mycfg = new ApiConfig().setApiVersion(ApiVersion.V38);

But the enum may not always have the version you need and there is no particular benefit to using it compared to using a simple String.

Username / Password Authentication

Authenticate using just login and password:

ForceApi api = new ForceApi(new ApiConfig()

OAuth Username/Password Authentication Flow

As documented here

ForceApi api = new ForceApi(new ApiConfig()

OAuth Web Server Flow

As documented here

String url = Auth.startOAuthWebServerFlow(new AuthorizationRequest()
	.apiConfig(new ApiConfig()

// redirect browser to url
// Browser will get redirected back to your app after user authentication at
// with a code parameter. Now do:

ApiSession s = Auth.completeOAuthWebServerFlow(new AuthorizationResponse()
	.apiConfig(new ApiConfig()

ForceApi api = new ForceApi(s.getApiConfig(),s);

Instantiate with existing accessToken and endpoint

If you already have an access token and endpoint (e.g. from a cookie), you can pass an ApiSession instance to ForceApi:

ApiConfig c = new ApiConfig()

ApiSession s = new ApiSession()

ForceApi api = new ForceApi(c,s);

CRUD and Query Operations

Get an SObject

Account res = api.getSObject("Account", "001D000000INjVe").as(Account.class);

This assumes you have an Account class defined with proper Jackson deserialization annotations. For example:

import org.codehaus.jackson.annotate.JsonIgnoreProperties;
import org.codehaus.jackson.annotate.JsonProperty;

public class Account {

	String id;
	String name;
	private Double annualRevenue;
	String externalId;	

	public String getId() { return id; }
	public void setId(String id) { = id; }
	public String getName() { return name; }
	public void setName(String name) { = name; }
	public Double getAnnualRevenue() { return annualRevenue; }
	public void setAnnualRevenue(Double value) { annualRevenue = value; }
	public String getExternalId() { return externalId; }
	public void setExternalId(String externalId) { this.externalId = externalId; }

Create SObject

Account a = new Account();
a.setName("Test account");
String id = api.createSObject("account", a);

Update SObject

a.setName("Updated Test Account");
api.updateSObject("account", id, a);

Create or Update SObject

a = new Account();
a.setName("Perhaps existing account");
api.createOrUpdateSObject("account", "externalId__c", "1234", a);

Delete an SObject

api.deleteSObject("account", id);

Query SObjects

QueryResult<Account> res = api.query("SELECT id FROM Account WHERE name LIKE 'Test account%'", Account.class);

Working with API versions

You can inspect supported API versions and get more detailed info for each version using SupportedVersions:

SupportedVersions versions = api.getSupportedVersions();
System.out.println(versions.oldest());          // prints v20.0
System.out.println(versions.contains("v25.0")); // prints true

The set of supported versions may vary based on where your organization is located. New versions are introduced 3 times a year and are rolled out gradually. During the rollout period, some organizations will have the latest version while others will not. The oldest supported version for REST API is v20.0. Salesforce API versions go further back than v20.0, but REST API does not support those older versions.

There is a direct mapping between season/year and version numbers. You can translate between season/year and version number in this way:

ExtendedApiVersion v = new ExtendedApiversion(ExtendedApiVersion.Season.SPRING, 2012);
System.out.println(v.getVersionString());       // prints v21.0

ExtendedApiVersion is called "Extended" because it goes beyond what ApiVersion offers and can represent more details about an API version, e.g. its season, year and URL base.

Run Tests

This project has a mix of unit tests and integration tests that hit the actual API. To make the integration tests work copy src/test/resources/ to src/test/resources/ and replace the properties in the file with actual values.

Login and password

Add your developer org login and password. Needless to say, don't use credentials for a production org containing sensitive data. If you don't have a developer org, sign up for one. It's free.

Client ID and Secret

Once you have signed up for an org, navigate to the Remote Access Setup:

  • Click on "Admin User" drop-down in upper-right
  • Select Setup
  • In the left-side navigation pane, under "App Setup", click on "Develop"
  • Select "Remote Access"

Now create a new Remote Access Application:

  • Click on "New"
  • Choose any name for your application
  • Choose any callback URL (you'll need to set this properly when web server flow is supported)
  • Choose some contact email
  • Click "Save"
  • Copy "Consumer Key" to the property "clientId" in
  • Click on "Click to reveal" and copy "Consumer Secret" to "clientSecret" in

Add externalId__c to Account SObject

Use the Web UI to add a custom field called externalId__c and mark it as an external ID field:

  • (sorry, you have to figure out how to do this yourself. Will add instructions or automate it later)

Create a second user for IP restrictions test

To test IP restrictions failure handling you need additional test setup:

  • Go to Manage Users --> Profiles and create a new profile based on "Standard Platform User". Call it "IP Restricted User"
  • Set Login IP Ranges for the new profile to something obscure like Hit save and confirm that it's ok even though your user is not logged in from this range.
  • Create a new user and reset password
  • Log in as the new user and generate a security token
  • Set username and password (with token appended) in
  • Log back in with the admin user and go to Manage Users --> Profiles

Run Tests

Now run tests with

$ mvn test

You will see some log messages that look like errors or warnings. That's expected and does not indicate test failures.

Interactive end-to-end OAuth handshake Test

This test is not run as part of the test suite because it requires manual intervention. Run it like this:

mvn -Dtest=com.force.api.EndToEndOAuthFlowExample test

Cutting a Release

This project now uses Alex Fontaine's release process because the release plugin is a pretty insane piece of software that should never exist. The pom.xml version number checked into SCM is always 0-SNAPSHOT. Mapping releases back to source code now relies on git tags only.

The project is set up to release to Maven Central. If you have forked it and want to deploy your own version, you will need to update groupId and set up your own Sonatype credentials and GPG. Assuming this is all correctly set up. Here's how you cut a new release:

First ensure all your code is checked in (with git status or the like). Then run tests one extra time and also test javadoc generation since it's easy to introduce errors in javadoc comments that will break the deploy:

$ mvn test javadoc:javadoc

Now find the latest version number with git tag (or in Maven central depending on what you trust most). Bump the version number to that plus one:

$ mvn versions:set -DnewVersion=<new-version>

For example:

$ mvn versions:set -DnewVersion=0.0.50

This will update pom.xml locally to the new version and leaving it uncommitted (which is what you want). Now run

$ mvn scm:tag

This tags the local and remote repository with the full module name, e.g. force-rest-api-0.0.50. Now deploy:

$ mvn clean deploy -DperformRelease

When you're done, reset the local version change to pom.xml with:

$ mvn versions:revert

Just as a validation, try to push local changes including tags:

$ git push origin master --tags

There should be nothing to push. If something is messed up, delete the tags in Github and in your local repo and start over.

Release History


  • Remove specific response code checks from generic REST api calls. Different resources may return different response codes on the same verb, e.g. POST to chatter resources returns 201, but POST to /process/approvals/ return 200. The library already checks the bounds of the response code and throws an exception if it is not between 200 and 299. The strict check on response codes is considered a bug introduced in 0.0.35 and fixed with this release.


  • Introduced SessionRefreshListener so you can register a listener and be notified when ForceApi refreshes the access token. See the test for sample code.


  • Introduced generic REST api calls get, delete, post, put and patch on ForceApi for any arbitrary path. This allows force-rest-api to be used for the many non-sObject resources exposed in REST API. See ChatterTest for an example.
  • Added getSession() convenience method on ForceApi as requested by several people. It took me a little while to become comfortable with it.
  • Added curlHelper() convenience method on ForceApi to easily print a curl command string with valid access token for debugging purposes.


  • Introduced ForceApi.getSupportedVersions and friends to enabled more advanced version handling. Thanks to @cswendrowski for the contributions. See "Working with API versions" in this README.


  • Update to Salesforce API v39


  • Add explicit authentication error handling. Addresses issue #32


  • Update to v37
  • Add queryAll


  • Fix NullPointerException in ApiConfig.setForceURL. Thanks steventamm.


  • Update to API version 36


  • No feature changes
  • Project now configured to release to Maven Central
  • No longer uses maven-release-plugin
  • Version number in source code is always 0-SNAPSHOT
  • Use git tags to map from Maven Central version to corresponding source code


  • Upgrade to Jackson 2. Thanks to emckissick for the pull request.


  • Include Javadoc in release jars


  • Made various fixes to get tests passing again after a long period of inactivity
  • end-to-end oauth test has been renamed to exlude it from test suite. Run it manually instead. It no longer uses HtmlUnit but instead requires manual intervention
  • ApiVersion is now up to date up to v33.0.
  • API version can now be set as a string. Setting it as an ApiVersion enum has been deprecated. There doesn't seem to be much value in strongly typing the api version.


  • thysmichels noticed that Spring 14 broke this library because was set to strictly map to the underlying JSON resource. This class now uses ignoreUnknown=true so it should be more robust to changes.



  • Some relationship queries work now. See QueryTest for an example.
  • Tested with Jackson 1.9.7


  • Modified deserialization of query results to better supper queries that return graphs of records.


  • Added more testing, including an end-to-end oauth flow test using HtmlUnit
  • Scope is now an enum


  • ApiSession now serializable, so it can be cached in Memcached and similar


  • Fixed bug in DescribeSObject. Had inlineHelpText as boolean instead of String


  • More complete DescribeSObject. Can now be used to generate Java classes. An example can be found in the tests based on PojoCodeGenerator


  • 0.0.11 broke describeSObject. Fixed now and added test


0.0.10 was botched. Missed a checkin


  • Basic exceptions
  • Some internal refactorings
  • First attempt at session renewal


  • Minimalistic Describe


  • Added revoke support (read more)
  • Refactored refreshToken out of ApiConfig


  • Added support for OAuth refresh_token flow
  • Added a bit more debug info to createSObject
  • Should work with Jackson 1.9.1 and 1.9.2. Both are accepted in the version range


  • Tested with Winter '12, API version 23
  • Requires (and explicitly declares dependency on) Jackson 1.9.1. Not tested with other Jackson versions.
  • Basic CRUD and query functionality for SObjects
  • OAuth functionality that covers all options
  • Only happy path tested, almost no error scenarios or edge cases covered except for some sporadic debug output
  • Focused on typed access. But you must build SObject classes manually for now (or use builders available elsewhere)

Project Goals:

  • Make it as thin as possible
    • Status: Both ForceApi and Auth classes are very thin wrappers on top of the APIs.
  • Few or no dependencies
    • Status: Currently only depends on Jackson. Could consider supporting gson as well for added flexibility
  • Other projects will handle generation of typed SObject classes and it should work here
  • Automatic session renewal
    • Status: Added in 0.0.10 and testable in 0.0.12. Waiting for feedback to see if it works.
  • Pluggable JSON kit
    • Status: Not yet. This is currently low priority
  • Make sure it's Spring friendly. This solution may be necessary.
    • Status: No Spring work has been done yet
  • Consider adding newrelic hooks.


BSD 2-clause license


Jesper Joergensen