APEX REST + oAuth

We are building an integration between SFDC and a custom iPhone application.  The system has the following high-level requirements:

1) SFDC will stand up a custom API for communication with the iPhone.  Apex REST web services will be used.

2) oAuth will be used for the iPhone to authenticate into SFDC.

There were enough nuances in building the application that I thought this subject deserved its own post.  I use a few tools as a test client for the API:

1) Firefox RESTClient (I will illustrate this in the blog entry)

2) cURL (this is a little finicky, especially in Windows)

3) Custom Java application (perhaps a later post can be on the client side.  It is just a test harness though)

Step 1 – Building the custom RESTful API

I am going to make the round-robin on this system as simple as possible.  So all this API will do is return a SOQL query of all accounts in the system.  The API is not bulkified or tested, so keep that in mind as you build your actual production application.


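@RestResource(urlMapping='/resttest1/*') // placeholder mapping; the post's actual value is not shown
global with sharing class resttest1 {
    @HttpGet global static List<Account> doGet() {
        return Database.query('select AccountNumber from Account');
    }
}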

@RestResource – defines the endpoint that we will later use to hit the URL of the custom API.

@HttpGet – defines the function to be called when issuing an HTTP GET command from the client.

return Database.query(…); – Apex REST will automatically handle the serializing of this list into JSON or XML format.

Upon saving (and successful compilation) the APEX class generates the RESTful endpoint.  That’s it!

Step 2 – Set Up SFDC to be an oAuth provider

External applications could utilize a session variable or oAuth to authenticate into the API.  I am using oAuth: I can’t determine any other way to authenticate myself using solely RESTful styles.  Session based authentication would require me to use the Enterprise WSDL and a SOAP client to login first.


After creating a remote access record, you are given your oAuth consumer key and oAuth consumer secret.  Those are required in the client application to authenticate.


That’s it – you are ready to connect to the web service.   Pretty easy!

Step 3 – Accessing the RESTful web service using RESTClient

I love using Firefox’s RESTClient Add-on.  It is a perfect debugging tool for issuing RESTful commands and processing the return.


The next step is to authenticate into SFDC.  Using RESTClient, “POST” to the following URL:
  • where ABCDEF is the consumer key from above
  • where 1234567890 is the consumer secret above
  • where USERNAME@CLOUDPREMISE.COM is the user you want to log in as
  • where SFDCPW&TOKEN is the user’s password and security token appended together
Use the following HTTP Headers:
  • Accept: */* (Lack of this header returns the response in XML for some reason)
  • X-PrettyPrint: 1 (optional – will help you to read the response)

After POSTing this to SFDC, you should receive a response such as:


Take note of the following parameters in the response:

  • “instance_url” (all future HTTP requests would be made to this URL location)
  • “access_token” : “00DE000……” (all subsequent http requests should include this as the oAuth authentication token)
Now you are ready to call your web service.  Because the web service annotation was @HttpGet, you need to use a GET command:
  • URL=
  • Headers:
    • Accept: */*
    • X-PrettyPrint: 1 (Optional – If you want to be able to read the response)
    • Authorization: OAuth 00DE000….
Voilà – you have built a RESTful integration to SFDC.
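
The two requests from Step 3, built with Python's standard library as an added example (not code from the original post). It assumes the standard Salesforce token endpoint on login.salesforce.com, the username-password grant, and a hypothetical `/resttest1` mapping; the credentials are sent in the form body rather than in the URL, which keeps them out of URL logs and correctly escapes a `&` inside the password value.

```python
import json
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Assumption: standard Salesforce production token endpoint (not shown in the post).
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
# Constructed sample of a token response; the values are not real.
SAMPLE_RESPONSE = ('{"instance_url": "https://instance.example/", '
                   '"access_token": "00DE000-constructed"}')

def build_token_request(consumer_key, consumer_secret, username, password_and_token):
    """POST for the username-password grant, secrets in the form body only."""
    body = urlencode({  # urlencode escapes '&', '@', '+' etc. inside values
        "grant_type": "password",
        "client_id": consumer_key,
        "client_secret": consumer_secret,
        "username": username,
        "password": password_and_token,
    }).encode("ascii")
    headers = {"Accept": "*/*", "Content-Type": "application/x-www-form-urlencoded"}
    return Request(TOKEN_URL, data=body, headers=headers, method="POST")

def parse_token_response(raw):
    """Return (instance_url, access_token); fail on error replies or non-HTTPS."""
    doc = json.loads(raw)
    if "error" in doc:
        raise ValueError("token request failed: %s" % doc["error"])
    instance_url, token = doc["instance_url"], doc["access_token"]
    if urlsplit(instance_url).scheme != "https":
        raise ValueError("refusing to send the token to a non-HTTPS instance_url")
    return instance_url.rstrip("/"), token

def build_api_request(instance_url, access_token, mapping="/resttest1"):
    """GET against the Apex REST class; mapping is a hypothetical urlMapping."""
    headers = {"Accept": "*/*", "X-PrettyPrint": "1",
               "Authorization": "OAuth " + access_token}
    return Request(instance_url + "/services/apexrest" + mapping,
                   headers=headers, method="GET")

if __name__ == "__main__":
    tok_req = build_token_request("ABCDEF", "1234567890",
                                  "USERNAME@CLOUDPREMISE.COM", "SFDCPW&TOKEN")
    print(tok_req.get_method(), tok_req.full_url)  # body is not printed: it holds secrets
    url, token = parse_token_response(SAMPLE_RESPONSE)
    api_req = build_api_request(url, token)
    print(api_req.get_method(), api_req.full_url)  # send with urllib.request.urlopen
```
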

Using this method you can now:

  1. Write an actual production web service
  2. Write an actual client that can easily access the methods of the web service

It is very simple and very powerful.  Have fun!

ApexRest is generally new and I have found the documentation to be sub-par.  However, here is what I used to find my way around: (Official site) (Official documentation) (CloudSpokes has some great coverage) (Official forums) (Model Metrics has a good blog posting on oAuth with SFDC)
