Platform SOAP API login() Retirement

Updated - April 30, 2026

Original Publication Date - August 25, 2025

What is the status of SOAP API login()?

SOAP API login() in API versions 31.0 through 64.0 is currently supported.

Salesforce will end support for and retire SOAP API login() in API versions 31.0 through 64.0 with the Summer ’27 release. We recommend that you migrate to External Client Apps and OAuth to authenticate your external applications before that release. See this Release Note.

SOAP API login() is not available in API versions 65.0 and later. See this Release Note.

SOAP API login() is disabled by default in newly created orgs. An admin must enable SOAP API login() in these orgs before it can be used. See this Release Note and documentation.

From the Summer ‘26 release, an additional admin control is in place to secure the use of SOAP API login().  In newly created orgs, once SOAP API login() is enabled, users must have the new Use Any API Auth user permission to authentication using SOAP API login().  In existing orgs admins can optionally enable and disable this enforcement.  See this Release Note and documentation.

Note: API version 30.0 and lower are already retired and unavailable.

Why are we retiring SOAP API login()? 

As part of our ongoing efforts to help customers protect their Salesforce accounts in the current threat landscape, Salesforce is adopting a secure-by-default posture for authenticating external applications that requires the use of External Client Applications. To support this change, the SOAP API login() operation to authenticate with your org is being retired.

What does this SOAP API login() retirement impact? 

This retirement impacts any code, package, application, or integration that authenticates with a Salesforce org using SOAP API login().

What actions do I need to take?

1. Identify any components and applications that use SOAP API login() to authenticate with your org.

2. If the component or application is custom developed by you, then you need to upgrade the component or application to use External Client Apps and OAuth to authenticate.

Salesforce recommends that you use either the OAuth Client Credentials Flow or the OAuth Web Server Flow, depending on your use case.

3. If the component or application is from a Third Party vendor, contact the vendor to upgrade to the version that supports External Client Apps and OAuth.

What happens if I don’t take action?

If components and applications using SOAP API login() are not upgraded by the Summer ‘27 retirement date, then those components and applications will fail to authenticate with your Salesforce org, resulting in all subsequent API calls made by those components and applications to your org failing.

How do I identify affected components and applications?

Create an inventory of all components and applications that use SOAP API login() to authenticate with your org. This can be done using the approaches described below.

First, contact the developers and vendors of these components and applications to determine if they use SOAP API login(). Second, for applications that use SOAP API login(), search the Salesforce logs for those applications to find the usernames of users who logged in. Contact those users to identify the application.

To identify applications making SOAP API login() calls

To identify SOAP API login() calls made by applications, navigate to the “Login History” page within Setup and review the entries with a LoginType field of "Other Apex API" or "Partner Product", and a Login Subtype field of "SOAP API."

The username field identifies the user that the application authenticated using. Contact that user to identify the application.

To identify applications that authenticated using SOAP API login() from API calls

In addition, you can identify applications that use SOAP API login() to authenticate from the API calls they make by reviewing API events in the free API Total Usage EventLogFile that report SOAP, REST, and Bulk API activity. To review these API events you first need to download them to a CSV files using one of the following three methods described below.

The first method is to use the Event Log Browser in your org.  With this, you can browse the API Total Usage event log files on your org and download them as CSV files to view the individual API events.

1. From within Setup, navigate to Security → Event Monitoring → Event Log Browser.  Here you can view the event log files for the last 24 hours (or the last 30 days* if you have purchased and activated Event Monitoring).  You can then download individual event log files as CSV files to view the API events in them.

From within Setup, navigate to Security → Event Monitoring → Event Log Browser.  Here you can view the event log files for the last 24 hours (or the last 30 days if you have purchased and activated Event Monitoring).  You can then download individual event log files as CSV files to view the API events in them.

2. The second method is to use the API Total Usage CSV Tool Extractor provided by Salesforce to automate the download of API Total Usage data on a daily basis to retrieve the last 24 hours of data. This is a Python script that extracts the data in the API Total Usage EventLogFile and downloads it into CSV Files. The Python script uses the Salesforce CLI for authentication and data retrieval. 

3. The third method is to manually use a client such as the Salesforce CLI to run a SOQL query against the EventLogFile object, providing the event log files for the last 24 hours (or the last 30 days* if you have purchased and activated Event Monitoring). 

sf data query -q "SELECT Id, LogFile, EventType, CreatedDate FROM EventLogFile WHERE EventType IN ('ApiTotalUsage')" -o <your-username>

For each result, perform a REST API request to the endpoints in the query result to retrieve the event log data in that event log file*.

/services/data/v65.0/sobjects/EventLogFile/0AT3i000005vXpWGAU/LogFile

Paste the response body into an application to easily inspect the event log data as a CSV file.

When the API events in the API Total Usage EventLogFile have been downloaded to CSV files, review each CSV file to determine the API calls from applications that used SOAP API login() to authenticate. Review all the API Total Usage events where the CONNECTED_APP_ID field is empty*, which indicates that the application used either SOAP API login() or a Session Id to authenticate. The USER_NAME field identifies the user that the application authenticated using. Contact that user to identify the application and then investigate whether the application uses SOAP API login().

*The Event Log Retention period can be increased up to one year through Event Monitoring Settings or using the EventSettings Metadata API.

**If the CONNECTED_APP_ID field is not empty and contains an id, then the id indicates the Connected App or External Client Application that the application used to authenticate.

The API events in the API Total Usage EventLogFile will also indicate API authentication calls to SOAP API login(). These API events will have an API_FAMILY field of “SOAP” and an API_RESOURCE field of “login”.  These API events correspond to the SOAP API login() calls shown on the “Login History” page within Setup as described above.

Which features are impacted by SOAP API login() disabled by default in new orgs?

The features listed below use SOAP API login() and they will be impacted in new orgs where SOAP API login() is disabled by default.  Ensure that SOAP API login() is enabled per the instructions in this Release Note and documentation.

• Salesforce Connect Cross-Org Adapter

• CRMA Connector

Where can I learn about External Client Applications?

Use this trail to learn how to use External Clients Apps to build integrations.

If you have any questions or need assistance, refer to Salesforce Help or contact your Salesforce account team. To view all current and past retirements, see Salesforce Product & Feature Retirements.

For more information about Salesforce’s approach to retiring products and features, read our Product & Feature Retirement Philosophy.