Agentforce Headless 360: The API Quota & Security Risks Nobody Mentions
I’ve spent the last few weeks going deep on the Headless 360 documentation and auditing early deployment patterns. And I keep having the same conversation with architects who built it and leadership who approved it where I ask one question and get the same uncomfortable pause. “What’s your API quota strategy for when the agent is live?” Silence. Then: “We assumed it would be fine.” That assumption is the problem. Headless 360, announced at Salesforce TDX in April 2026, is a genuinely significant platform shift - it opens your entire CRM to AI agents via APIs, MCP tools, and CLI commands, no browser required. The marketing is compelling. The demo is clean. What the launch deck doesn’t show you is what happens on day one when real users start talking to your agent, or what happens when someone figures out your agent will do whatever it’s told by anyone. ...