OAuth interactions: do they count as API calls?

After hammering the login.salesforce.com endpoints today (and getting blocked a couple of times), I've established (at least to my satisfaction) that the OAuth interactions around granting access tokens and refreshing them do not count against the API limits.

More specifically, I've hit the following endpoints 1,000 times each today.

  • https://login.salesforce.com/services/oauth2/authorize
  • https://login.salesforce.com/services/oauth2/token (both grant_type=password and grant_type=refresh_token)

... and the results. Unhandled rejection Error

Wait... that's not the result you want, this is. 0 API Usagee

PS. It's also worth noting that grants and token authorisation are not always human interactions, the Username-Password flow requires no user interaction.