Trying to debug the Salesforce expired access/refresh token error? Here's how to fix it.
What can cause this error?
There are several reasons why a Salesforce invalid_grant error with an expired access/refresh token description can happen. Here are a few common causes:
Too many access grants to a Connected App for a given user - Salesforce allows only 5 access grants for a Connected App per user. Once the user logs in more than five times, their oldest approval is revoked. For more information, check out this document.
Missing refresh_token or offline_access OAuth 2.0 scope - you must explicitly include either in your authorization request. For more information, check out this document on Salesforce Auth Tokens and Scopes.
"Immediately expire refresh token" is enabled.
Resolutions for the "expired access/refresh token" error
Here are the ways to resolve the Salesforce {"error":"invalid_grant", "error_description": "expired access/refresh token"} error based on the cause you identify.
1. If you are getting this error because of too many approvals for a user:
Make sure you have fewer than 5 access grants per user. Here are additional suggestions to mitigate this:
Do not request a refresh token if you don’t plan on using it.
Use the OAuth 2.0 JWT Bearer Flow instead of keeping a refresh token obtained through user interaction.
2. If you are getting this error because of missing scopes:
Add refresh_token or offline_access to your list of scopes. Here’s an example request that includes api, id, and refresh_token scopes:
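An added example, not taken from the original page or from Salesforce: it builds the authorization request with the api, id, and refresh_token scopes, rejects a scope list that would not yield a refresh token, and recognises the error body this page discusses. The login.salesforce.com host, the function names, and the client ID, redirect URI and state values are assumptions and placeholders.

```javascript
// Assumption: production login host; all client values below are constructed placeholders.
const AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize";

// Either of these scopes must be requested explicitly to receive a refresh token.
const REFRESH_SCOPES = ["refresh_token", "offline_access"];

// Build the authorization-code request URL, failing early on the missing-scope cause.
function buildAuthorizeUrl({ clientId, redirectUri, scopes, state }) {
  if (!scopes.some((s) => REFRESH_SCOPES.includes(s))) {
    throw new Error("scope list must include refresh_token or offline_access");
  }
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(" "), // OAuth 2.0 scopes are space-delimited
    state, // must be unpredictable per request in real use
  }).toString();
  return url.toString();
}

// True only for the token-endpoint error body discussed on this page.
function isExpiredGrant(responseBody) {
  let parsed;
  try {
    parsed = JSON.parse(responseBody);
  } catch {
    return false; // not JSON, so not this error
  }
  return (
    parsed !== null &&
    typeof parsed === "object" &&
    parsed.error === "invalid_grant" &&
    parsed.error_description === "expired access/refresh token"
  );
}

// Constructed sample request with the api, id, and refresh_token scopes.
const exampleUrl = buildAuthorizeUrl({
  clientId: "EXAMPLE_CONSUMER_KEY",
  redirectUri: "https://app.example.com/oauth/callback",
  scopes: ["api", "id", "refresh_token"],
  state: "constructed-state-value",
});
console.log(exampleUrl);
```

When isExpiredGrant returns true for a refresh attempt, the stored refresh token is no longer usable and the user has to go through the authorization request again.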
3. If you are getting this error due to incorrect Refresh Token Policy:
In your Salesforce account, go to Apps → Connected Apps → Manage Connected Apps → {{YOUR APP}} → Edit Policies.
Make sure Refresh token is valid until revoked is selected.
Hopefully this helps you solve the {"error":"invalid_grant", "error_description": "expired access/refresh token"} error!
If you want to avoid dealing with auth errors again while building a native Salesforce (or any other) integration for your app, try out Paragon.
Access/refresh token management is handled by Paragon's authentication layer for any 3rd party SaaS integration you need to build, so you can focus on implementing your integration logic instead of fixing errors such as the Salesforce invalid_grant - expired access/refresh tokens error.
With a single paragon.connect('salesforce'); call, the Paragon SDK will handle the entire authorization flow and refresh tokens on behalf of your customers.
Learn more about Paragon's embedded integration platform for developers and sign up for a free trial here.