Salesforce invalid_grant expired access/refresh token

Trying to debug the Salesforce expired access/refresh token error? Here's how to fix it.

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
  "error": "invalid_grant",
  "error_description": "expired access/refresh token"
}

What can cause this error?

There are several reasons why a Salesforce invalid_grant error with an expired access/refresh token description can happen. Here are a few common causes:

  1. Too many access grants to a Connected App for a given user - Salesforce allows only 5 access grants for a Connected App per user. When the user logs in more than five times, their oldest approval is revoked. For more information, check out this document.

  2. Missing refresh_token or offline_access OAuth 2.0 scope - you must explicitly include either in your authorization request. For more information, check out this document on Salesforce Auth Tokens and Scopes.

  3. "Immediately expire refresh token" is enabled.

Resolutions for the "expired access/refresh token" error

Here are the ways to resolve the Salesforce {"error":"invalid_grant", "error_description": "expired access/refresh token"} error, based on the cause you identify.

1. If you are getting this error because of too many approvals for a user:

Make sure you have fewer than 5 access grants per user. Here are additional suggestions to mitigate this:

  • Do not request a refresh token if you don’t plan on using it

  • Use the OAuth 2.0 JWT Bearer Flow instead of keeping a refresh token obtained through user interaction.

2. If you are getting this error because of missing scopes:

Add refresh_token or offline_access to your list of scopes. Here’s an example request that includes api, id, and refresh_token scopes:

https://MyDomainName.my.salesforce.com/services/oauth2/authorize?
response_type=token&
client_id=$CLIENT_ID&
redirect_uri=$REDIRECT_URI&
scope=api%20id%20refresh_token

3. If you are getting this error due to an incorrect Refresh Token Policy:

In your Salesforce account, go to Apps → Connected Apps → Manage Connected Apps → {{YOUR APP}} → Edit Policies.

Make sure "Refresh token is valid until revoked" is selected.
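The following added example, which is not from the original page and is not Salesforce or Paragon code, applies the causes and resolutions above: it refuses to build an authorization URL without a refresh-capable scope, and it maps the error response to a re-authorization step instead of a retry. The function names and the `action` values are assumptions made for illustration.

```javascript
// Added example: names and return shapes are hypothetical, not a Salesforce or Paragon API.
const REFRESH_SCOPES = ["refresh_token", "offline_access"]; // cause 2 on this page

// Constructed sample: the error body shown at the top of this page.
const SAMPLE_ERROR_BODY =
  '{"error":"invalid_grant","error_description":"expired access/refresh token"}';

// Build the authorization URL from the page's example, but refuse a scope
// list that would leave the app without a refresh token.
function buildAuthorizeUrl(myDomain, clientId, redirectUri, scopes) {
  if (!scopes.some((s) => REFRESH_SCOPES.includes(s))) {
    throw new Error("scope must include refresh_token or offline_access");
  }
  const query = Object.entries({
    response_type: "token",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(" "),
  }).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("&");
  return `https://${myDomain}.my.salesforce.com/services/oauth2/authorize?${query}`;
}

// Map a token-endpoint response (status code + raw body) to the next step.
function classifyTokenResponse(status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return { action: "fail", reason: "unparseable response body" };
  }
  if (body === null || typeof body !== "object") {
    return { action: "fail", reason: "unexpected response body" };
  }
  if (status === 200 && body.access_token) return { action: "ok" };
  if (body.error === "invalid_grant" &&
      body.error_description === "expired access/refresh token") {
    // Resending the same refresh token cannot succeed: drop it and re-authorize.
    return {
      action: "reauthorize",
      reason: body.error_description,
      check: [
        "more than 5 access grants for this user and Connected App",
        "refresh_token / offline_access scope missing from the request",
        '"Immediately expire refresh token" policy enabled',
      ],
    };
  }
  return { action: "fail", reason: body.error || `HTTP ${status}` };
}
```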

Hopefully this helps you solve the {"error":"invalid_grant", "error_description": "expired access/refresh token"} error!

If you want to avoid dealing with auth errors again while building a native Salesforce (or any other) integration for your app, try out Paragon.

Access/refresh token management is handled by Paragon's authentication layer for any 3rd party SaaS integration you need to build, so you can focus on implementing your integration logic instead of fixing errors such as the Salesforce invalid_grant - expired access/refresh tokens error.

With a single paragon.connect('salesforce'); call, the Paragon SDK will handle the entire authorization flow and refresh tokens on behalf of your customers.

<Button onClick={() => paragon.installIntegration("Salesforce")}>
  Install Salesforce Integration
</Button>

Learn more about Paragon's embedded integration platform for developers and sign up for a free trial here.

Ready to get started?

Join 100+ SaaS companies that are scaling their integration roadmaps with Paragon.