Salesforce Error Solutions

Salesforce invalid_grant expired access/refresh token

Trying to debug the Salesforce expired access/refresh token error? Here's how to fix it.

What can cause this error?

There are several reasons why a Salesforce `invalid_grant` error with an `expired access/refresh token` description can happen. Here are a few common causes:

  1. Too many access grants to a Connected App for a given user - Salesforce allows only 5 access grants for a Connected App per user. Once the user logs in more than five times, their oldest approval is revoked. For more information, check out this document.
  2. Missing `refresh_token` or `offline_access` OAuth 2.0 scope - you must explicitly include one of them in your authorization request. For more information, check out this document on Salesforce Auth Tokens and Scopes.
  3. "Immediately expire refresh token" is enabled.

Resolutions for the "expired access/refresh token" error

Here are the ways to resolve the Salesforce `invalid_grant` error based on the cause you identify.

1. If you are getting this error because of too many approvals for a user:

Make sure you have fewer than 5 access grants per user. Here are additional suggestions to mitigate this:

  • Do not request a refresh token if you don’t plan on using it.
  • Use the OAuth 2.0 JWT Bearer Flow instead of keeping a refresh token obtained through user interaction.

2. If you are getting this error because of missing scopes:

Add `refresh_token` or `offline_access` to your list of scopes. Here’s an example request that includes `api`, `id`, and `refresh_token` scopes:
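An added example (not code from the original page, from Salesforce, or from Paragon) that builds an authorization request with the `api`, `id` and `refresh_token` scopes and maps a token-endpoint error body to the causes listed above. The client ID, redirect URI and function names are constructed placeholders; the host is the standard production login endpoint, and the `state` value is an added anti-CSRF measure.

```python
import json
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
REFRESH_SCOPES = {"refresh_token", "offline_access"}


def build_authorize_url(client_id, redirect_uri, scopes):
    """Build the authorization-code request; reject scope lists that cannot
    yield a refresh token (cause 2 on this page)."""
    if not REFRESH_SCOPES & set(scopes):
        raise ValueError("scope must include refresh_token or offline_access")
    state = secrets.token_urlsafe(16)  # store it and compare on the callback
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-separated, per OAuth 2.0
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def diagnose_token_response(body):
    """Return the checks to run for a token-endpoint JSON body."""
    data = json.loads(body)
    description = data.get("error_description", "")
    if data.get("error") == "invalid_grant" and "expired access/refresh token" in description:
        return [
            "more than 5 access grants for this user and Connected App",
            "refresh_token / offline_access scope missing from the authorization request",
            '"Immediately expire refresh token" policy is enabled',
        ]
    if "access_token" in data and "refresh_token" not in data:
        return ["no refresh token issued: check the requested scopes"]
    return []


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url, _state = build_authorize_url(
        "CONSTRUCTED_CLIENT_ID", "https://app.example.com/oauth/callback",
        ["api", "id", "refresh_token"])
    print(url)
    sample = '{"error":"invalid_grant","error_description":"expired access/refresh token"}'
    for check in diagnose_token_response(sample):
        print("check:", check)
```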

3. If you are getting this error due to an incorrect Refresh Token Policy:

In your Salesforce account, go to Apps → Connected Apps → Manage Connected Apps → {{YOUR APP}} → Edit Policies.

Make sure "Refresh token is valid until revoked" is selected.

Hopefully this helps you solve the `invalid_grant` - `expired access/refresh token` error!

If you want to avoid dealing with auth errors again while building a native Salesforce (or any other) integration for your app, try out Paragon.

Access/refresh token management is handled by Paragon's authentication layer for any third-party SaaS integration you need to build, so you can focus on implementing your integration logic instead of fixing errors such as the Salesforce `invalid_grant` - expired access/refresh token error.

With a single `paragon.connect('salesforce');` call, the Paragon SDK handles the entire authorization flow and refreshes tokens on behalf of your customers.

Learn more about Paragon's embedded integration platform for developers and sign up for a free trial here.
