Mike McMahon

How to refresh or revoke access/refresh token, when no refresh token available?

I was working in my sandbox environment trying to figure out the API calls - I had saved my refresh token during my testing but it was lost sometime later during my testing.


Now when I try to hit the API I am receiving:


"expired access/refresh token" 


How do I get around this now? I do not have a refresh token so I cannot make a request to refresh my token, and I'm not sure how to expire / delete / revoke it via the UI so that I can proceed with my testing.



My cURL call is as follows:



    --form client_id=3MVG92.u...2KycWe
    --form client_secret=668...930
    --form grant_type=password
    --form password=*#()@*#$@ --proxy --insecure






Hi Mike,


The session lasts as long as it's set in Setup->Administration Setup->Security Controls->Session Settings


By default, the timeout value is set to 2 hours. In case you have lost the refresh token, the code needs to re-authorize using response_type, client_id and return redirect_uri.


On successful authorization, another request with the authorization needs to be sent to the authorization server


The authorization server then responds with a new refresh_token and access_token among other information.


I suggest you go through to understand these flows. Ideally, the code should be able to handle these flows automatically when tokens go missing.


Hope this helps.
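
The re-authorization flow described in the answer above, as an added example that is not part of the original thread and is not Salesforce's own code: it builds the authorize request, checks the callback, prepares the token request, and stores the new refresh token in an owner-only file so it is not lost again. The sandbox endpoint base, the `state` check, the function names and the file layout are assumptions of this example.

```python
import json, os, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption: sandbox orgs authorize against test.salesforce.com.
AUTH_BASE = "https://test.salesforce.com/services/oauth2"

def build_authorize_url(client_id, redirect_uri):
    """Step 1: URL the user opens to re-authorize. Returns (url, state)."""
    state = secrets.token_urlsafe(16)  # ties the later callback to this request
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTH_BASE}/authorize?{query}", state

def code_from_callback(callback_url, expected_state):
    """Step 2: extract the authorization code from the redirect."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    got = params.get("state", [""])[0]
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch; discard this callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def token_request_form(code, client_id, client_secret, redirect_uri):
    """Step 3: form fields to POST to AUTH_BASE + '/token'."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri}

def save_tokens(token_response_json, path):
    """Step 4: persist the refresh token at once; return the access token."""
    tokens = json.loads(token_response_json)
    if "refresh_token" not in tokens:
        raise KeyError("response has no refresh_token")
    # Create with 0600 so other local users cannot read the token.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"refresh_token": tokens["refresh_token"],
                   "instance_url": tokens.get("instance_url")}, fh)
    os.chmod(path, 0o600)  # also tighten a file that already existed
    return tokens["access_token"]
```
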

Seth C.

I don't think you really answered his question. I have the same issue. I failed to "take down" the refresh token when it was generated and I have no way of "starting over" because I can't

- request a new token, that fails

- request a refresh, that fails cause I don't have the refresh token


Thus the only way I've been able to "start over" is to use the My Personal Options -> Reset Security Token screen. This kind of sucks though because it forces me to use a new security token all around, and any other services I had connected to that token stop working. Wish there was a way to correct this issue using some sort of API / OAuth call.