
Session expired or invalid immediately after successful OAuth login

Hey everyone,


I'm working on an application, and I got the OAuth2 workflow working right away, but I've been struggling with making requests afterward.


I get the access_token and instance_url back, and when I make a call like this:



curl -v https://__instance_id__ (na7) -H "Authorization: OAuth access_token_from_earlier"


the server responds with a 401 with the following body:

[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]


I've scoured the forum for solutions already, and made sure that I have API access turned on, signed up for the REST API through the developer preview form, but am still having errors all over the place.


Any help would be greatly appreciated.




What's your access token look like?  You should mess up at least one of the characters so you're not posting a usable access token here (wouldn't want anybody to steal your org).


here's my token (a few chars off, for reasons you've described):




Looks like you escaped the ! sign into %21.  Don't do that.  Try replacing %21 with ! and send it again (you may have to escape the ! in your shell).


Still getting the same error with this curl call:


curl -v -H "Authorization: OAuth 00DA0000000A5PO\\!AR8AQDhmqnLeeN6EFBl2uVFBOp.iBJPA1l3k8xptxcABMPjZZasNES_ynyJ3i3iv9meJjWKMBz0QskG0jvq8Xo4Q3BC.OvHU"
Thanks for the help :)



Can you PM me your actual token you're getting?  I work for salesforce.  I promise not to do anything bad. :)


The escaping and quoting will drive you nuts. IIRC, use single quotes and don't escape anything in the sid, or stick it in an env variable and reference that (which is what I normally do).


I am still facing the same problem. I am using curl on windows. What could be the problem? Appreciate your help.




I figured out the problem. had the solution.


Note from Pat Patterson provided the solution I was looking for. The salesforce instance should be the instance_url you got along with access_token (something like, not Thanks Pat



Aboorvaraja Ramar

I faced a similar issue. We were passing ConsumerKey, ConsumerSecret, username and password.

It was working fine initially. After 3 months we faced the session ID issue. We tried and spent around 1 month to resolve it.

Solution for this issue:

Concatenate the security token with your existing password. Security token will be created for a user.

Sample: passwordsecuritytoken

We tried this option and it worked successfully.
Paul Oginni 2
I faced the same problem.

I was using the API to obtain a token, and I started getting the same error message after a while. I still haven't figured out what caused it, but I'm using a workaround for now.

I tried Aboorvaraja Ramar's solution, but that did not fix it for me.
Amit Ghodke 4
What was the workaround? API access is enabled for the profile. 
Ayisha Begum
I had to switch on "Follow Authorization header" in Postman under "Settings" for the REST endpoints to work. I was using a Bearer Token generated through oAuth.

I think there is some sort of redirect happening during the request during which the token is lost if you do not choose this option.

Fermin Esquivel
Hi @Ayisha your response was helpful for me :)
Jill Hertzman 17
@Ayisha Begum, thank you. That did it for me.
Eduardo del Corral

@alarch 2022 and your comment saved my bacon, thank you!!!

(Yes it was an issue with the way the SF Url changes; "lightning" exchanged for "my") 

Dongzhi Yang 27

@ayisha begum, thanks!

It is crazy. It was working on an org where I have set up a custom domain, but when I switch to a new org where there is no custom domain it stopped working. I guess, the custom domain played a role in it.  Happy to further discuss about this to completely understand the behavior

Kritika Tyagi 07
@Ayisha Begum, thanks! That's working now :-)
Ashish Burnwal
Thanks @Ayisha , your suggestion worked for me.
christian baker
I was actually facing the problem with lots of problems. Thanks, @Ayisha begum for providing your valuable idea, it will surely work for me. I currently work as a tutor and help many students online with the help of Do My Homework (
Sandy Smith 3
It is really helpful. Since 2020, we have also implemented SSO (single sign-on) and it provides efficiency and more cyber security.
Amidou Cisse
The error message "Session expired or invalid" typically means that the access token you're using has become invalid. This could happen for a number of reasons, such as the user revoking the app's access, the session timing out, or a change in the user's security settings.
Here are some things you can try to resolve the issue:
Make sure that you are using the correct instance URL for your organization.
Check if the access token has expired by looking at its expiration time, and request a new token if necessary.
Make sure that the user who granted access to the app still has the necessary permissions, and that their security settings haven't changed.
Verify that the API access is still enabled for your organization, and that you have signed up for the REST API through the developer preview form.
Try refreshing the token or logging in again to see if that resolves the issue.
If none of these steps work, you may want to reach out to Salesforce Support for further assistance.
Hi everyone,
I was also facing the same issue and I solved it.
In your Authorization section you have to set Type = Bearer Token, and in Token add the token number.
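
The checks discussed in this thread (a token whose `!` was percent-encoded as `%21`, a request sent to a host other than the returned instance_url, and a redirect that changes host so the Authorization header is dropped), as an added shell example that is not part of any post above. The function names, the `SF_ACCESS_TOKEN` variable and all sample tokens and hosts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Offline pre-flight checks for the failure modes raised in this thread.
# Every token and host below is a constructed placeholder.

# Undo accidental percent-encoding of "!" in a token ("%21" -> "!").
normalize_token() {
  printf '%s' "$1" | sed 's/%21/!/g'
}

# Extract the host from a URL (scheme://host[:port]/path -> host[:port]).
host_of() {
  h=${1#*://}
  printf '%s' "${h%%/*}"
}

# Succeeds only when the request URL targets the host given in instance_url.
uses_instance_host() {   # $1 = instance_url, $2 = request URL
  [ "$(host_of "$1")" = "$(host_of "$2")" ]
}

# Succeeds when a redirect Location points at a different host than the
# request; a client that drops Authorization across hosts arrives unauthenticated.
redirect_changes_host() {   # $1 = request URL, $2 = Location header value
  [ "$(host_of "$1")" != "$(host_of "$2")" ]
}

# Hypothetical helper: the token comes from the environment, so the
# interactive shell never sees a literal "!" to reinterpret.
api_get() {   # $1 = instance_url, $2 = path; needs SF_ACCESS_TOKEN set
  curl -sS -H "Authorization: Bearer $(normalize_token "$SF_ACCESS_TOKEN")" "$1$2"
}

# Constructed sample values (not real credentials or orgs).
SAMPLE_TOKEN='00DXX0000000000%21AQEAQconstructed.token_value'
SAMPLE_INSTANCE='https://example-org.my.salesforce.com'
SAMPLE_REQUEST='https://example-org.lightning.force.com/services/data/'

echo "token to send: $(normalize_token "$SAMPLE_TOKEN")"
if ! uses_instance_host "$SAMPLE_INSTANCE" "$SAMPLE_REQUEST"; then
  echo "request host differs from instance_url host: call instance_url directly"
fi
if redirect_changes_host "$SAMPLE_REQUEST" "$SAMPLE_INSTANCE/services/data/"; then
  echo "redirect crosses hosts: Authorization may be dropped on the way"
fi
```

Sending the request to the instance_url host directly removes the need to forward the Authorization header across a redirect.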