function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

Problem with refresh_token

I am unable to refresh an access_token using the rest api.  I am making the following POST:


POST /services/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded



with appropriate vales for <cid>, <cis> and <rt>.  I am getting a 400 error with the following values returned:


"error": "invalid_grant",
"error_description": "token validity expired"


Does anyone know what is going on?  When I pass in a known invalid refresh_token I get a different error:


"error": "invalid_grant",
"error_description": "expired access/refresh token"


So, I think my refresh token is valid.  I can't find any information explaining the meaning of "token validity expired".  I have tried the refresh immediately after receiving the refresh_token and after waiting for a few hours.  Any help would be appreciated.





If a single user grant access to the same app multiple times, after 5 grants, older grants are being revoked by salesforce automatically, thus the previously issued refresh token are not longer valid.







I had come across the 5 grants limitation when searching for a solution to my problem.  However, I am trying to use the very latest refresh_token and not an older token.  As well, I checked the remote access application grants and there were less than 5 issued. When I try to use a refresh_token that I have explicitly revoked, I get the error "expired access/refresh token" and not "token validity expired".



Ben IpsenBen Ipsen
In case someone else stumbles upon this in the future - I was having a problem due to a setting in the Manage Apps > Connected Apps > My application (edit).  Under oAuth settings there is a set or raiods called "Refresh Token Policy".  Mine was set to expire immediately by default for the app I am developing.  Hopefully this was due to the fact originally I was not using refresh_token in my oAuth scope and not a default for customers when I go live
Durai PandiDurai Pandi
Edit app policy--> Refresh Token Policy:
       Refresh token is valid until revoked

Above settings fixed the issue for me.
Does this mean that regardless of how many tokens were given out, you are still able to use the refresh token to get a new access token? For instance, you have 10 separate users in the OAuth usage. Even the 10th user was able to use the refresh token?