Why is my Salesforce refresh token expiring unexpectedly?

Posted on June 23, 2025, in Salesforce Technical Questions.
Connected App User's Usage

Question:

We have configured our web application to use OAuth2 with our Salesforce Connected App, ensuring that the refresh token never expires unless manually revoked. The app stores the refresh token received after the admin connects to the application, allowing us to communicate with Salesforce’s APIs on behalf of the user later. We have set the “offline_access” and “refresh_token” scopes properly during the admin login process.

Initially, the application works well throughout the day, but suddenly, when attempting to retrieve a new access token using the stored refresh token, we receive the following response:

{
  "error_description": "expired access/refresh token",
  "error": "invalid_grant"
}

After reviewing the settings, everything appears configured to prevent the refresh token from expiring. However, we are experiencing token expiration. Are there any other conditions that can cause a refresh token to expire? Can the frequency of using the refresh token to request new access tokens cause it to expire? Should the refresh token itself be refreshed periodically?

Currently, the only recovery process involves the user reauthorizing the app, which is far from ideal, as it causes all communication attempts to fail in the meantime. We also have normal (non-admin) users who authenticate via OAuth into our web app. Should we avoid requesting “offline_access” and “refresh_token” for normal users who only need authentication?

Furthermore, we’ve encountered hints from other discussions suggesting a limit on the number of refresh tokens, stating that only five refresh tokens can be issued before the previous ones expire. Although we’ve attempted to reproduce the issue by signing in as both an admin and a user multiple times, we haven’t been able to trigger the problem. Could IP address restrictions or other configurations be involved?

[Image: User Session Information]

Answer:

Refresh tokens in Salesforce can expire under certain conditions, such as excessive usage or reaching the limit of active refresh tokens per user. Re-authenticating without proper sign-out can cause the creation of multiple sessions, leading to the expiration of older tokens. It’s crucial to manage session limits and refresh tokens effectively to avoid disruptions in your application’s authentication flow.


1. Refresh Token Expiration:

Salesforce refresh tokens can expire under certain conditions, even if configured not to expire.
These conditions include:

  • Revocation of the refresh token by an administrator.
  • If the user changes their password or their account is locked.
  • Use of a refresh token on multiple devices or multiple times, which may create new sessions.
  • Exceeding the limit of refresh tokens issued per user (5 refresh tokens). Once this limit is reached, Salesforce revokes the oldest tokens.

2. Token Refresh:

Refresh tokens are not meant to be refreshed. Instead, you should continue using the same refresh token to obtain new access tokens. However, Salesforce’s session management limits the number of concurrent refresh tokens that can be active per user.

3. Use Count Behavior:

The “Use Count” increments every time the refresh token is used to generate a new access token. If this number exceeds a certain threshold, Salesforce will invalidate previous sessions, leading to the “expired access/refresh token” error. This could be seen as an indication of multiple sessions for the same user being created, even if they aren’t signing out between attempts.

4. Re-authentication:

Signing in repeatedly without proper sign-out may cause Salesforce to treat each login as a separate session. This can lead to the creation of multiple OAuth sessions, and once the maximum session count is reached, older sessions might be invalidated.

To avoid this, ensure that the application properly signs out and revokes tokens between each OAuth exchange. Also, check if you’re hitting the refresh token limit of 5 active tokens. For normal users, it’s typically safe to avoid requesting “offline_access” and “refresh_token” unless they need persistent access across sessions.

If the “Use Count” drops to a lower value after several logins without refreshing the token, this could be the source of the issue.
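The answer's practical advice comes down to three client-side habits: keep using the one stored refresh token instead of re-authorizing, hit the token endpoint only when the cached access token has actually stopped working (so the "Use Count" and the number of sessions stay low), and revoke the token on sign-out rather than leaving stale sessions behind. The following Python is an added example written for this page, not code from the question's application or from Salesforce; the `/services/oauth2/token` and `/services/oauth2/revoke` endpoints and the `invalid_grant` response body are real, while the injected `post`/`api` callables, the `FakeSalesforce` stand-in, the token values and `CLIENT_ID_PLACEHOLDER` are constructed so the block runs offline.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Real Salesforce OAuth endpoints (production login host; sandboxes use test.salesforce.com).
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
REVOKE_URL = "https://login.salesforce.com/services/oauth2/revoke"

# Hypothetical transports, injected so the example runs offline.
# In production wrap e.g. requests.post(url, data=fields) and an authenticated REST call.
PostFn = Callable[[str, Dict[str, str]], Tuple[int, str]]   # (url, form fields) -> (status, body)
ApiFn = Callable[[str, str], Tuple[int, str]]               # (instance_url, access_token) -> (status, body)


class ReauthorizationRequired(Exception):
    """The refresh token itself is revoked/expired; only a new user authorization fixes this."""


@dataclass
class TokenStore:
    refresh_token: Optional[str]
    access_token: Optional[str] = None
    instance_url: Optional[str] = None
    refresh_calls: int = 0  # times we hit the token endpoint; mirrors Salesforce's "Use Count"


def refresh_access_token(store: TokenStore, post: PostFn, client_id: str,
                         client_secret: Optional[str] = None) -> str:
    """Exchange the stored refresh token for a new access token (grant_type=refresh_token)."""
    if not store.refresh_token:
        raise ReauthorizationRequired("no refresh token stored")
    fields = {"grant_type": "refresh_token", "client_id": client_id,
              "refresh_token": store.refresh_token}
    if client_secret:  # only required when the Connected App enforces the secret for refresh
        fields["client_secret"] = client_secret
    status, body = post(TOKEN_URL, fields)
    store.refresh_calls += 1
    try:
        data = json.loads(body)
    except ValueError:
        data = {}
    if status != 200 or "access_token" not in data:
        if data.get("error") == "invalid_grant":
            # The response quoted in the question: the refresh token is gone. Forget it so the
            # app stops retrying and routes the user to re-authorization instead.
            store.refresh_token = None
            store.access_token = None
            raise ReauthorizationRequired(data.get("error_description", "invalid_grant"))
        raise RuntimeError(f"token endpoint returned {status}: {body}")
    store.access_token = data["access_token"]
    store.instance_url = data.get("instance_url", store.instance_url)
    return store.access_token


def call_api(store: TokenStore, post: PostFn, api: ApiFn, client_id: str,
             client_secret: Optional[str] = None) -> Tuple[int, str]:
    """Reuse the cached access token; refresh only on 401 (INVALID_SESSION_ID), at most once per call."""
    if store.access_token is None:
        refresh_access_token(store, post, client_id, client_secret)
    status, body = api(store.instance_url, store.access_token)
    if status == 401:
        refresh_access_token(store, post, client_id, client_secret)
        status, body = api(store.instance_url, store.access_token)
    return status, body


def sign_out(store: TokenStore, post: PostFn) -> None:
    """Revoke the refresh token (Salesforce also revokes access tokens issued from it) and forget it."""
    if store.refresh_token:
        post(REVOKE_URL, {"token": store.refresh_token})
    store.refresh_token = store.access_token = store.instance_url = None


class FakeSalesforce:
    """Constructed stand-in: hands out access tokens and kills the refresh token after max_refreshes uses."""

    def __init__(self, max_refreshes: int = 3):
        self.valid_refresh = {"rt-1"}   # constructed refresh token value
        self.live_access = set()
        self.issued = self.uses = 0
        self.max_refreshes = max_refreshes

    def post(self, url: str, fields: Dict[str, str]) -> Tuple[int, str]:
        if url == REVOKE_URL:
            self.valid_refresh.discard(fields["token"])
            self.live_access.clear()
            return 200, "{}"
        if fields["refresh_token"] not in self.valid_refresh or self.uses >= self.max_refreshes:
            self.valid_refresh.discard(fields["refresh_token"])
            return 400, json.dumps({"error": "invalid_grant",
                                    "error_description": "expired access/refresh token"})
        self.uses += 1
        self.issued += 1
        token = f"at-{self.issued}"
        self.live_access.add(token)
        return 200, json.dumps({"access_token": token,
                                "instance_url": "https://example.my.salesforce.com"})

    def api(self, instance_url: str, access_token: str) -> Tuple[int, str]:
        if access_token in self.live_access:
            return 200, '{"records": []}'
        return 401, '[{"errorCode": "INVALID_SESSION_ID"}]'

    def expire_access_tokens(self) -> None:
        self.live_access.clear()


def demo() -> Tuple[int, int]:
    """Five API calls cost one refresh; an expired access token costs exactly one more."""
    sf, store = FakeSalesforce(max_refreshes=3), TokenStore(refresh_token="rt-1")
    for _ in range(5):
        call_api(store, sf.post, sf.api, client_id="CLIENT_ID_PLACEHOLDER")
    after_five = store.refresh_calls
    sf.expire_access_tokens()
    call_api(store, sf.post, sf.api, client_id="CLIENT_ID_PLACEHOLDER")
    return after_five, store.refresh_calls


if __name__ == "__main__":
    print(demo())
```

The point of `call_api` is that the token endpoint is never called pre-emptively: a Salesforce access token lives until the session times out or is revoked, so refreshing on every request (or on a timer) only inflates the Use Count and the session count the answer warns about. When `invalid_grant` does arrive, the store drops the token and raises `ReauthorizationRequired`, which is the signal to send that one user back through the authorization flow instead of retrying with a dead token.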

Accelerate Your Career with Salesforce Training in Nagpur

Unlock the doors to a rewarding career with our Salesforce training in Nagpur! Our program is carefully crafted to provide you with expert-level certification guidance, in-depth interview preparation, and a comprehensive curriculum covering essential tracks like Admin, Developer, and AI. With detailed class notes and practical hands-on experience, you’ll gain the skills necessary to excel within the Salesforce ecosystem.

Our Salesforce training offers more than just theoretical knowledge. Experience personalized mentorship, industry-focused projects, and expert-led sessions to prepare you for real-world challenges. Whether you’re just starting or looking to upskill, our program ensures you’re equipped to thrive in a competitive job market.

Join us today and take the first step towards mastering Salesforce and shaping your professional future!!!
