invalid_grant-expired access/refresh token error when authenticating access via REST
I'm facing a strange scenario - I'm using a REST Client to authenticate access to SF. I'm using
`"grant_type": "password"`, the client key, client secret, username and password concatenated with the token. My request URL is: https://cs17.salesforce.com/services/oauth2/token
I checked the parameters and they are correct.
I don't have a clue why but I'm getting this error:
"error": "invalid_grant", "error_description": "expired access/refresh token"
In the past it worked fine and now I don't know what went wrong.
Double check your `Content-type` header - if it isn't `application/x-www-form-urlencoded` you can see all sorts of weird errors.
`access_token` likely needs to be refreshed or the user re-authenticated. They will expire based on your session settings in Salesforce. For Web Server and User-Agent flows, you can request that the token be refreshed by using the `refresh_token`. For Username-Password flow, you will likely need to authenticate the user again to get a new
FYI: for Web Server flows (getting a similar message while trying to use
I had this issue and it was difficult to figure out the solution. Salesforce doesn't make this easy because there are two different places to change the settings for your connected app that affect different settings (through Create Apps and Manage Apps)! The likely cause of the issue is the setting for "Require users to log in". The proper setting for this to be able to use a `refresh_token` properly is "The first time they use this application".
Currently this setting can be accessed by getting to the Setup menu and finding Manage Apps in the left hand nav. After you log in, click on your user name in the upper right and select Setup. On the resulting page, in the left hand nav, select Manage Apps > Connected Apps. In the list of connected apps, select the Edit link for the app in question.
On the Connected App Edit page, under the OAuth Policies section, make sure you have "The first time they use this application" selected.
This will allow you to actually use a `refresh_token` to refresh the `access_token` to make authenticated requests.
I think they need to work on documentation.
In my case, this error message is returned on the first login attempt, so this response is N/A
Are you setting the client_id and secret?
Those are the parameters you should send:
`client_id=XXXXXX&client_secret=XXXX&password=passTOKEN&username=XXX&grant_type=password`
Ensure you are setting the header
BTW, user-password flow doesn't support refresh_token flow. More info see this reply
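Added example, not code from any of the posts above: a Python sketch that builds the username-password token request with the form encoding the answers call for, checks a request for the mistakes they mention, and maps the error body from the question to the next step the answers suggest. The function names and return labels are hypothetical, the credentials are placeholders, and nothing is sent over the network.

```python
import json
from urllib.parse import urlencode, parse_qs
from urllib.request import Request

TOKEN_URL = "https://cs17.salesforce.com/services/oauth2/token"  # URL from the question
REQUIRED = ("grant_type", "client_id", "client_secret", "username", "password")

def build_token_request(client_id, client_secret, username, password, security_token):
    """Build (but do not send) the username-password token request."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        # Password and security token are concatenated, as in the question.
        "password": password + security_token,
    }
    # urlencode percent-escapes '&', '=', '+' and spaces inside the values.
    body = urlencode(form).encode("ascii")
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def check_request(req):
    """Return the problems the answers above warn about (empty list if none)."""
    problems = []
    # urllib stores header names capitalized as "Content-type".
    ctype = (req.get_header("Content-type") or "").split(";")[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        problems.append("Content-Type is %r, not application/x-www-form-urlencoded" % ctype)
    sent = parse_qs((req.data or b"").decode("ascii", "replace"))
    for name in REQUIRED:
        if not sent.get(name):
            problems.append("missing form parameter: " + name)
    return problems

def interpret_response(raw_body, grant_type):
    """Map a token-endpoint JSON body to the next step suggested on this page."""
    reply = json.loads(raw_body)
    if "access_token" in reply:
        return "ok"
    if reply.get("error") == "invalid_grant":
        # Per the answers: the password flow re-authenticates; other flows
        # depend on the connected app's "Require users to log in" policy.
        return "reauthenticate" if grant_type == "password" else "check-connected-app-policy"
    return "other-error"
```

Running `check_request` on the request your REST client actually produces, before sending it, shows whether the body was sent as JSON or with a missing parameter.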