invalid_grant-expired access/refresh token error when authenticating access via REST

  • I'm facing a strange scenario - I'm using a REST Client to authenticate access to SF. I'm using `"grant_type": "password"`, the client key, client secret, username, and password concatenated with the token. My request URL is:

    I checked the parameters and they are correct

    I don't have a clue why but I'm getting this error:

    "error": "invalid_grant", "error_description": "expired access/refresh token"

    In the past it worked fine and now I don't know what went wrong.

    Are you sure the token didn't change? It updates with every password change.

    Double check your `Content-type` header - if it isn't `application/x-www-form-urlencoded` you can see all sorts of weird errors.

    @LaceySnr what was the solution?

    @PhilB I just fixed editing, have no idea about the solution!

    @LaceySnr haha, that's your excuse, huh?

    @Dedo any update?

  • Your access_token likely needs to be refreshed or the user re-authenticated. They will expire based on your session settings in Salesforce. For Web Server and User-Agent flows, you can request that the token be refreshed by using the refresh_token. For Username-Password flow, you will likely need to authenticate the user again to get a new access_token.

    FYI: for Web Server flows (getting a similar message while trying to use refresh_token).

    I had this issue and it was difficult to figure out the solution. Salesforce doesn't make this easy because there are two different places to change the settings for your connected app that affect different settings (through Create Apps and Manage Apps)! The likely cause of the issue is the setting for "Require users to log in". The proper setting for this to be able to use a refresh_token properly is "The first time they use this application".

    Currently this setting can be accessed by getting to the Setup menu and finding Manage Apps in the left hand nav. After you log in click on your user name in the upper right and select Setup. On the resulting page, in the left hand nav, select Manage Apps > Connected Apps. In the list of connected apps, select the Edit link for the app in question.

    On the Connected App Edit page, under the OAuth Policies section, make sure you have "The first time they use this application" selected.

    This will allow you to actually use a refresh_token to refresh the access_token to make authenticated requests.

    I think they need to work on documentation.

    In my case, this error message is returned on the first login attempt, so this response is N/A

    Link seems to be outdated.

  • Are you setting the client_id and secret?

    Those are the parameters you should send:

    Ensure you are setting the header Content-Type: application/x-www-form-urlencoded.

    BTW, the user-password flow doesn't support the refresh_token flow. For more info, see this reply.

    I was having this issue, and I was providing the wrong client id and the wrong client secret.

  • I had this too. URL-decoding (`urldecode()`) the refresh_token before storing it, and then encoding (`urlencode()`) it for the POST, fixed it.
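An added example (not code from any of the answers above) that puts the advice in this thread together: the username-password token request with the security token appended to the password and the body form-encoded, a refresh request that form-encodes the raw refresh_token instead of storing a pre-encoded copy, and a helper that maps the `invalid_grant` response to the checks suggested here. The login URL is Salesforce's standard token endpoint; the credential values and the error-code names other than `invalid_grant` are assumptions.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Production token endpoint; sandboxes use test.salesforce.com instead.
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}


def build_password_grant(client_id, client_secret, username, password, security_token):
    """Username-password flow body. The security token is appended to the password
    and urlencode() escapes characters such as '!' or '@' that would otherwise
    corrupt a hand-built form body (the Content-Type must match this encoding)."""
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password + security_token,
    })
    return dict(FORM_HEADERS), body


def build_refresh_grant(client_id, client_secret, refresh_token):
    """Refresh flow (Web Server / User-Agent flows only). The refresh_token is the
    raw value from the token JSON; it is encoded exactly once, here, for the POST."""
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    })
    return dict(FORM_HEADERS), body


def explain_token_error(error_json):
    """Map the token endpoint's error JSON to the things this thread says to check."""
    err = error_json.get("error")
    desc = error_json.get("error_description", "")
    if err == "invalid_grant" and "expired" in desc:
        return ("expired access/refresh token: verify the security token (it changes on "
                "every password reset) and, for refresh_token, the connected app's "
                "'Require users to log in' policy")
    if err in ("invalid_client_id", "invalid_client"):  # assumed Salesforce codes
        return "check client_id / client_secret against the connected app"
    return f"{err}: {desc}"


def request_token(headers, body, url=TOKEN_URL):
    """POST the form body; returns (ok, parsed JSON) and does not raise on a 400."""
    req = Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urlopen(req, timeout=30) as resp:
            return True, json.load(resp)
    except HTTPError as e:
        return False, json.loads(e.read().decode())
```

A caller checks `ok` from `request_token` and passes the JSON to `explain_token_error` when it is false.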

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM