OAuth Access Token Expiration

  • I have read many places that the access token session length is controlled by the client application and will expire "from time to time", but I cannot find a way for my application to calculate the expiration date/time.

    I have used other non-Salesforce systems and they pass along an expires_in value to help determine the expiration.

    Salesforce does pass along an issued_at value, which doesn't help me much.

    Is there a way to determine when the access token will expire, or is it only based on trial and error?

  • sfdcfox

    sfdcfox Correct answer

    6 years ago

    Sessions expire based on your organization's policy for sessions. Basically, as long as the app is in active use, the session won't expire. Once the session is logged out, the timeout has elapsed, or it is otherwise expired (e.g. an administrator expires all sessions for the Connected App).

    There's no way to know how long it will be until your session expires. It's not exactly "trial and error," it is simply a normal process. Even if you were told that your session expired in two hours, it might not last two hours if an administrator revokes the session, the session remains in use, etc.

    If you use refresh tokens, your code should first try the regular API call, and if you get a 4xx result, try using the refresh token to get a new session token, and if that fails, then you've been kicked out, and the user needs to re-authenticate to continue. If you don't use refresh tokens, you can skip the middle step, obviously.

    Thanks. That is very helpful. So, if I have a scheduled service/cron running Bulk Api actions and also real time Rest Api actions, should I use multiple connected apps? Is there a standard way to manage the access token usage so one process does not invalidate the access token while the other process is "working"? Would it make sense for this to be its own question?

    You should probably ask a separate question for a longer answer, but yes, each app should use its own connected app. 1. You can only have five active sessions per app. 2. Sharing tokens can cause failures on all apps if one is logged out. 3. You can identify misbehaving apps easier if they each use their own session token.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM

Tags used