function readOnly(count){ }
Sign Up ›
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
Learn More

Browse by Topic
ShowAll Questionssorted byDate Posted
+ Start a Discussion
RoelofsRoelofs 

Invalid session ID when calling apex REST service

Hi! I'm trying to do a GET request to an Apex. I followed the OAuth 2.0 procedure to get an access token from Salesforce by using my username and password.
When using this token in the GET request to the Apex REST endpoint, I get a 401 error with the message '[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]'.

What am I doing wrong?

I use the PHP code below. $token is the access token I got from the https://login.salesforce.com/services/oauth2/token request, and it is executed directly after receiving the token (xxxx is replaced): 
$curl = curl_init();

curl_setopt_array( $curl, array(
    CURLOPT_URL => 'https://xxxx.salesforce.com/services/apexrest/xxxx',
    CURLOPT_POST => false,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HEADER => array( 'Authorization: Bearer ' . $token )
) );

$response = curl_exec( $curl );
curl_close( $curl );
mike4adaymike4aday
Have you already selected 'api' or 'all' for the scopes in the Connected App definition?
https://help.salesforce.com/articleView?id=remoteaccess_oauth_scopes.htm&type=5
RoelofsRoelofs
Thanks for your reply. Yes, the scope 'Access and manage your data (api)' is enabled for the Connected App.
RoelofsRoelofs
Some other info about the request: 
HTTP/1.1 401 Unauthorized
Date: Fri, 16 Mar 2018 15:14:18 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: upgrade-insecure-requests 
X-Robots-Tag: none
Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private
Set-Cookie: BrowserId=xxxx;Path=/;Domain=.salesforce.com;Expires=Tue, 15-May-2018 15:14:18 GMT;Max-Age=5184000
Expires: Thu, 01 Jan 1970 00:00:00 GMT
WWW-Authenticate: Token
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
mike4adaymike4aday
Are you using the server URL as returned by the login request?
Or (less likely since you say you make the request right away after authorization): is it possible that your IP address is changing and "Lock sessions to the IP address from which they originated" is enabled?
RoelofsRoelofs

Tried using the URL as returned in the login request, but then I get a slightlight different response (notice: X-Content-Type-Options, X-XSS-Protection). Still the INVALID_SESSION_ID notice:

HTTP/1.1 401 Unauthorized
Date: Mon, 19 Mar 2018 07:50:13 GMT
Strict-Transport-Security: max-age=31536002; includeSubDomains
Public-Key-Pins-Report-Only: pin-sha256="xxxx"; pin-sha256="xxxx"; pin-sha256="xxxx"; max-age=86400; includeSubDomains; report-uri="https://calm-dawn-26291.herokuapp.com/hpkp-report/xxxx";
Expect-CT: max-age=0; report-uri="https://calm-dawn-26291.herokuapp.com/Expect-CT-report/xxxx";
X-Robots-Tag: none
Cache-Control: no-cache,must-revalidate,max-age=0,no-store,private
Set-Cookie: BrowserId=xxxx;Path=/;Domain=.salesforce.com;Expires=Fri, 18-May-2018 07:50:13 GMT;Max-Age=5184000
Expires: Thu, 01 Jan 1970 00:00:00 GMT
WWW-Authenticate: Token
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
RoelofsRoelofs
I'm using the same IP for both requests.
RoelofsRoelofs
Okay.. Tried it by using PostMan, and it just worked.. Found out that CURLOPT_HEADER had to be CURLOPT_HTTPHEADER 😶.