Veera Goriparthi

Session expired or invalid

I am using a REST API call to get SF account details. I am able to get the OAuth token, but when I use this token to get Account details it gives the below error.

[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]

Here is the flow


{"id":"https://login.salesforce.com/id/00D28000000KMl1EAG/00528000000MwpQAAS","issued_at":"1428631322872","scope":"id full custom_permissions api web openid visualforce refresh_token chatter_api","instance_url":"https://ap2.salesforce.com","token_type":"Bearer","refresh_token":"5Aep861TSESvWeug_wBae_.NiEYtLVbgA9FW1UDMAq7zqGYpEeyCgRS1jLbqFuSuC2vJd5RyDOmpU.pSPn.Q1zV","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjE5NCJ9.eyJleHAiOjE0Mjg2MzE0NDIsInN1YiI6Imh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb20vaWQvMDBEMjgwMDAwMDBLTWwxRUFHLzAwNTI4MDAwMDAwTXdwUUFBUyIsImF0X2hhc2giOiJlbF9iOXBzSlJCMVFOMGI5cXJib0V3IiwiYXVkIjoiM01WRzlaTDBwcEdQNVVyQng4TFUudkFQZDgwb3pJbzRKTUI2Nk4zcjFJUHpzaU1NUHpJWW0zcHRsYXBORGhpMjR3Y2QzSWs4SnRsUVpxcl9vcGF0SCIsImlzcyI6Imh0dHBzOi8vbG9naW4uc2FsZXNmb3JjZS5jb20iLCJpYXQiOjE0Mjg2MzEzMjJ9.XXfxxvNwQgWrSP-eFoUhFbzDfqxsASntM1slTjhQXN_vgHAp-Wv0rJYBWg6QXcIWwQEsvfCAvGi9JkbRIZ5UYqLPSrnhxsje4StPfvwwHMBMarimqeKKWt24Xb6Hri0DMdp6FjN9y9RneJpVcZeLHbkFnOIUf11cgMk1d3kI9KrgmkoDn8TI1yfPU0NLbJtafnYw2S9cdHrcju31i-9eLjy-yeMrJtinS5TqUdWcalEL1uqZq_KGEnsWkmN8sjEaSgtCio33ZZwDL6IKTgdHeDZedEZfRqhUoyBni14qYdpRX9ANSd1B61HtCVLiAeetc156KB4KYr-oR0Byg7oqAswhU41OQ9RmNp5VDQVVKspgwImauJzhpLs59W64SH5dP

token 00D28000000KMl1!ARAAQPLIuaRCKyXQPB1LDjuiF4Bg1QAVfzXNFpq7C4zYRVurh3JxqYpcu5IIf98P1XOB7oEwLkbSJwdq4Mc0pxkmaQCbjbgd
Authorization:Bearer 00D28000000KMl1!ARAAQPLIuaRCKyXQPB1LDjuiF4Bg1QAVfzXNFpq7C4zYRVurh3JxqYpcu5IIf98P1XOB7oEwLkbSJwdq4Mc0pxkmaQCbjbgd

Error while sending Salesforce request {}HTTP_401 : [{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]

Best Answer chosen by Veera Goriparthi
Anupam Rastogi
Hi Veera,

Two things - 

1. I see that the instance URL returned along with the Access Token is: https://ap2.salesforce.com, but you are using ap1 in the final query request. You should use ap2 over there.

2. If the above still does not work then give a try with the endpoint as: http://ap2.salesforce.com/services/data/v31.0/sobjects/Account/00528000000MwpQAAS


If the reply solves your problem then please mark it as best answer.

All Answers

Anupam Rastogi
Hi Veera,

Are you doing all this through Apex code (getting the code, then the access token and then making the call)?

Veera Goriparthi
Rest Api using Java http client
Anupam Rastogi

See, I also faced this error when I tried to use 'Web Server OAuth Authentication Flow' programmatically. Therefore I switched to 'Username-Password OAuth Authentication Flow'.

The difference between these two flows is that -
     - The latter uses the credentials of a User who has API access to the Salesforce instance. The benefit it provides is that this user is used only for Integration purposes and therefore we can restrict the access it has to the SFDC objects etc.
     - Using the latter approach, we do not require any web server redirection in place, and the number of round trips is reduced by one because the extra trip of taking the authorization code and retrieving the access token is removed.

These are the steps that you can implement for this flow ('Username-Password OAuth Authentication Flow') in your application to invoke REST Api - 

1. Make an HTTP POST call to the endpoint: https://login.salesforce.com/services/oauth2/token with the following body -
      String reqbody = 'grant_type=password&client_id='+clientId+'&client_secret='+clientSecret+'&username='+username+'&password='+password;
      Here, replace the clientId, clientSecret, username and password with the Connected App Consumer Key, Secret, SFDC Username and SFDC Password+Security Token

2. The response to this call will be the access token.

3. Use the access token to make the required GET call with the endpoint similar to: https://[SFDCOrg]/services/data/v32.0/sobjects/Account/[AccountId]

4. The response is the JSON or XML (depending on Content-Type set by you) with the Account Details.

And you are done.


If the reply solves your problem then please mark it as best answer.

For your reference I am also pasting the APEX code that I used to make a REST API call from one SFDC Org to another SFDC Org.


public class SendAccountUsingRESTAPI {
    //---Class Variables
    private final String clientId = 'XXXXXXX...........XXXXX';
    private final String clientSecret = 'XXX123...XXX';
    private final String username = 'XXX...@...XX';
    private final String password = 'PasswordSecurityToken';

    //---Inner Class to be used for deserializing
    public class deserializeResponse {
        public String id;
        public String access_token;
        public String Name;
        public String Description;
    }

    //---Class Method: For authentication and access token extraction, Uses Username-Pwd OAuth Authentication Flow
    public String ReturnAccessToken (SendAccountUsingRESTAPI acount) {
        String reqbody = 'grant_type=password&client_id='+clientId+'&client_secret='+clientSecret+'&username='+username+'&password='+password;
        Http h = new Http();
        HttpRequest req = new HttpRequest();
        //---Token endpoint, POST method and form body (the pasted code never attached reqbody to the request)
        req.setEndpoint('https://login.salesforce.com/services/oauth2/token');
        req.setMethod('POST');
        req.setBody(reqbody);
        HttpResponse res = h.send(req);
        //---Researched in SFDC books: Method 2 for parsing JSON and extracting a Token value without looping, Uses a class as written above
        deserializeResponse resp1 = (deserializeResponse)JSON.deserialize(res.getbody(), deserializeResponse.class);
        //System.debug('Access Token = ' + resp1.access_token);
        return resp1.access_token;
    }

    //---Class Method: For REST API call to the Target, uses access token extracted above, asynchronous
    //---A future method needs callout=true to be allowed to make HTTP callouts
    @future(callout=true)
    public static void callcreateAcc (String accName, String accId) {
        SendAccountUsingRESTAPI acount1 = new SendAccountUsingRESTAPI();
        String accessToken = acount1.ReturnAccessToken (acount1);
        if(accessToken != null){
            String endPoint = 'https://na16.salesforce.com/services/data/v32.0/sobjects/Account/' + accId;

            Http h1 = new Http();
            HttpRequest req1 = new HttpRequest();
            //---Endpoint and GET method were missing from the pasted code
            req1.setEndpoint(endPoint);
            req1.setMethod('GET');
            req1.setHeader('Authorization','Bearer ' + accessToken);
            HttpResponse res1 = h1.send(req1);
            deserializeResponse resp2 = (deserializeResponse)JSON.deserialize(res1.getbody(), deserializeResponse.class);
        }
    }
}
Veera Goriparthi
Hi AR, Thanks a lot for the reply, but we have to use 'Web Server OAuth Authentication Flow' only as per security reasons. Is there any security config which is causing this issue? It was working fine for Apps created a couple of months back. Regards, Veera.
Veera Goriparthi
Hi AR, Thanks a lot for your reply. After using the Instance URL I am able to get details. But I end up with another issue, i.e., how do I know the instance URL to post the Authorization code to? If I use a different instance URL then I am getting an invalid code error. Thanks, Veera.
Anupam Rastogi
Hi Veera,

I am a little unclear about the step on which you are receiving this error now. I am listing down the steps that are there in 'Web Server OAuth Authentication Flow'. Please let me know on which step you are getting the error now. (Also, check once that you are actually following this flow.)

1. Send request to end point https://login.salesforce.com/services/oauth2/authorize with the following parameters
          client_id=[Consumer Key of the destination SFDC Instance]
          redirect_uri=[Callback URL as mentioned in the Connected App record]
    This should redirect you to the call back URL appended with the code.

2. Extract the code programmatically from the call back URL.

3. Send request to end point https://login.salesforce.com/services/oauth2/token with the following parameters
          client_id=[Consumer Key of the destination SFDC Instance]
          client_secret=[Consumer Secret of the destination SFDC Instance]
          redirect_uri=[Callback URL as mentioned in the Connected App record]
          code=[Authorization Code returned after Step 1 and extracted in Step 2]
    If everything works fine then you should get a response that contains the access_token, instance_url etc. And I guess you are already getting this as per your initial question here.

4. Extract the access_token and instance_url.

5. Finally, make the required call to the end point extracted in Step 4 using the access_token extracted in Step 4.
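
As an added example (not code from this thread), the Python below wires together the pieces both the Username-Password steps and the Web Server steps above depend on: it builds the /services/oauth2/token body for either grant (and for a refresh_token grant), takes the host for the Account call from instance_url in the token response instead of the login host or a guessed pod such as ap1, splits the identity URL in the id field into org id and user id, and recognises the 401 INVALID_SESSION_ID reply so the caller refreshes or re-authenticates rather than retrying the same token. SAMPLE_TOKEN_RESPONSE is a constructed response with placeholder values; API_VERSION follows the v32.0 used in the thread.

```python
import json
from urllib.parse import urlencode

LOGIN_HOST = "https://login.salesforce.com"
API_VERSION = "v32.0"

# Constructed token response in the shape the thread shows; every value is a placeholder.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "id": "https://login.salesforce.com/id/00DEXAMPLEORGID000/005EXAMPLEUSERID00",
    "instance_url": "https://ap2.salesforce.com",
    "access_token": "EXAMPLE.ACCESS.TOKEN",
    "refresh_token": "EXAMPLE.REFRESH.TOKEN",
    "token_type": "Bearer",
})

def token_request(grant, client_id, client_secret, **params):
    """URL and form body for POST /services/oauth2/token.
    grant: 'authorization_code' (Web Server flow, steps 1-3 above),
    'password' (Username-Password flow) or 'refresh_token'."""
    required = {"authorization_code": ("code", "redirect_uri"),
                "password": ("username", "password"),
                "refresh_token": ("refresh_token",)}[grant]
    missing = [k for k in required if k not in params]
    if missing:
        raise ValueError(f"{grant} grant needs {missing}")
    body = {"grant_type": grant, "client_id": client_id,
            "client_secret": client_secret, **params}
    return LOGIN_HOST + "/services/oauth2/token", urlencode(body)

def account_request(token_response, account_id):
    """URL and headers for GET sobjects/Account/<id>. The host is instance_url from
    the token response (ap2 in the thread); sending the token to login.salesforce.com
    or to another pod is what produces INVALID_SESSION_ID."""
    tok = json.loads(token_response)
    url = f"{tok['instance_url']}/services/data/{API_VERSION}/sobjects/Account/{account_id}"
    return url, {"Authorization": f"Bearer {tok['access_token']}", "Accept": "application/json"}

def identity_ids(token_response):
    """The id field is the identity URL .../id/<orgId>/<userId>; return both ids."""
    parts = json.loads(token_response)["id"].rstrip("/").split("/")
    return parts[-2], parts[-1]

def session_invalid(status, body):
    """True for the 401 + INVALID_SESSION_ID reply seen in the thread: the remedy is a
    refresh_token grant or a new login, not a retry with the same token."""
    if status != 401:
        return False
    try:
        errors = json.loads(body)
    except ValueError:
        return False
    return isinstance(errors, list) and any(
        e.get("errorCode") == "INVALID_SESSION_ID" for e in errors)
```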

Meenakshi P
Hi Anupam,

I am also trying to authorize and getting same error. (Username-password authentication)
my curl command to authorize is:
curl https://na24.salesforce.com/services/data/v20.0/ -H 'Authorization: Bearer 00D1a000000Jb4Z!ARkAQChPkjf9B0psZYY7tQIJRl3SgrIyher9mDTJ3PnjI6fU_KN8pMbbCKtYPSaZUwll.9St7WFjWqJtY0J5ld.3XTrBxp_x'

I received below response after username-password authentication:


Can you please tell me what is missing here?

Meenakshi P
I also tried other curl passing AccountId which I got from authentication response but it did not work:
curl -k https://na24.salesforce.com/services/data/v32.0/sobjects/Account/0051a000000IWqcAAG' -H 'Authorization: Bearer 00D1a000000Jb4Z!ARkAQChPkjf9B0psZYY7tQIJRl3SgrIyher9mDTJ3PnjI6fU_KN8pMbbCKtYPSaZUwll.9St7WFjWqJtY0J5ld.3XTrBxp_x'
Anupam Rastogi
Hi Veera,

What is the error that you are receiving?

Share the complete code that you are using to interface using Username-Password OAuth Authentication Flow.

Meenakshi P
I am testing thru curl as of now. Can you please tell me if I am giving the wrong url here in the request.
Here is the complete request and response:
REQUEST: curl -k -v https://na24.salesforce.com/services/data/v32.0/sobjects/Account/0051a000000IWqcAAG' -H 'Authorization: Bearer 00D1a000000Jb4Z!ARkAQChPkjf9B0psZY

* Connected to na24.salesforce.com ( port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2, TLS Unknown, Unknown (22):
* TLSv1.2, TLS handshake, Client hello (1):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, Server hello (2):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, CERT (11):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, Server finished (14):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, Client key exchange (16):
* SSLv2, Unknown (20):
* TLSv1.2, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, Finished (20):
* SSLv2, Unknown (20):
* TLSv1.2, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* TLSv1.2, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*        subject: C=US; ST=California; L=San Francisco; O=Salesforce.com, Inc.; OU=Applications; CN=*.salesforce.com
*        start date: 2014-10-21 00:00:00 GMT
*        expire date: 2015-10-22 23:59:59 GMT
*        issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 International Server CA - G3
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* SSLv2, Unknown (23):
> GET /services/data/v32.0/sobjects/Account/0051a000000IWqcAAG' HTTP/1.1
> Host: na24.salesforce.com
> User-Agent: curl/7.42.0
> Accept: */*
* SSLv2, Unknown (23):
< HTTP/1.1 401 Unauthorized
< Date: Thu, 30 Apr 2015 20:14:43 GMT
< Set-Cookie: BrowserId=WzAVgL6hSaSgfnIBPg8IaQ;Path=/;Domain=.salesforce.com;Expires=Mon, 29-Jun-2015 20:14:43 GMT
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< WWW-Authenticate: Token
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]
* SSLv2, Unknown (23):
* Connection #0 to host na24.salesforce.com left intact
* Rebuilt URL to: Bearer/
* Could not resolve host: Bearer
* Closing connection 1
curl: (6) Could not resolve host: Bearer
* Rebuilt URL to: 00D1a000000Jb4Z!ARkAQChPkjf9B0psZYY7tQIJRl3SgrIyher9mDTJ3PnjI6
* Could not resolve host: 00D1a000000Jb4Z!ARkAQChPkjf9B0psZYY7tQIJRl3SgrIyher9mD
* Closing connection 2
curl: (6) Could not resolve host: 00D1a000000Jb4Z!ARkAQChPkjf9B0psZYY7tQIJRl3Sgr

Anupam Rastogi
Hi Meenakshi,

You must have created a connected app in Salesforce. Did you give appropriate access in it?

I have also used curl earlier and it works fine. Even today I am able to create or search Account records using it. Here are the URLs for your reference - 

curl https://login.salesforce.com/services/oauth2/token -d "grant_type=password" -d "client_id=[replace with the Consumer Key from Step 1]" -d "client_secret=[replace with Consumer Secret from Step 1]" -d "username=[SFDC Username]" -d "password=[SFDC Password along with the security token]"

curl https://na24.salesforce.com/services/data/v20.0/sobjects/Account/ -H "Authorization: Bearer [sessionId from above URL]" -H "Content-Type: application/json" -d "@newaccount.json"

Here newaccount.json is a json file containing a new account record to be created like shown below -
    { "Name" : "Account From cURL using JSON" }

Hope this will help you,

I am calling

and I received the code in the response.

When I call the second url using the Advanced REST client chrome plugin, I get
{ "error": "invalid_client", "error_description": "invalid client credentials" }

What am I doing wrong?
I had a typo in the url. It is working for me now. Thanks.
Does calling the url https://test.salesforce.com/services/oauth2/authorize?response_type=code&client_id=3MVG9eQyYZ1h89He3VvnqPCFegrhOQskN00qhVU4NN5hMcuseXkWModAtjOyf4Wltf4tg1h2ANobcOQJMDp.j&redirect_uri=callbackurl from the java application require the user to login into salesforce?