Mario Lim

{ [invalid_grant: expired access/refresh token] name: 'invalid_grant' }

I store the accessToken and refresh token so I can refresh it at some point in the future when the access token is no longer valid. However, it seems that the refresh token would expire at some point or get invalidated automatically. Can someone explain the lifetime of a refresh token?

In Digging_Deeper_into_OAuth_2.0_on_Force.com (https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com), it is mentioned that it is only revoked by the user:
The refresh token represents the user's authorization to the application, and is valid until explicitly revoked by the user, via My Settings ➤ Personal ➤ Advanced User Details ➤ OAuth Connected Apps.
However, there is an edit in the same doc that mentions that refresh tokens also have an expiration time:

The refresh token may have an indefinite lifetime, persisting for an admin-configured interval or until explicitly revoked by the end-user. The client application can store the refresh token, using it to periodically obtain fresh access tokens, but should be careful to protect it against unauthorized access, since, like a password, it can be repeatedly used to gain access to the resource server.
Since refresh tokens may expire or be revoked by the user outside the control of the client application, the client must handle failure to obtain an access token, typically by replaying the protocol from the start.
You have to update your session settings. Below is from the Salesforce doc:

Keep in mind the following considerations when using the refresh token OAuth process:
The session timeout for an access token can be configured in Salesforce from Setup by clicking Security Controls | Session Settings.


Vaughan Coder 6
@BalajiRanganathan I believe Mario Lim is talking about refresh tokens expiring, whereas your documentation is talking about the access token expiration.
Rameshvar Dayal 48
sfdx force:auth:web:login -d -a <alias> -r [<https://test.salesforce.com>,<https://login.salesforce.com>]
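
The failure handling that the documentation quoted in the question calls for (treat `invalid_grant` as a dead refresh token, discard it, and replay the authorization flow), as an added example that is not part of the thread or Salesforce's own code. The function names, the injected `post` helper and the sample values are assumptions; the stubbed error body is modelled on the message in the question.

```javascript
// Added example. Helper names and sample values are constructed.
const TOKEN_PATH = '/services/oauth2/token';

// Form body for a refresh_token grant; client_secret is sent only if configured.
function buildRefreshRequest(clientId, clientSecret, refreshToken) {
  const form = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  });
  if (clientSecret) form.append('client_secret', clientSecret);
  return form.toString();
}

// Map a token endpoint response to the action the client should take.
function classifyTokenResponse(status, body) {
  if (status === 200 && body && body.access_token) {
    return { action: 'use_token', accessToken: body.access_token };
  }
  if (body && body.error === 'invalid_grant') {
    // Refresh token expired or revoked: retrying cannot succeed.
    return { action: 'reauthorize', discardRefreshToken: true };
  }
  if (status >= 500 || status === 429) return { action: 'retry_later' };
  return { action: 'fail', error: (body && body.error) || 'unknown' };
}

// `post(url, formBody)` is an injected HTTP helper resolving to { status, body }.
async function refreshAccessToken(post, instanceUrl, creds, store) {
  const form = buildRefreshRequest(creds.clientId, creds.clientSecret, store.refreshToken);
  const { status, body } = await post(instanceUrl + TOKEN_PATH, form);
  const result = classifyTokenResponse(status, body);
  if (result.action === 'use_token') store.accessToken = result.accessToken;
  if (result.discardRefreshToken) {
    // Drop both tokens so a dead credential is never retried or kept in storage.
    store.accessToken = null;
    store.refreshToken = null;
  }
  return result;
}

// Constructed stub reproducing the error from the question; no network access.
const stubPost = async () => ({
  status: 400,
  body: { error: 'invalid_grant', error_description: 'expired access/refresh token' },
});
const demoStore = { accessToken: 'old-access', refreshToken: 'old-refresh' };
refreshAccessToken(stubPost, 'https://login.salesforce.com', { clientId: 'constructed-client-id' }, demoStore)
  .then((res) => console.log(res.action, demoStore));
```

A `reauthorize` result means the user has to go through the authorization flow again; log the error code, never the token values.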