How to Fix Salesforce OAuth Token Refresh Failures
Step-by-step fix guide with AI-powered diagnosis from BuildForce.
Salesforce OAuth refresh token failures occur when: the session timeout policy for a connected app is set too short, the 'Refresh token is valid until revoked' policy is not configured, the user who originally authorized the connected app is deactivated, or the connected app's IP relaxation policy forces re-authentication when called from a server IP. The fix requires checking the connected app's OAuth policies and ensuring the refresh token policy matches your integration's requirements.
Symptoms
Integration logs showing INVALID_SESSION_ID errors at regular intervals
Integrations working intermittently — failing then recovering after re-authentication
Scheduled jobs failing with 'Authentication failure' after running successfully for weeks
Connected apps requiring manual re-authentication every few hours or days
Bulk sync jobs starting then stopping mid-run with session errors
Root Causes
Connected app session timeout too short
By default, Salesforce connected apps inherit the org's session timeout (typically 2 hours). For server-to-server integrations, this means the access token expires every 2 hours and must be refreshed. If the refresh token is also limited, the integration breaks entirely.
Refresh token policy not set to 'until revoked'
The default connected app policy expires refresh tokens after a set period. For long-running integrations, the policy must be set to 'Refresh token is valid until revoked' to prevent periodic authentication failures.
Authorizing user deactivated
When the Salesforce user who authorized an integration is deactivated, all tokens issued to that user are immediately revoked. Integrations stop working with no warning.
IP relaxation policy forcing re-auth
If the connected app's IP relaxation is set to 'Enforce IP restrictions' and your integration server's IP isn't in the org's trusted IP ranges, every access attempt triggers a re-authentication challenge.
How to Fix It — Step by Step
Check the connected app OAuth policy
In Setup → App Manager, find your connected app and click Edit. Under OAuth Policies, set 'Refresh Token Policy' to 'Refresh token is valid until revoked'. Set 'Session Timeout' to the longest available option or 'None'.
Set IP relaxation to 'Relax IP restrictions'
In the same OAuth Policies section, set 'IP Relaxation' to 'Relax IP restrictions'. This is required for server-to-server integrations where the calling server's IP isn't in Salesforce's trusted IP list.
Verify the authorizing user is active
Check whether the Salesforce user who originally authorized the integration is still active. In Setup → Users, search for the integration user account. If deactivated, reactivate it or re-authorize using an active user.
SELECT Id, Name, IsActive, LastLoginDate FROM User WHERE Id = '[integration_user_id]'
Re-authorize the connected app
After updating OAuth policies, revoke existing tokens and re-authorize the integration. In your integration platform, remove the Salesforce connection and re-authenticate. The new tokens will have the updated expiration policy.
Implement proactive token refresh
Configure your integration to proactively refresh access tokens every 90 minutes rather than waiting for a 401 response. This prevents mid-run authentication failures in long-running jobs.
POST https://login.salesforce.com/services/oauth2/token
grant_type=refresh_token
&client_id={consumer_key}
&client_secret={consumer_secret}
&refresh_token={refresh_token}
Set up token health monitoring
Use BuildForce's token lifecycle monitoring to track all connected app token expiry dates and receive alerts 48 hours before tokens are scheduled to expire or be revoked.
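An added example, not part of the original guide or BuildForce's code: a minimal Python token manager for the 'Implement proactive token refresh' step. It refreshes once the cached token is 90 minutes old and treats an invalid_grant response (revoked refresh token or deactivated authorizing user) as a re-authorization event instead of retrying. TokenManager, ReauthorizationRequired and the injectable post/clock parameters are hypothetical names chosen for this sketch.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"  # endpoint from the step above
REFRESH_INTERVAL = 90 * 60  # seconds: the 90-minute proactive interval

class ReauthorizationRequired(Exception):
    """Refresh token rejected; retrying cannot help, the app must be re-authorized."""

def http_post(url, form):
    """Default transport: form-encoded POST returning (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # OAuth errors come back as 4xx with a JSON body
        try:
            return err.code, json.loads(err.read())
        except ValueError:  # non-JSON error page (proxy, outage)
            return err.code, {}

class TokenManager:
    def __init__(self, client_id, client_secret, refresh_token, post=http_post, clock=time.time):
        self._form = {"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret, "refresh_token": refresh_token}
        self._post, self._clock = post, clock
        self._token, self._refreshed_at = None, 0.0

    def access_token(self):
        """Return the cached token, refreshing first if it is missing or 90+ minutes old."""
        if self._token is None or self._clock() - self._refreshed_at >= REFRESH_INTERVAL:
            self.refresh()
        return self._token

    def refresh(self):
        status, body = self._post(TOKEN_URL, self._form)
        if status == 200 and "access_token" in body:
            self._token, self._refreshed_at = body["access_token"], self._clock()
            return
        if body.get("error") == "invalid_grant":
            self._token = None  # tokens for this grant are gone; stop using the cached one
            raise ReauthorizationRequired(body.get("error_description", "invalid_grant"))
        # Report only status and error code: the form holds the client secret and refresh token.
        raise RuntimeError(f"token refresh failed: HTTP {status} {body.get('error')}")
```

Call access_token() before each API request in a long-running job, and route ReauthorizationRequired to an alert rather than a retry loop.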