OAuth Access Token Expiration

Sessions expire based on your organization's policy for sessions. Basically, as long as the app is in active use, the session won't expire. Once the session is logged out, the timeout has elapsed, or it is otherwise expired (e.g. an administrator expires all sessions for the Connected App), it is no longer valid.

There's no way to know how long it will be until your session expires. It's not exactly "trial and error"; it is simply a normal process. Even if you were told that your session expired in two hours, it might not last two hours if an administrator revokes the session, the session remains in use, etc.

If you use refresh tokens, your code should first try the regular API call, and if you get a 4xx result, try using the refresh token to get a new session token, and if that fails, then you've been kicked out, and the user needs to re-authenticate to continue. If you don't use refresh tokens, you can skip the middle step, obviously.


There's an introspection endpoint that's been introduced recently, which allows you to ask for info about a refresh token or access token.

OpenID Connect Token Introspection Endpoint

More details here at Salesforce

The following is a sample request to the token introspection endpoint:

POST /services/oauth2/introspect HTTP/1.1
Host: myorg.salesforce.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&client_secret=1955279925675241571

token=00DR00000009GVP!ARQAQE5XuPV7J4GoOu3wvLZjZI_TxoBpeZpRb6d8AVdII6cz_BY_uu1PKxGeAjkSvO0LpWoL_qfbQWKlXoz1f2ICNiy.6Ndr&token_type_hint=access_token

And here's a sample response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "active": true,
  "scope": "id api web full refresh_token openid",
  "client_id": "OAuthSp",
  "username": "[email protected]",
  "sub": "https://login.salesforce.com:6109/id/00Dxx0000001gEREAY/005xx000001Sv6AAAS",
  "token_type": "access_token",
  "exp": 1528502109,
  "iat": 1528494909,
  "nbf": 1528494909
}
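As an added example (not code from either answer or from Salesforce), here is the call-then-refresh-then-reauthenticate flow the first answer describes, together with a check that turns an introspection response like the one above into "seconds of life left". The names `call_with_refresh`, `seconds_remaining`, `SESSION_DEAD` and the constructed `SAMPLE_INTROSPECTION` are hypothetical; `api_call` and `refresh` are callbacks you wrap around your real HTTP client.

```python
from typing import Callable, Dict, Optional, Tuple

# Constructed introspection payload shaped like the sample response above (no real tokens).
SAMPLE_INTROSPECTION: Dict = {"active": True, "token_type": "access_token",
                              "exp": 1528502109, "iat": 1528494909, "nbf": 1528494909}

# Statuses taken to mean "the session is gone". Salesforce answers an expired or revoked
# session with HTTP 401; the first answer treats any 4xx that way, so widen this set if you prefer.
SESSION_DEAD = {401}


class ReauthRequired(Exception):
    """Both the access token and the refresh token were rejected: the user must log in again."""


def seconds_remaining(introspection: Dict, now: int) -> int:
    """Seconds of life left according to an introspection response, 0 if none.
    'active' is checked first: an administrator can revoke the session, which makes the
    token inactive even though 'exp' still lies in the future."""
    if not introspection.get("active") or "exp" not in introspection:
        return 0
    return max(0, int(introspection["exp"]) - now)


def call_with_refresh(api_call: Callable[[str], Tuple[int, object]],
                      refresh: Callable[[str], Optional[str]],
                      access_token: str, refresh_token: Optional[str] = None) -> Tuple[object, str]:
    """Try the call; on a dead session use the refresh token once; otherwise give up.
    api_call(token) -> (http_status, body); refresh(refresh_token) -> new access token or None.
    Returns (body, token_that_worked) so the caller can persist a renewed token."""
    status, body = api_call(access_token)
    if status not in SESSION_DEAD:
        if 200 <= status < 300:
            return body, access_token
        raise RuntimeError(f"HTTP {status}: not a session problem, so no refresh attempted")
    if refresh_token is None:
        raise ReauthRequired("session expired and no refresh token available")
    new_token = refresh(refresh_token)
    if new_token is None:
        raise ReauthRequired("refresh token rejected (revoked or expired)")
    status, body = api_call(new_token)
    if 200 <= status < 300:
        return body, new_token
    raise ReauthRequired(f"still failing after refresh: HTTP {status}")
```

Because `exp` in the sample is exactly two hours after `iat`, `seconds_remaining(SAMPLE_INTROSPECTION, 1528494909)` gives 7200, but a later introspection returning `"active": false` gives 0 regardless of `exp`.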
