OAuth Maximum 4 or 5 refresh tokens per connected app? - Answers - Salesforce Trailblazer Community
Trailblazer Community
Ask Search:
Jim ChimJim Chim 

OAuth Maximum 4 or 5 refresh tokens per connected app?


I have been hitting a problem where the refresh token obtained through OAuth2 web server flow is expiring without manual revoke. After some digging I believe it is caused by the limitation of 5 access token for each application (Link: https://help.salesforce.com/apex/HTViewHelpDoc?id=remoteaccess_request_manage.htm).

Now according to the above doc, I assume I should be able to get 5 pairs of Refresh & access tokens before Salesforce revoking them. However my testing showed that I can only obtain 4 pairs of Refresh & acess tokens. On my 5th request, the oldest refresh token will be revoked.

So, is this something expected or not? How many refresh tokens I can have for a connected app, 4 or 5? And is there any way to raise this 5 access tokens per application limiation?

Pritam ShekhawatPritam Shekhawat
Hello Jim,
              I'm pretty sure the limit for concurrent sessions is 5 per user. 1 web session + 4 active OAuth tokens would put you at the limit. For more information follow cilck here http://salesforce.stackexchange.com/questions/65590/what-causes-a-connected-apps-refresh-token-to-expire

Pritam Shekhawat
Sumit KawSumit Kaw
Can you provide more insights into the use case and is it possible to keep the token alive for a longer duration rather than expiring it immediately? 
Sharif ShaalanSharif Shaalan
You should post this question to the developer boards as well, the users there focus on code so you may get quicker answers as well as a wider variety of options.   

Jim ChimJim Chim

I run my test with an account that is not log into Salesforce web. But still I can only have 4 refresh & access token pair.

No, I cannot keep the refresh token alive longer. It is Salesforce revoking my refresh token.
And my use case is that my user will use the same Salesforce account to authorize my app running on mulitple machines, so that my app have access to user's data on Salesforce.

Sumit KawSumit Kaw
Salesforce would work as per your preferences. If you want to keep token alive for longer, You can have a look a look at the below configuration. go to your connected App - > Manage - > Change the Oauth Policies.

Even if there are separate applications and you are using same creds, every application would get its separate Session Id and can work individually.

User-added image
Jim ChimJim Chim

Thanks. This is exactly my connected app settings. However my problem is that if I use the same account to OAuth for the same connected app on different machines, I found that I can concurrently log in at a maximum of 4 machines. Logging in on the 5th machine, I found that Salesforce would revoke my refresh token on the first machine, which I think the settings you posted have no control on this behavior.
Priyanka pawarPriyanka pawar
HI I am facing the same issue.Is there any work aroung Since the log in user is always going to be the same e.g Integration user.