Tokens

As part of both authentication flows, you work with access tokens and refresh tokens.

Using Access Tokens

To make a successful Connect REST API request, you must include a valid access token in the request. Use the HTTP Authorization header:

  Authorization: OAuth <access token>

If the request yields an error response due to an expired token, the refresh token can be used to get a new access token. The session timeout value in Setup governs the expiration of access tokens. To change the timeout value, from Setup, enter Session Settings in the Quick Find box, and then select Session Settings.

If the request yields an error because an access token has been revoked, the client application must be re-authorized by the user in order to gain access.

Using Refresh Tokens

If the client application has a refresh token, it can use it to send a request for a new access token.

To ask for a new access token, the client application sends a POST request to https://login.instance_name/services/oauth2/token with the following query parameters.

Parameters      Description
grant_type      Value must be refresh_token for this flow.
refresh_token   The refresh token the client application already received.
client_id       Consumer key from the connected app definition.

You can also include the following optional parameters.

Parameters      Description
client_secret   Consumer secret from the connected app definition.
format          Expected return format. The default is json. Values are:
                  • urlencoded
                  • json
                  • xml

If this request is successful, the server returns a payload holding the access_token.

The following additional parameters are also returned; however, they aren't used with this flow and Connect REST API.

  • instance_url
  • id
  • signature
  • issued_at