OAuth 2.0 Refresh Token Flow

After a client—via a connected app—receives an access token, it can use a refresh token to get a new session when its current session expires. The connected app’s session timeout value determines when an access token is no longer valid and when to apply for a new one using a refresh token.

The refresh token flow involves the following steps.

  1. The connected app uses the existing refresh token to request a new access token.
  2. After verifying the request, Salesforce grants a new access token to the client.

Mobile SDK apps can use the SmartStore feature to store data locally for offline use. SmartStore data is inherently volatile. Its lifespan is tied to the authenticated user as well as to OAuth token states. When the user logs out of the app, SmartStore deletes all soup data associated with that user. Similarly, when the OAuth refresh token is revoked or expires, the user’s app state is reset, and all data in SmartStore is purged. Carefully consider the volatility of SmartStore data when designing your app. This warning is especially important if your org sets a short lifetime for the refresh token.

Note

We've Moved

Welcome to the new home of the Mobile SDK Developer Guide! For now, the Japanese guide can be found in PDF form.

Introduction to Mobile Development
Introduction to Salesforce Mobile SDK Development
What’s New in Mobile SDK 13.1
Getting Started With Mobile SDK 13.1 for iOS and Android
Updating Mobile SDK Apps (5.0 and Later)
Native iOS Development
Native Android Development
HTML5 and Hybrid Development
React Native Development
Offline Management
Files and Networking
Push Notifications and Mobile SDK
Configure WebSockets
Authentication, Security, and Identity in Mobile Apps
OAuth Terminology
OAuth 2.0 Authentication Flow
OAuth 2.0 Web Server Flow
OAuth 2.0 User-Agent Flow
OAuth 2.0 Refresh Token Flow
Mobile SDK Login and Authentication Flow—Detailed Look
Scope Parameter Values
Using Identity URLs
Setting Custom Login Servers in Android Apps
Setting Custom Login Servers in iOS Apps
Revoking OAuth Tokens
Refresh Token Revocation in Android Native Apps
Connected Apps
Native Login for Experience Cloud
Portal Authentication Using OAuth 2.0 and Salesforce Sites
QR Code Login with Single Access UI Bridge API
Using MDM with Salesforce Mobile SDK Apps
Using Advanced Authentication
Upgrading Android Single Sign-On Apps to Google Login Requirements
Using OpenID Tokens to Access External Services
Secure Key Storage in iOS
Secure Key Storage in Android
Login Screen Customization
Identity Provider Apps
REST Wrappers for SFAP APIs
Using Key-Value Stores for Secure Data Storage
Dark Mode and Dark Theme Settings
Using Experience Cloud Sites With Mobile SDK Apps
Multi-User Support in Mobile SDK
Mobile SDK Tools for Developers
Logging and Analytics
Migrating from the Previous Release
Reference
Deprecations and Removed APIs