
Session expired or invalid immediately after successful OAuth login

Hey everyone,


I'm working on an application, and I got the OAuth2 workflow working right away, but I've been struggling with making requests afterward.


I get the access_token and instance_url back, and when I make a call like this:



curl -v https://__instance_id__ (na7).salesforce.com/services/data/v20.0/ -H "Authorization: OAuth access_token_from_earlier"


the server responds with a 401 with the following body:

[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]


I've scoured the forum for solutions already, and made sure that I have API access turned on, signed up for the REST API through the developer preview form, but am still having errors all over the place.


Any help would be greatly appreciated.




What's your access token look like?  You should mess up at least one of the characters so you're not posting a usable access token here (wouldn't want anybody to steal your org).


here's my token (a few chars off, for reasons you've described):




Looks like you escaped the ! sign into %21.  Don't do that.  Try replacing %21 with ! and send it again (you may have to escape the ! in your shell).


Still getting the same error with this curl call:


curl -v https://na7.salesforce.com/services/data/v20.0/ -H "Authorization: OAuth 00DA0000000A5PO\\!AR8AQDhmqnLeeN6EFBl2uVFBOp.iBJPA1l3k8xptxcABMPjZZasNES_ynyJ3i3iv9meJjWKMBz0QskG0jvq8Xo4Q3BC.OvHU"
Thanks for the help :)



Can you PM me your actual token you're getting?  I work for salesforce.  I promise not to do anything bad. :)


The escaping and quoting will drive you nuts. IIRC, use single quotes and don't escape anything in the sid, or stick it in an env variable and reference that (which is what I normally do).


I am still facing the same problem. I am using curl on windows. What could be the problem? Appreciate your help.




I figured out the problem. http://boards.developerforce.com/t5/forums/forumtopicprintpage/board-id/integration/message-id/221/print-single-message/false/page/1 had the solution.


Note from Pat Patterson provided the solution I was looking for. The salesforce instance should be the instance_url you got along with access_token (something like na3.salesforce.com, not login.salesforce.com). Thanks Pat



Aboorvaraja Ramar

I faced a similar issue. We are passing ConsumerKey, ConsumerSecret, username and password.

It was working fine initially. After 3 months we faced the sessionid issue. We tried and spent around 1 month to resolve it.

Solution for this issue:

Concatenate the security token with your existing password. Security token will be created for a user.

Sample: passwordsecuritytoken

We tried this option and it worked successfully.
Paul Oginni 2
I faced the same problem.

I was using the API to obtain a token, and I started getting the same error message after a while. I still haven't figured out what caused it, but I'm using a workaround for now.

I tried Aboorvaraja Ramar's solution, but that did not fix it for me.
Amit Ghodke 4
What was the workaround? API access is enabled for the profile. 
Ayisha Begum
I had to switch on "Follow Authorization header" in Postman under "Settings" for the REST endpoints to work. I was using a Bearer Token generated through OAuth.

I think there is some sort of redirect happening during the request during which the token is lost if you do not choose this option.

Fermin Esquivel
Hi @Ayisha, your response was helpful for me :)
Jill Hertzman 17
@Ayisha Begum, thank you. That did it for me.
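
An added example, not written by any poster in this thread: a Python pre-flight check for three causes of INVALID_SESSION_ID raised above (a token with `!` percent-encoded as `%21`, shell escaping left inside the token, and a request sent to a host other than the one in `instance_url`). The function name, finding codes and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Header schemes that appear in this thread.
KNOWN_SCHEMES = {"OAuth", "Bearer"}


def check_request(instance_url: str, request_url: str, authorization: str) -> list:
    """Return finding codes for a planned REST call; an empty list means no issue found.

    instance_url:  value returned alongside access_token
    request_url:   URL the client is about to call
    authorization: full Authorization header value, e.g. "OAuth <token>"
    """
    findings = []
    scheme, _, token = authorization.partition(" ")
    if scheme not in KNOWN_SCHEMES or not token:
        findings.append("bad-header")

    # '!' sent as %21: the header must carry the decoded token.
    if unquote(token) != token:
        findings.append("percent-encoded")

    # A backslash means shell escaping (such as \! in double quotes) reached the server.
    if "\\" in token:
        findings.append("backslash")

    # The call must go to the instance_url host, not the login host.
    want = urlsplit(instance_url).hostname
    got = urlsplit(request_url).hostname
    if want != got:
        findings.append("host-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed inputs; the token is a placeholder, not a real session id.
    print(check_request(
        "https://na7.salesforce.com",
        "https://login.salesforce.com/services/data/v20.0/",
        "OAuth 00DEXAMPLE%21AQplaceholder",
    ))
```

Running the check on the exact header string the client will send, before the call is made, also keeps the real token out of forum posts and shell history.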