Salesforce OAuth refresh token invalid_grant — What it means & how to fix it
Blog post from Nango
Salesforce API users often encounter the "invalid_grant" OAuth error, particularly when dealing with expired or revoked access or refresh tokens. Common causes include exceeding the access token limit per user, specific OAuth policy settings like "Immediately expire refresh token," user password changes, or user deactivation. To resolve these errors, users need to re-authenticate: all of them are permanent and can only be fixed by obtaining a new access and refresh token pair. Best practices to prevent these issues include configuring appropriate token policies, scheduling regular token refreshes, discarding stale access tokens, and monitoring for spikes in "invalid_grant" errors. Tools like Nango can simplify managing the Salesforce OAuth token lifecycle by handling token refreshes, supporting rotated refresh tokens, and providing real-time webhooks for revoked tokens, allowing developers to focus on building product features without the headache of token management.
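The handling described above, sketched as an added example (not code from the Nango post or from Nango itself): a refresh-response handler that treats "invalid_grant" as permanent, discards stale tokens, accepts a rotated refresh token, and counts failures so a spike can be alerted on. The Connection and RefreshMonitor types, the window and threshold values, and the sample responses are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Connection:                      # hypothetical per-user token record
    access_token: Optional[str]
    refresh_token: Optional[str]
    needs_reauth: bool = False

@dataclass
class RefreshMonitor:                  # hypothetical sliding-window counter
    window_s: int = 300                # assumed window, tune per deployment
    threshold: int = 2                 # assumed alert threshold
    events: list = field(default_factory=list)

    def record(self, now: float) -> None:
        self.events.append(now)

    def spiking(self, now: float) -> bool:
        # Keep only failures inside the window, then compare to the threshold.
        self.events = [t for t in self.events if now - t < self.window_s]
        return len(self.events) >= self.threshold

def handle_refresh_response(conn, status, body, monitor, now):
    """Apply one parsed token-endpoint response to conn; return the action."""
    if status == 200 and "access_token" in body:
        conn.access_token = body["access_token"]   # replace the stale token
        # With rotation enabled the response carries a new refresh token.
        conn.refresh_token = body.get("refresh_token", conn.refresh_token)
        return "refreshed"
    if body.get("error") == "invalid_grant":
        # Permanent: a retry cannot succeed. Drop both tokens, flag for re-auth.
        conn.access_token = conn.refresh_token = None
        conn.needs_reauth = True
        monitor.record(now)
        return "reauth"
    return "retry"                     # other failures are treated as transient

if __name__ == "__main__":
    mon = RefreshMonitor()
    # Constructed sample responses, not captured traffic.
    samples = [
        (200, {"access_token": "at-2", "refresh_token": "rt-2"}),
        (400, {"error": "invalid_grant",
               "error_description": "expired access/refresh token"}),
        (503, {}),
    ]
    for i, (status, body) in enumerate(samples):
        c = Connection("at-1", "rt-1")
        print(handle_refresh_response(c, status, body, mon, now=float(i)), c)
```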