oauth-token-management
Use when work depends on how Salesforce OAuth access and refresh tokens are issued, refreshed, rotated, revoked, or introspected for a Connected App or API client—including unexpected logouts, invalid_grant after refresh, or designing token incident response. NOT for choosing which OAuth grant or Connected App flow to implement (use integration/oauth-flows-and-connected-apps), Named Credential packaging (use integration/named-credentials-setup), or broad Connected App IP and PKCE policy hardening without a token-lifecycle angle (use security/connected-app-security-policies).
Best use case
oauth-token-management is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when work depends on how Salesforce OAuth access and refresh tokens are issued, refreshed, rotated, revoked, or introspected for a Connected App or API client—including unexpected logouts, invalid_grant after refresh, or designing token incident response. NOT for choosing which OAuth grant or Connected App flow to implement (use integration/oauth-flows-and-connected-apps), Named Credential packaging (use integration/named-credentials-setup), or broad Connected App IP and PKCE policy hardening without a token-lifecycle angle (use security/connected-app-security-policies).
Teams using oauth-token-management should expect a more consistent output, faster repeated execution, less prompt rewriting, better workflow continuity with your supporting tools.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
- You already have the supporting tools or dependencies needed by this skill.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/oauth-token-management/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How oauth-token-management Compares
| Feature / Agent | oauth-token-management | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when work depends on how Salesforce OAuth access and refresh tokens are issued, refreshed, rotated, revoked, or introspected for a Connected App or API client—including unexpected logouts, invalid_grant after refresh, or designing token incident response. NOT for choosing which OAuth grant or Connected App flow to implement (use integration/oauth-flows-and-connected-apps), Named Credential packaging (use integration/named-credentials-setup), or broad Connected App IP and PKCE policy hardening without a token-lifecycle angle (use security/connected-app-security-policies).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# OAuth Token Management Use this skill when the hard part is no longer “getting OAuth to work once,” but keeping tokens correct over time: refresh failures, security incidents, policy tightening, or explaining why one revocation action behaved differently than another. Salesforce ties access token lifetime to Connected App and org session settings, models refresh tokens under Connected App OAuth policies, and exposes programmatic revocation and (where licensed) introspection endpoints. Misunderstanding any of those layers produces flaky integrations, false “random” logouts, and incomplete incident cleanup. --- ## Before Starting Gather this context before working on anything in this domain: - **Which tokens exist:** access token only (some server-to-server grants), or access plus refresh (offline-style integrations). - **Where policies are set:** the specific Connected App’s OAuth settings, org-wide Session Settings, and any login policies that force re-authentication. - **What changed recently:** refresh token policy edits, session timeout reductions, user password or MFA resets, IP relaxations, or secret rotation—each can surface as `invalid_grant` or `401` on the next refresh or API call. --- ## Core Concepts ### Access token lifetime is the tighter of two clocks An OAuth access token’s usable lifetime is bounded by the **Connected App session timeout** and the **org session timeout** from Setup session settings. The effective value is the **minimum** of the two, within the platform-supported range described in Salesforce Help for Connected App session policies. Treat documentation as authoritative when quoting exact bounds; do not assume a fixed two-hour lifetime in every org. ### Refresh tokens are a separate credential with their own policy When the client requests offline access (`refresh_token` / `offline_access` scopes as applicable), Salesforce issues a refresh token subject to the Connected App **refresh token policy** (for example immediate expiry, fixed lifetime, or valid-until-revoked). That policy determines how often users or headless processes must re-run the interactive or initial grant—not the access token TTL alone. ### Revocation is target-specific: access token vs refresh token Calling the OAuth **revoke** endpoint with an access token ends the session represented by that token. Revoking a **refresh token** invalidates the refresh credential and, per Salesforce documentation for token revocation, also invalidates outstanding access tokens issued under that OAuth grant for that user and Connected App combination. Teams that only revoke access tokens during an incident can leave long-lived refresh paths active if they do not also address refresh credentials. ### Refresh token rotation hardens replay of stolen refresh tokens Salesforce documents **refresh token rotation** (see release notes for your edition) so that a consumed refresh token cannot be replayed: the authorization server returns a new refresh token alongside the new access token, and the client must persist the latest refresh secret. Clients that ignore the newly issued refresh token appear “randomly” broken after the first rotation event. --- ## Common Patterns ### Pattern: Incident response—remove stolen credentials cleanly **When to use:** A client secret, refresh token, or integration user credential may have leaked. **How it works:** Rotate or revoke the compromised artifact using the revoke endpoint or Setup actions documented for your scenario; force affected users or the integration user through a controlled re-authorization if refresh tokens were revoked; verify no long-lived `valid until revoked` refresh tokens remain where policy now requires shorter exposure. **Why not the alternative:** Rotating only the access token while leaving a compromised refresh token in the wild leaves a silent re-entry path for an attacker. ### Pattern: Long-running jobs that must survive access token expiry **When to use:** Batch or middleware holds an access token for longer than the effective session timeout. **How it works:** Obtain refresh-capable scopes only when appropriate, persist the latest refresh token when rotation is enabled, refresh before expiry, and keep the Connected App refresh policy aligned with operational reality (immediate expiry is rarely compatible with unattended jobs). **Why not the alternative:** Extending Connected App session timeout to “avoid refresh logic” widens the blast radius of a single stolen access token. --- ## Decision Guidance | Situation | Recommended approach | Reason | |-----------|----------------------|--------| | User reports “logged out of integration everywhere” after admin revoked OAuth | Confirm whether refresh token was revoked; if yes, expect full re-consent or re-login | Refresh revocation invalidates dependent access tokens for that grant | | `invalid_grant` right after policy change | Compare old vs new refresh token policy and session timeouts | Stricter policy often invalidates existing refresh tokens | | Need to verify a token before a sensitive server action | Use documented **token introspection** where available and permitted | Avoid home-grown “call `/limits` as a ping” checks that do not reflect token state semantics | | Headless integration should never hold a refresh token | Prefer JWT bearer or another flow that matches the trust model | Fewer long-lived bearer artifacts to protect | --- ## Recommended Workflow 1. **Confirm the token path:** Identify grant type, scopes, and whether refresh tokens are in play for this Connected App. 2. **Read effective timeouts:** Inspect Connected App OAuth session policy and org Session Settings; record the implied access token lifetime behavior from official Help rather than guessing. 3. **Reproduce the failure class:** Distinguish HTTP 401 from Salesforce API, `invalid_grant` from the token endpoint, and UI-driven re-authentication prompts—each maps to different fixes. 4. **Choose the smallest revocation surface:** Decide whether to revoke access only, refresh only, or reset the entire grant; document impact on parallel sessions. 5. **Update clients for rotation:** If rotation is enabled, verify the client persists the newest refresh token on every refresh response before closing the incident. 6. **Validate in a lower environment:** Re-run the integration’s token lifecycle (issue, refresh, API call, revoke) against a sandbox copy of policies. --- ## Review Checklist - [ ] Connected App refresh token policy matches the integration’s unattended vs interactive needs. - [ ] Access token lifetime assumptions are aligned with org + Connected App session settings. - [ ] Incident or rotation playbooks state whether refresh tokens are rotated or revoked, not only access tokens. - [ ] Clients handle `invalid_grant` by re-establishing the grant rather than infinite blind retries. - [ ] Any use of introspection or revoke endpoints follows current OAuth endpoint documentation (HTTPS, correct token type parameters). --- ## Salesforce-Specific Gotchas 1. **Tighter session wins** — A conservative org-wide session timeout caps a permissive Connected App timeout; debugging “why is my token short” requires both settings. 2. **Policy changes invalidate existing refresh tokens** — Moving from long-lived to stricter refresh behavior can invalidate outstanding refresh tokens immediately; plan maintenance windows. 3. **Rotation requires client discipline** — Enabling rotation without updating middleware to store the new refresh token fails at the next refresh in ways that look like Salesforce “instability.” --- ## Output Artifacts | Artifact | Description | |----------|-------------| | Token lifecycle diagram | Who holds access vs refresh, when each expires, and what revocation clears | | Runbook snippet | Ordered steps for revoke, re-auth, and verification queries after an incident | | Policy audit table | Connected App refresh policy, session timeout, and org session row for each integration | --- ## Related Skills - **integration/oauth-flows-and-connected-apps** — Selecting and implementing the correct grant and Connected App model up front. - **security/connected-app-security-policies** — IP relaxation, PKCE, high assurance, and consumer secret rotation patterns around the app shell. - **security/session-management-and-timeout** — Org-wide session and login behavior that interacts with OAuth access token lifetime. - **security/api-security-and-rate-limiting** — Scope minimization and API consumption patterns once valid tokens exist.
Related Skills
session-management-and-timeout
Use this skill when configuring session timeout values, concurrent session limits, session IP locking, or logout behavior in Salesforce. Covers org-wide session settings, profile-level overrides, Connected App session policies, and Metadata API SecuritySettings deployment. NOT for OAuth token refresh flows, login IP ranges, or MFA/identity-provider configuration.
oauth-redirect-and-domain-strategy
Design Connected App OAuth callback URLs, My Domain naming, Enhanced Domains cutover, and cross-environment redirect handling. Trigger keywords: oauth redirect uri, connected app callback, my domain, enhanced domains, sandbox url change, oauth login host. Does NOT cover: end-user login flow UX, Experience Cloud branding, or SAML-only SSO configuration.
certificate-and-key-management
Use this skill when creating, uploading, or rotating certificates in Salesforce, configuring mutual TLS (mTLS) client authentication, managing the Java KeyStore for CA-signed certificates, diagnosing certificate expiry in JWT OAuth flows, or understanding which certificate types Salesforce supports and how to migrate them between orgs. NOT for Named Credential configuration (use named-credentials-setup skill), NOT for Shield Platform Encryption key management. Trigger keywords: Certificate and Key Management, self-signed certificate, CA-signed certificate, mutual TLS, mTLS, keystore, JKS, PKCS12, certificate rotation, certificate expiry, JWT certificate.
flexcard-state-management
Use when designing FlexCard actions, conditional visibility, and state that must survive navigation, refresh, or parent/child card transitions. Triggers: 'flexcard state', 'flexcard conditional visibility', 'flexcard actions', 'flexcard refresh', 'child flexcard state'. NOT for raw LWC state or for OmniScript step state.
lwc-state-management
Share state across LWCs using pub/sub, Lightning Message Service, @wire, and reactive stores. NOT for in-component reactivity.
lwc-focus-management
Use when building LWCs that need to manage focus explicitly — modal dialogs, wizard flows, dynamic inserts, list updates, error summaries, and focus after async work. Covers focus restoration, focus traps, programmatic focus across shadow DOM, and patterns for announcing changes to assistive tech. Does NOT cover general LWC a11y audit (see lwc-accessibility).
revenue-lifecycle-management
Use this skill when implementing or troubleshooting Salesforce Revenue Lifecycle Management (RLM) — the native Revenue Cloud product covering order-to-cash lifecycle, Dynamic Revenue Orchestrator (DRO) fulfillment plan design, asset amendments, billing schedule creation via Connect API, and invoice management. Triggers on: Dynamic Revenue Orchestrator, RLM order decomposition, DRO fulfillment swimlanes, native Revenue Cloud billing schedule, asset lifecycle management Salesforce. NOT for CPQ quoting or pricing rules (use cpq-* skills), not for the legacy Salesforce Billing managed package with blng__* objects (different product entirely), not for standard Order objects without Revenue Cloud features.
oauth-flows-and-connected-apps
Use when choosing or reviewing Salesforce OAuth flows and connected-app policy for integrations, including client credentials, JWT bearer, authorization code, device flow, scopes, and token lifecycle controls. Triggers: 'OAuth flow', 'connected app', 'client credentials', 'JWT bearer', 'refresh token', 'integration user'. NOT for record-level sharing design or for simple Named Credential usage when the auth-flow decision is already settled.
loyalty-management-setup
Use this skill when setting up or extending Salesforce Loyalty Management — including program and currency creation, tier group design, qualifying vs. non-qualifying point currency separation, DPE batch job activation, partner loyalty configuration, and member portal setup on Experience Cloud. Triggers on: Loyalty Management setup, loyalty tier setup Salesforce, qualifying points vs redemption points, DPE batch job for loyalty, partner loyalty program Salesforce, loyalty member portal. NOT for Marketing Cloud engagement program design (separate product), not for B2B loyalty via Sales Cloud (standard opportunity, not loyalty program), not for general Experience Cloud site setup (use experience-cloud-setup skill).
scratch-org-management
Use this skill when designing, configuring, or troubleshooting scratch orgs: definition file structure, edition selection, allocation limits, Org Shape, CI automation via ScratchOrgInfo, and lifecycle management from the Dev Hub. NOT for SFDX CLI basics (use sf-cli-and-sfdx-essentials), sandbox management, or production org administration.
release-management
Use when planning, coordinating, or governing Salesforce releases: version numbering, rollback strategy, release notes, go/no-go criteria, release calendar, and sandbox preview alignment. NOT for deployment mechanics (use devops/post-deployment-validation or devops/change-set-deployment).
pipeline-secrets-management
Store and inject Salesforce auth URLs, JWT keys, and API credentials into CI without leaking them. NOT for runtime secrets in Apex.