Understanding refresh tokens in Salesforce

Integrating one app with another is a pretty easy process for the average user, but there’s a lot going on behind the scenes you may not know about. For example, both apps usually need to access protected resources and exchange some sort of permissions list so each can access the appropriate information.

Apps give one another the ability to access and talk to each other through tokens. There are different types of tokens, but we’re going to discuss refresh tokens. As an admin of connected apps, you’ll need to learn how tokens work, why refresh tokens are important, and which refresh token policies will best suit your organization’s needs.

Token basics

A token is essentially a list of permissions one app gives to another so they can authorize access to each other and work together successfully. Access tokens — more specifically, refresh tokens — are important because they allow you to easily integrate your apps with Salesforce.

A refresh token essentially gives an app the ability to get a new access token without any input on the user’s part. It works a lot like a password. Refresh tokens also allow you to access an app within Salesforce without having to manually give the app access every time you connect to it. Users can store a refresh token in Salesforce’s ecosystem and use it when they need to obtain access.

Tokens need to speak the same language. Salesforce uses OAuth to issue access tokens. If you’re curious about other types of OAuth tokens, check out this article.

OAuth

OAuth is an open protocol that authorizes a client application to access data from a protected resource through an exchange of tokens. OK, that was a lot of technical jargon, so let’s break that down.

OAuth is a protocol that no specific company owns, and its use isn’t limited to a specific product — so you can basically use it for any app. This means you can use OAuth to allow two different apps to connect and essentially speak the same language.

Because OAuth protocols use tokens to talk and exchange permissions and access, it’s important to make sure your access and refresh tokens are using timeout and access policies that suit your organization’s specific needs. If you want to learn more about OAuth and open protocols in Salesforce, check out Salesforce’s help article on authorizing apps with OAuth.

The importance of refresh tokens for Jotform

Admins can control access to apps by changing their refresh token policies. For example, if an admin wants to end a user’s session because they haven’t used the app in a certain number of days, they can configure their app’s token refresh policies to automatically do just that. Controlling users’ access through tokens helps eliminate unnecessary users, which helps reduce security risks.

Tokens also make it easier for folks to integrate with apps like Jotform. When you give Jotform permission to access your information via a token, you can eliminate almost all data entry and cut down on the mistakes that often occur when entering data manually. It’s a move that can save you a lot of time and money.

With that in mind, let’s talk about how to access your tokens and change your permissions when you need to.

The steps to access your tokens

1. Make sure you’re in Setup Home. Under Platform Tools, click Apps.

2. Click the dropdown menu under Connected Apps, and then click on Connected Apps OAuth Usage.

3. If you haven’t done so already, click Install. 
4. Find the app you’d like to edit and click on the Manage App Policies link next to it.

5.  Next, click the Edit Policies button.

6. Here, you can see your refresh token policies.

7. Scroll to OAuth Policies. From here, you can change your token policies as you see fit. But be careful — changing token policies may lead to permissions issues.

Options for changing your refresh token policies

If you want to change token policies to better fit your organization’s needs, you can easily do that by going through the steps listed above. Here’s a little more information on refresh token policy options in Salesforce:

• Refresh token is valid until revoked: This is the default policy. A refresh token can be used indefinitely, unless the user or a Salesforce admin revokes it. You can revoke tokens on a user’s detail page under OAuth Connected Apps or on the OAuth Connected Apps Usage Setup page.
• Immediately expire refresh token: The refresh token is invalid immediately. The user can use the access token already issued for the current session, but they can’t start a new session.
• Expire refresh token if not used for X amount of time: The refresh token is valid as long as it’s used within the specified amount of time. The expired token can’t generate new sessions. If the refresh token is exchanged within seven days, the token is valid for another seven days. The monitoring period of inactivity also resets.
• Expire refresh token after X amount of time: The refresh token is valid for a fixed amount of time. For example, if the policy states one day, the user can start new sessions for 24 hours only.

If you’re having trouble with access and want to do a hard restart of sorts on your refresh tokens, you can manually refresh your tokens by going through the first four steps above and clicking block and unblock. Blocking an app will end all current user sessions, forcing your user to restart their session.

Leveraging refresh tokens is a great way to improve the Salesforce user experience and ensure you’re keeping on top of security.