Is it possible to store and reuse a refresh token ad infinitum?

 

I want to be able to insert records into a custom object on behalf of users from my web app without their direct involvement aside from their initial granting my app permission to do so. The events that will trigger these inserts could happen at any time (not necessarily when the user is logged into my app).

So, I plan to ask the users of my app to create a remote app in their Salesforce environment and then provide me with the Consumer Key and Secret. Then, have them "authorize" my app which should make an auth request to Salesforce and return an auth token or a refresh token that I assume I can store in my db for later use? I realize I could just ask them to provide me with their Salesforce username and password directly, but I'm also aware this is bad security practice.

Am I missing anything? Will I be able to reuse the refresh token ad infinitum even after the user of my app has ended their session, etc?

My app is written in PHP.


Attribution to: Micah Bolen

Possible Suggestion/Solution #1

The refresh token doesn't expire, but can be manually revoked, so you do need to be prepared for the case when your refresh token is no longer valid, but generally this should work fine.

But there's no need for all your customers to create their own remote access settings; you can create one in your own Developer edition org, and it will be valid for use in the customer orgs as well.


Attribution to: superfell
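
Added example, not part of the original answers: one way a PHP app could use a stored refresh token and detect that it has been revoked, as the answer above says it must be prepared to do. The token URL, the function name `refreshAccessToken`, the `$post` transport callable and all sample responses are assumptions or constructed values; the revocation check relies on the standard OAuth 2.0 `invalid_grant` error.

```php
<?php
declare(strict_types=1);
// Added example. refreshAccessToken(), $post and the sample data are hypothetical names/values.

const TOKEN_URL = 'https://login.salesforce.com/services/oauth2/token'; // assumed endpoint

/**
 * Exchange a stored refresh token for a fresh access token.
 * $post is any callable(string $url, array $fields) returning [HTTP status, body];
 * in production it would wrap an HTTPS POST with certificate verification enabled.
 */
function refreshAccessToken(callable $post, string $clientId, string $clientSecret, string $refreshToken): array
{
    [$status, $body] = $post(TOKEN_URL, [
        'grant_type'    => 'refresh_token',
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
        'refresh_token' => $refreshToken,
    ]);
    $json = json_decode($body, true);
    if (!is_array($json)) {
        // Outage or proxy error page: says nothing about the token, so keep it and retry later.
        return ['state' => 'retry', 'reason' => "unparseable response (HTTP $status)"];
    }
    if ($status === 200 && isset($json['access_token'], $json['instance_url'])) {
        // Access tokens are short-lived: hold them in memory or a cache, not next to the refresh token.
        return ['state' => 'ok', 'access_token' => $json['access_token'], 'instance_url' => $json['instance_url']];
    }
    if (($json['error'] ?? '') === 'invalid_grant') {
        // Refresh token revoked or otherwise invalid: delete it and ask the user to authorize again.
        return ['state' => 'reauthorize', 'reason' => $json['error_description'] ?? 'invalid_grant'];
    }
    // Other errors (for example invalid_client) are not proof of revocation: keep the token and alert.
    return ['state' => 'retry', 'reason' => $json['error'] ?? "HTTP $status"];
}

// Constructed responses standing in for the token endpoint, so the script runs offline.
$samples = [
    'valid'   => [200, '{"access_token":"CONSTRUCTED_ACCESS_TOKEN","instance_url":"https://example.my.salesforce.com"}'],
    'revoked' => [400, '{"error":"invalid_grant","error_description":"expired access/refresh token"}'],
    'outage'  => [503, '<html>Service Unavailable</html>'],
];
foreach ($samples as $name => $response) {
    $stub = fn(string $url, array $fields): array => $response;
    $result = refreshAccessToken($stub, 'CONSUMER_KEY_PLACEHOLDER', 'CONSUMER_SECRET_PLACEHOLDER', 'REFRESH_TOKEN_PLACEHOLDER');
    printf("%-8s => %s (%s)\n", $name, $result['state'], $result['reason'] ?? $result['instance_url']);
}
```

Only the `reauthorize` state should cause the stored refresh token to be deleted; treating every failure as revocation would force users to re-grant access after a transient outage.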

Possible Suggestion/Solution #2

http://wiki.developerforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com

You may like to refer to this excellent resource on OAuth and how to revoke the access token.

You will need to create a record in remote access settings in Salesforce to allow your app to access Salesforce.

Just one time you may need to set this up, and then you can use the client secret and consumer key obtained in the process to establish authorization to Salesforce.

And yes, taking username and password from users defeats the whole purpose of authentication.


Attribution to: Mohith Shrivastava
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/4359
