-
My goal:
- Diagnose why refresh tokens are being invalidated despite the "until revoked" setting.
- Recommend any Retool-side or Salesforce-side configuration changes to ensure persistent connectivity.
- Advise on best practices for maintaining long-lived integrations with Salesforce via Retool.
-
Issue: Our Retool Project Board integration with Salesforce is experiencing recurring token expiry issues. The SFDC refresh token, configured as "valid until revoked," is being invalidated by Salesforce after several days (typically weekly), causing the integration to break until we manually re-authenticate using our service account. This prevents Retool from auto-refreshing the access token, resulting in production disruptions.
No changes have been made to the Salesforce app config, and the integration worked reliably for years until this started a few months ago. Weβve confirmed the Salesforce Connected App is set to allow refresh tokens indefinitely, and there are no obvious config errors. The pattern suggests Salesforce is revoking the refresh token unexpectedly, not due to explicit admin action.
-
Steps I've taken to troubleshoot:
- The team confirmed that Salesforce is expiring the refresh token after a set period, which prevents Retool from auto-refreshing the access token.
- Attempts were made to find a Salesforce configuration that would keep the refresh token alive indefinitely and allow Retool to refresh the access token silently.
- The Salesforce Connected App was reviewed and is set to "refresh token is valid until revoked," which should prevent automatic expiry unless manually revoked.
- The integration was stable from 2022 until a few months ago, when the recurring expiry began.
- No configuration issues were found on the Salesforce side after multiple reviews.
- The team is monitoring for a pattern and noted that expiry typically occurs on Mondays.
- Manual re-authentication has been used as a temporary workaround.
- The suggestion was made to contact Retool support for further guidance, as no root cause has been identified on the Salesforce side.
No evidence of explicit admin revocation or config changes was found, and the issue appears to be new and recurring despite a previously stable setup.
-
Additional info: (Cloud or Self-hosted, Screenshots)
Hey @Aditya_Sharma, thanks for the detailed write-up, this gives a good starting point! 
Before diving into recommendations, a couple of quick questions to make sure we're looking in the right place:
- Are you on Retool Cloud or self-hosted? If self-hosted, what version?
- Can you share the specifics of how your resource is configured? If you could share a screenshot that would be awesome, feel free to redact any private and confidential information if needed.
Hi @ChiEn ,
Retool support team reached out to me in another thread and helped me get this resolved. I appreciate the help and check in.
Sounds good, I saw that Kenny was able to help you out! 
Running into a similar, albeit not identical issue. Any chance you could share the root cause if itβs not sensitive?
@ikiss
No problem, This is the recommendation I received from the Retool support team, I hope this helps:
Thanks for sharing the details of the issue and your attempts of troubleshooting in the Community thread. My impressions of the issue seems to be an issue stemming from the Salesforce end and I'm hoping we can take a look at this. According to Salesforce, Refresh token is valid until revoked, the refresh token is used indefinitely, unless revoked by the user or Salesforce admin, but your team has confirmed there's no Admin action taken from your end to revoke this.
This leads me to believe that you may be running into a similar issue mentioned in this article from Paragon: Silently running into the 5-Token Concurrent Grant Limit set by Salesforce. What may be happening is that every time someone manually re-authenticates, a new grant is issued without the old one being explicitly revoked. Over several re-authentications, you silently hit the 5-grant ceiling. Salesforce automatically revokes the oldest token β which is the one Retool has stored and is actively using β with no notifications and erroring your Retool queries when trying to used a revoked token. You should be able to confirm this by checking and tracking which tokens Retool is sending to re-authenticate(and failing) and which is active in the oauth connected app sessions in Salesforce.