Salesforce Security: Are You Leaving Doors Open?
- Vítor Batista @asUgo
- Jan 21
- 3 min read
I usually close the door of my house when I leave. Are you doing the same in your Salesforce org, or are you leaving many doors open and putting your org at risk?
Tokens that are never revoked are a security blind spot: they are easy to overlook, and a forgotten or leaked one is a standing point of failure. This is especially true for integrations with systems that do not have fixed IP addresses, where you cannot fall back on IP restrictions to limit where a token can be used.
In this article, I will highlight why revoking access and refresh tokens in Salesforce orgs matters for security.

What are Access and Refresh Tokens?
Take the example of a very cool Airbnb that lets you access your room using your phone. All you have to do is install an app, enter some information provided by the host, and then enter a code you received in the email used to make the reservation.
Every time you open the app, a code is generated that you can use to unlock the door. That code is like an access token: it gives you direct access to the room.
The app itself has a hidden code that is used to generate a new code every time you open it. This hidden code is received when you first connect to the app, and it acts as your refresh token, responsible for generating valid access tokens whenever you need them.
Why Should Access and Refresh Tokens be Revoked?

Imagine someone sees you enter the code you just generated on your phone. They could wait for you to leave the room and then re-enter using that same code. For that reason, the code should work only once and should only be valid for a few minutes. Otherwise, generated tokens could pile up, and someone who obtains a leaked or observed code could gain access.
There are also cases where an access token is legitimately used multiple times over an extended period. If the Airbnb has a pool area with a bar, for example, the code that lets you walk around there could be reused for a few hours.
When your stay ends, you should no longer be able to generate valid codes (or any codes at all). To ensure that, the refresh token must also be revoked.
How This Applies in Salesforce
After a successful OAuth authentication, Salesforce returns an access token and, optionally, a refresh token. These tokens are part of the mechanism that allows a client to access Salesforce, and revoking them is how you cut off that access.
Making sure you don’t leave any token hanging around after it has served its purpose is a simple but critical way to keep your org secure.
Revoking Tokens in Salesforce
You can revoke both access and refresh tokens.
Revoking Access Tokens
Access tokens are usually revoked by calling the OAuth revocation endpoint, and that call should be a step in the integration itself, not an afterthought. Just like in the Airbnb example, the access token should be revoked as soon as it has served its purpose.
In some cases, you can also revoke access tokens manually by revoking the user’s access altogether, such as by changing the password or by deactivating or freezing the user.
Revoking Refresh Tokens
Refresh tokens should also be revoked as part of the process whenever it makes sense. Just like with the Airbnb, you don’t want old clients to still be able to get into the room.
Refresh tokens can also be revoked through the Setup UI, which is useful in emergencies where access needs to be removed immediately.
Revoking a refresh token also revokes any access tokens that are still active. In the Airbnb scenario, without this behavior you could open the app, generate a code, write it down, and use it later even after your stay has ended. That’s not what happens: any access token generated from a refresh token is automatically revoked when that refresh token is revoked.
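The two revocation steps above (cutting off the access token as soon as the job is done, and revoking the refresh token so no new access tokens can be minted) can be wired into an integration like this. This is an added example, not code from the article or from Salesforce: it assumes the documented revocation endpoint, `POST <login host or My Domain>/services/oauth2/revoke` with a form-encoded `token` parameter that accepts either an access token or a refresh token, and that the endpoint answers HTTP 200 on success and HTTP 400 with a JSON `error` field for an unknown or already-revoked token. The `FakeSalesforceRevoker` class, the `run_integration_job` helper and the sample tokens are constructed here so the code runs offline; the fake models the behaviour the article describes (revoking a refresh token also invalidates the access tokens minted from it).

```python
"""Revoke Salesforce OAuth tokens at the end of an integration job.

Added example, not from the original article. Endpoint and parameter names
follow the public Salesforce OAuth docs; the fake endpoint and sample tokens
are constructed for the offline demonstration.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

REVOKE_PATH = "/services/oauth2/revoke"

# A transport takes (url, form-encoded body) and returns (status, body).
Transport = Callable[[str, bytes], Tuple[int, bytes]]


def urllib_transport(url: str, body: bytes) -> Tuple[int, bytes]:
    """Real HTTP transport; used only when you pass it to revoke_token."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry a JSON body
        return e.code, e.read()


def revoke_token(base_url: str, token: str, transport: Transport) -> str:
    """Revoke an access or refresh token (same endpoint for both).

    Returns "revoked" on HTTP 200, "already_invalid:<error>" on HTTP 400
    (unknown, expired or already-revoked token: nothing left to cut off),
    and raises on anything else so a failed revocation is never silent.
    """
    url = base_url.rstrip("/") + REVOKE_PATH
    body = urllib.parse.urlencode({"token": token}).encode()
    status, resp_body = transport(url, body)
    if status == 200:
        return "revoked"
    if status == 400:
        try:
            data = json.loads(resp_body or b"{}")
        except ValueError:
            data = {}
        err = data.get("error", "unknown") if isinstance(data, dict) else "unknown"
        return f"already_invalid:{err}"
    raise RuntimeError(f"revoke failed: HTTP {status} {resp_body[:200]!r}")


def run_integration_job(base_url: str, access_token: str, refresh_token: str,
                        do_work: Callable[[str], object],
                        transport: Transport) -> Dict[str, object]:
    """Use the tokens, then revoke them in `finally` so nothing is left hanging,
    even when the job itself fails. Hypothetical helper for this example."""
    results: Dict[str, object] = {}
    try:
        results["work"] = do_work(access_token)
    finally:
        # Refresh token first: it also invalidates outstanding access tokens,
        # so the second call is a belt-and-braces step that should report
        # the access token as already invalid.
        if refresh_token:
            results["refresh"] = revoke_token(base_url, refresh_token, transport)
        results["access"] = revoke_token(base_url, access_token, transport)
    return results


class FakeSalesforceRevoker:
    """Constructed stand-in for the revoke endpoint so this runs offline.
    Models the article's behaviour: revoking a refresh token also removes
    the access tokens minted from it. The 400 body is a constructed sample."""

    def __init__(self, refresh_to_access: Dict[str, Iterable[str]]):
        self.refresh = {r: set(a) for r, a in refresh_to_access.items()}
        self.access = {a for acc in self.refresh.values() for a in acc}
        self.calls = []

    def __call__(self, url: str, body: bytes) -> Tuple[int, bytes]:
        self.calls.append(url)
        if not url.endswith(REVOKE_PATH):
            return 404, b""
        token = urllib.parse.parse_qs(body.decode()).get("token", [""])[0]
        if token in self.refresh:
            self.access -= self.refresh.pop(token)   # cascade to access tokens
            return 200, b""
        if token in self.access:
            self.access.discard(token)
            return 200, b""
        return 400, b'{"error":"unsupported_token_type"}'


if __name__ == "__main__":
    fake = FakeSalesforceRevoker({"REFRESH-1": ["ACCESS-1", "ACCESS-2"]})
    out = run_integration_job("https://login.salesforce.com", "ACCESS-1",
                              "REFRESH-1", lambda tok: f"used {tok}", fake)
    print(out)               # refresh revoked, access reported already invalid
    print(fake.access)       # set(): ACCESS-2 was revoked by the cascade too
```

To run against a real org, pass `urllib_transport` instead of the fake and use your login host or My Domain as `base_url`. Keep the `finally` shape: the whole point is that a job that crashes halfway still closes the door behind it.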
Delete Tokens
For some OAuth sessions, Salesforce can also expose delete tokens. Their sole purpose is to revoke both access and refresh tokens: they give someone or something the ability to cut off access without giving them the ability to gain access.
Continuing with the Airbnb example, such a token could be held by a service representative who has the authority to revoke access in an emergency, or to issue a new one if needed, but who should never hold a code that opens the room.
Important Note
Revoking access or refresh tokens does not automatically log out users who are already signed in. Active sessions may continue until they expire or are manually ended; token revocation primarily prevents future access. Think of it as locking the door against new codes: anyone already inside the room may stay there until they leave.
Connect with me on LinkedIn to share ideas or provide feedback: Vítor Batista | LinkedIn.