Salesforce Refresh Token

Secure integration

Salesforce API requires a session id or an access token to consume web services. You can get a session id with the login() method providing a username and password + security token. It has lots of constraints, such as a password policy that will expire your password, breaking your integration.
Storing a user and password expose more information than storing just a token. With a refresh token, you can convert it at any time to an access token. An access toekn is in fact the session id required to use the API.
One user can have multiple refresh tokens; with a logic of not sharing the refresh token, you can avoid impacting all your servers if one of them is compromised. You will just need to deactive the refresh token used by the compromised integration server.
The difficulty is that Salesforce does not provide any tool to generate such token. You need to implement the oAuth Web server flow to be able to get one. That is the purpose of this tool: just activate the generation process on this page, and you will retrieve your token.
Don't forget to store it in a secure way on your server.
You can use your own Salesforce connected app by changing the input fields below, or passing "client_id" and "client_secret" url parameters to this page; redirect uri must still remain to (this page).


Converting a Refresh Token to an Access Token

If you already have a refresh token, you can code an http POST to the API endpoint to get and access token, or just use the button below.
Fill the right value for the client id above, and enter below the access token and instance url.

developers: you can prefill above fields with url parameters of this page : refresh_token and instance_url.