Manage Session Policies for a Connected App
Configure a connected app’s session policies to define how long a user’s session can last before reauthenticating. You can also use session policies to block user access to the connected app, or to require two-factor authentication to access the app.
| Required Editions | |
|---|---|
| Available in: | both Salesforce Classic and Lightning Experience |
| Connected Apps can be created in: | Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions |
| Connected Apps can be installed in: | All editions |
| User Permissions Needed | |
|---|---|
| To read, create, update, or delete connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND Modify All Data AND Manage Profiles and Permission Sets |
| To rotate the consumer key and consumer secret: | Allow consumer key and secret rotation |
| To install and uninstall connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To install and uninstall packaged connected apps: | Download AppExchange Packages AND Customize Application AND either Modify All Data OR Manage Connected Apps |
See "New connected apps can no longer be created in Spring ’26" for more details.
- From Setup, enter Connected Apps in the Quick Find box, then select Manage Connected Apps.
- Click Edit next to the connected app that you are configuring access for.
- Under Session Policies, click the Timeout Value dropdown menu and select when access tokens expire for a user’s connected app session. You can control how long a user’s session lasts by setting the timeout value for the connected app, user profile, or org’s session settings (in that order of precedence). If you don’t set a value or you select None (the default), Salesforce uses the timeout value in the user’s profile. If the user’s profile doesn’t specify a timeout value, Salesforce uses the timeout value in the org’s Session Settings. The current permissions for the connected app are also listed in the org’s Session Settings.
- Select High assurance session required to require users to verify their identity with two-factor authentication when they log in to the connected app.
- Select Block this application to make the connected app inaccessible to your org’s users. Blocking an app ends all current user sessions with the connected app and prevents all new sessions.
- Select Raise the session level to high assurance to require users to verify their identity with two-factor authentication when they log in to the connected app. Only authorization flows that include a user approval step support using API logins with the High Assurance session security level. These flows are the OAuth 2.0 refresh token flow, web server flow, and user-agent flow. All other flows, such as the JSON Web Token (JWT) bearer token flow, don’t include a user approval step. For flows without a user approval step, API logins with the High Assurance session security level are blocked.
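The timeout precedence (connected app, then profile, then org) and the high-assurance flow restriction above are easy to get wrong when reviewing many connected apps at once. The following added example (not Salesforce code; the `SessionPolicy` record layout, flow names and the 120-minute ceiling are assumptions for illustration) resolves the effective timeout and flags the cases a reviewer cares about, including an integration that uses the JWT bearer flow with high assurance enabled, which the page says will have its API logins blocked:

```python
from dataclasses import dataclass
from typing import Optional

# Flows with a user approval step; the only ones the page says support
# API logins at the High Assurance session level.
HIGH_ASSURANCE_FLOWS = {"refresh_token", "web_server", "user_agent"}


@dataclass
class SessionPolicy:
    """Constructed record of one connected app's session policy (assumed layout)."""
    app_name: str
    app_timeout_min: Optional[int]      # None == "None (default)" in Setup
    profile_timeout_min: Optional[int]  # None if the user's profile sets no value
    org_timeout_min: int                # org Session Settings always has a value
    high_assurance: bool                # "Raise the session level to high assurance"
    blocked: bool                       # "Block this application"
    flows: set[str]                     # OAuth flows the integration actually uses


def effective_timeout(p: SessionPolicy) -> int:
    """Resolve the timeout in the order the page describes: app, profile, org."""
    if p.app_timeout_min is not None:
        return p.app_timeout_min
    if p.profile_timeout_min is not None:
        return p.profile_timeout_min
    return p.org_timeout_min


def audit(p: SessionPolicy, max_timeout_min: int = 120) -> list[str]:
    """Return review findings for one app; max_timeout_min is an assumed local ceiling."""
    if p.blocked:
        # Blocking ends all current sessions and stops new ones, so nothing else applies.
        return ["blocked: all sessions ended, no new sessions"]
    findings = []
    t = effective_timeout(p)
    if t > max_timeout_min:
        findings.append(f"effective timeout {t} min exceeds policy max {max_timeout_min}")
    if p.high_assurance:
        # Flows without a user approval step (e.g. JWT bearer) are blocked at high assurance.
        for flow in sorted(p.flows - HIGH_ASSURANCE_FLOWS):
            findings.append(f"high assurance will block API logins via {flow} flow")
    return findings


# Constructed sample inventory, not real org data.
SAMPLE = [
    SessionPolicy("Mobile Field App", None, 60, 720, True, False, {"user_agent", "refresh_token"}),
    SessionPolicy("Nightly ETL", None, None, 720, True, False, {"jwt_bearer"}),
    SessionPolicy("Legacy Reporting", 30, None, 720, False, True, {"web_server"}),
]

if __name__ == "__main__":
    for policy in SAMPLE:
        print(policy.app_name, effective_timeout(policy), audit(policy))
```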