Security: Enable Refresh Token Rotation Control
Control Name
External Client Apps: Security: Enable Refresh Token Rotation
Recommended Configuration
Enable Refresh Token Rotation.
Control Overview
This security setting invalidates and replaces each refresh token with a new, single-use token whenever a client uses it to obtain a new access token.
Security Risk If Not Configured
Without rotation, a compromised refresh token remains valid indefinitely or until its expiration, allowing an attacker to maintain persistent, unauthorized access to the environment without ever needing to re-authenticate.
Threat Scenarios
An attacker extracts a static refresh token from a local device or application log and uses it to programmatically generate a continuous stream of valid access tokens, effectively establishing a permanent backdoor into the Salesforce instance.
Estimated CVSS Score Range
High (7.0–8.9).
Risk Impact Considerations
Failure to implement rotation facilitates long-term data exfiltration and undetected account takeover, as the attacker can stay logged in even if the legitimate user changes their password or completes a multi-factor authentication challenge.
Higher Risk When
The risk is higher for public clients like mobile or single-page applications that store tokens in less secure local environments and for integrations that have been granted broad administrative permissions.
Low Risk When
The company enforces very short absolute lifespans for all refresh tokens and uses strict IP address filtering so that tokens can only be used from known, trusted networks.
Business and Integration Considerations
Enabling rotation requires the client application to be capable of handling the updated refresh token returned in every exchange and successfully persisting the new value to avoid synchronization failures.
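As an added illustration (not Salesforce code or configuration), the following Python model shows what rotation means on both sides of the exchange: the server marks each refresh token single-use, issues a replacement, and treats reuse of an already-rotated token as a replay that revokes the whole token family; the client shows why it must persist the new value. TokenStore, refresh_with_rotation and simulate_client are hypothetical names constructed for this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    """Hypothetical authorization-server state (constructed for this example)."""
    refresh: dict = field(default_factory=dict)      # token -> (family, already_used)
    revoked_families: set = field(default_factory=set)

    def issue(self, family: str) -> str:
        tok = secrets.token_urlsafe(16)
        self.refresh[tok] = (family, False)
        return tok


def refresh_with_rotation(store: TokenStore, presented: str):
    """Refresh grant with rotation: the presented token is invalidated and
    replaced. Returns (access_token, new_refresh_token) or None when rejected."""
    entry = store.refresh.get(presented)
    if entry is None:
        return None
    family, used = entry
    if family in store.revoked_families:
        return None
    if used:
        # An already-rotated token is being replayed: a stolen copy and the
        # legitimate client now both hold tokens from this family, so revoke
        # the whole family and force a fresh login.
        store.revoked_families.add(family)
        return None
    store.refresh[presented] = (family, True)          # single use from now on
    return secrets.token_urlsafe(16), store.issue(family)


def simulate_client(store: TokenStore, refresh_token: str, rounds: int,
                    persist_new_token: bool = True) -> int:
    """Client that refreshes `rounds` times; returns how many refreshes succeed.
    A client that fails to persist the rotated token re-sends the old one."""
    ok = 0
    for _ in range(rounds):
        result = refresh_with_rotation(store, refresh_token)
        if result is None:
            break
        ok += 1
        if persist_new_token:
            refresh_token = result[1]
    return ok
```

A client that does not store the rotated token succeeds only once and then locks itself out, which is the synchronization failure the paragraph above refers to.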
Recommended Remediation
Go to the OAuth settings of the External Client App and select the checkbox to turn on refresh token rotation.
Security Health Review Guidance
Security Health Review identifies refresh token rotation as a mandatory defense-in-depth standard for session management, so that the window of opportunity for a stolen bearer token is limited to a single transaction.