INVALID_SESSION_ID is returned when using the REST API with an access token retrieved in the same transaction if "Lock sessions to the IP address from which they originated" is enabled

Knowledge Article Number 000205360
Description

When "Lock sessions to the IP address from which they originated" is enabled, if an OAuth2 access token is used to perform a Salesforce REST API call, INVALID_SESSION_ID might be returned even if the token is obtained in the same Apex transaction.

Resolution

"Lock sessions to the IP address from which they originated" is strict, and internal IP addresses are not automatically whitelisted in this case. Since the login callout and subsequent REST API callouts might be performed via different internal IP addresses, INVALID_SESSION_ID might be returned when using the access token if the mentioned preference is enabled.

To solve this you may use the continuous IP enforcement feature (introduced in Summer '15):

1) Turn "Lock sessions to the IP address from which they originated" OFF,
2) Turn "Enforce login IP ranges on every request" ON,
3) Select the connected app's IP relaxation policy "Enforce IP restriction", and
4) Add Salesforce's internal IP range 10.0.0.0 to 10.255.255.255 to the login IP ranges of the profiles that need to use Salesforce's REST API.

or simply relax the IP restrictions:

1) Turn "Lock sessions to the IP address from which they originated" OFF, and 
2) Select the connected app's IP relaxation policy "Relax IP restrictions".
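
The pattern described in this article, as an added Apex example (not Salesforce's own code): a token request and a REST call in the same transaction, with the INVALID_SESSION_ID response reported as a likely session IP lock rather than an expired token. The class and exception names, the v34.0 path and the username-password OAuth flow are assumptions, and both hosts are assumed to be allowed as Remote Site Settings.

```apex
// Added example; every name and the API version below are assumptions.
public class SameTransactionTokenCheck {
    public class TokenRequestException extends Exception {}
    public class IpLockedSessionException extends Exception {}

    static final String TOKEN_URL = 'https://login.salesforce.com/services/oauth2/token';
    static final String API_PATH = '/services/data/v34.0/sobjects/'; // assumed version

    public static String callRestApi(String clientId, String clientSecret,
                                     String username, String password) {
        // Callout 1: obtain the access token (OAuth2 username-password flow).
        HttpRequest login = new HttpRequest();
        login.setEndpoint(TOKEN_URL);
        login.setMethod('POST');
        login.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        login.setBody('grant_type=password'
            + '&client_id=' + EncodingUtil.urlEncode(clientId, 'UTF-8')
            + '&client_secret=' + EncodingUtil.urlEncode(clientSecret, 'UTF-8')
            + '&username=' + EncodingUtil.urlEncode(username, 'UTF-8')
            + '&password=' + EncodingUtil.urlEncode(password, 'UTF-8'));
        HttpResponse loginRes = new Http().send(login);
        if (loginRes.getStatusCode() != 200) {
            throw new TokenRequestException('Token request failed: ' + loginRes.getStatus());
        }
        Map<String, Object> token =
            (Map<String, Object>) JSON.deserializeUntyped(loginRes.getBody());

        // Callout 2: use the token immediately. This request may leave from a
        // different internal IP address than callout 1.
        HttpRequest api = new HttpRequest();
        api.setEndpoint((String) token.get('instance_url') + API_PATH);
        api.setMethod('GET');
        api.setHeader('Authorization', 'Bearer ' + (String) token.get('access_token'));
        HttpResponse apiRes = new Http().send(api);

        // The token is seconds old, so expiry is an unlikely cause of this error.
        if (apiRes.getStatusCode() == 401
                && apiRes.getBody().contains('INVALID_SESSION_ID')) {
            throw new IpLockedSessionException(
                'INVALID_SESSION_ID on a token issued in this transaction: check '
                + '"Lock sessions to the IP address from which they originated" '
                + 'and the connected app IP relaxation policy.');
        }
        return apiRes.getBody();
    }
}
```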
