Loading

Oauth token does not auto refresh when named credential is used

Udgivelsesdato: Apr 24, 2026
Beskrivelse

When a Salesforce Named Credential is used with a Salesforce SOAP API endpoint, the credential merge field {!$Credential.OAuthToken} does not automatically refresh the OAuth token when it expires. This is because Named Credentials rely on the external service returning HTTP 401 to trigger the token refresh flow. However, when a Salesforce SOAP API session is expired, the SOAP response returns HTTP 500 (not HTTP 401), so the automatic refresh is never triggered.
The following example demonstrates a callout using a Named Credential with the SOAP API. When the token is expired, the SOAP API response contains <sf:exceptionCode>INVALID_SESSION_ID</sf:exceptionCode> rather than HTTP 401, which prevents the Named Credential from auto-refreshing the token.

Example Callout (Apex):

The code sets the endpoint using the Named Credential callout prefix (callout:sfa/services/Soap/...), sets the Content-Type to text/xml; charset=utf-8, and embeds {!$Credential.OAuthToken} in the SOAP envelope's SessionHeader. When the token expires, the response is INVALID_SESSION_ID rather than a token refresh.

HttpRequest req = new HttpRequest();
req.setEndpoint('callout:sfa/services/Soap/u/37.0/00DA0000000Ah7w');
req.setMethod('POST');
req.setHeader('Content-Type','text/xml; charset=utf-8');
req.setHeader('SOAPAction','wewew');
String payload='<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:partner.soap.sforce.com">'+
   '<soapenv:Header>'+
         '<urn:SessionHeader>'+
         '<urn:sessionId>{!$Credential.OAuthToken}</urn:sessionId>'+
      '</urn:SessionHeader>'+
   '</soapenv:Header>'+
   '<soapenv:Body>'+
      '<urn:query>'+
         '<urn:queryString>select id from contact limit 10</urn:queryString>'+
      '</urn:query>'+
   '</soapenv:Body>'+
'</soapenv:Envelope>';
System.debug('');
req.setBody(payLoad);
Http http = new Http();
HTTPResponse res = http.send(req);
System.debug(res.getBody()); 
Løsning

The reason for this behavior is that Salesforce SOAP API returns HTTP 500 for expired sessions, not HTTP 401. Named Credentials can only automatically refresh the OAuth token when the service returns HTTP 401.

Workaround: Force Token Refresh via REST API Dummy Call

To force the Named Credential to refresh the OAuth token, first make a dummy REST API call to the same Named Credential. REST API returns HTTP 401 on token expiry, which triggers the Named Credential refresh flow. After the refresh completes, re-execute the SOAP API callout — it will now use the refreshed token.

 

Step 1 — Make a dummy REST API call to trigger the OAuth token refresh:
The following code makes a GET request to the REST API endpoint using the Named Credential. If the token is expired, REST API returns HTTP 401, causing Named Credentials to automatically refresh the OAuth token.
Http h = new Http();
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:sfa/services/data/v22.0/query/?q=SELECT+id+from+contact');
req.setMethod('GET');
HttpResponse res = h.send(req);
Step 2 — Re-initiate the SOAP API call. After the dummy REST call completes, initiate the original SOAP API call again. The Named Credential now contains the refreshed token and the SOAP call will succeed.
Vidensartikelnummer

000381864

 
Indlæser
Salesforce Help | Article