Loading

Data 360: Impact of using grant_type 'password' on API Calls to the Data 360 Token Endpoint

Publish Date: Oct 23, 2025
Description

Getting Started outlines the steps to request a Salesfore Access Token and then use that token to request a Data 360 Token, which is then required to authenticate many Data 360 (formerly Data Cloud) API calls.

OAuth Authorization Flows outlines the various authorization methods available to request a Salesforce Access Token from the /services/oauth2/token endpoint.



One such method is OAuth 2.0 Username-Password Flow for Special Scenarios. This authorization flow uses password as the grant_type parameter and requires the client to have access to a valid username and password. The following example shows how these parameters are passed in the request body to the /services/oauth2/token endpoint:


grant_type=password&
client_id=3MVG9lKcPoNINVBIPJjdw1J9LLM82HnFVVX19KY1uA5mu0QqEWhqKpoW3svG3XHrXDiCQjK1mdgAvhCscA9GE&
client_secret=1955279925675241571&
username=testuser@salesforce.com&
password=mypassword


When the call to /services/oauth2/token is authorized, a Salesforce Access Token is returned in the response, which can then be used to request a Data 360 Token from the /services/a360/token endpoint. However, when using the password grant type, it is observed that the /services/a360/token only returns a Data 360 Token the first time a Salesforce Access Token is used in the request. If you attempt to reuse the Salesforce Access Token in a second call to /services/a360/token without making a new request to /services/oauth2/token then the Data 360 Token endpoint fails to return a token. Instead, the response from /services/a360/token will return a HTML document with the following content.


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<script>
function redirectOnLoad() {
if (this.SfdcApp && this.SfdcApp.projectOneNavigator) { SfdcApp.projectOneNavigator.handleRedirect('...'); } else
if (window.location.replace){
window.location.replace('...');
} else {
window.location.href ='...';
}
}
redirectOnLoad();
</script>
</head>


Note: requests that return HTML content due to this restriction have a 200 status code. It is planned in a future release that an error status code and an error message will instead be returned when this issue is encountered.
Resolution
It has been confirmed by the Data 360 product team that for security reasons, when using password as the grant_type it is expected that you cannot reuse a Salesforce Access Token to request a Data 360 Token without making a new call to the /services/oauth2/token endpoint before every call to /services/a360/token endpoint.


This restriction is only applied when the grant_type is password. Review the different authorization options available in OAuth Authorization Flows. Based on your requirements, you can use a grant_type other than password. If the Salesforce Access Token is requested using another grant type, such as client_credentials (see OAuth 2.0 Client Credentials Flow for Server-to-Server Integration) then requests to /services/a360/token will return a Data 360 Token every time without needing to make a new request to /services/oauth2/token before every request to the Data 360 Token endpoint.
Knowledge Article Number
005104785
 
Loading
Salesforce Help | Article