API (Enable OAuth Settings): Enable Refresh Token Rotation
Control Name
Connected Apps: API (Enable OAuth Settings): Enable Refresh Token Rotation
Recommended Configuration
Enable Refresh Token Rotation.
Control Overview
This control invalidates and replaces each refresh token with a new one every time it is used to obtain a new access token.
Security Risk If Not Configured
Without rotation, a refresh token is "static" and long-lived, meaning if it is ever stolen, it can be used indefinitely to generate new sessions without the attacker ever needing the user's password or MFA.
Threat Scenarios
An attacker exfiltrates a refresh token from a user's local device storage or a compromised log file and uses it to maintain persistent, silent access to the Salesforce org long after the original user has logged out.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
The lack of rotation allows for "infinite session persistence," enabling an adversary to dwell in the environment undetected for months and systematically exfiltrate data.
Higher Risk When
The risk is significantly higher for public clients (mobile and single-page apps) that store tokens in less secure browser or device environments where they are more susceptible to theft by malicious software.
Low Risk When
Refresh Token Rotation is paired with PKCE (Proof Key for Code Exchange) and short-lived access tokens, so that any stolen token is effectively "single-use" and the attacker cannot mathematically prove that they are the original requester in order to obtain a new one.
Business and Integration Considerations
Enabling rotation requires the client application to be capable of updating its stored refresh token after every call, as failing to save the new token will result in the app being "locked out" during its next sync attempt.
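The rotation behaviour and the lock-out caveat above, as an added Python example that is not Salesforce's code and does not model the Connected App API: a minimal in-memory authorization-server token store. It goes one step beyond the page by revoking the whole token family when an already-rotated token is presented again, which is how an OAuth 2.0 Security BCP server detects a stolen token after rotation; the family ids, token lifetimes and error shapes are assumptions.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class RefreshToken:
    value: str
    family: str          # one family per authorization grant (assumed model)
    created: float
    used: bool = False   # True once this token has been exchanged


class RotatingTokenStore:
    """Constructed model of refresh token rotation with reuse detection.

    Each exchange invalidates the presented token and mints a replacement in the
    same family. Presenting an already-used token is treated as theft or a client
    that failed to persist its new token: the whole family is revoked, so neither
    the legitimate client nor a thief can continue with any token from that grant.
    """

    def __init__(self, access_ttl: int = 900):
        self.tokens: dict[str, RefreshToken] = {}
        self.revoked_families: set[str] = set()
        self.access_ttl = access_ttl  # short-lived access tokens (assumed 15 min)

    def issue(self) -> str:
        """Start a new family, e.g. after a successful authorization code grant."""
        return self._mint(secrets.token_hex(8))

    def _mint(self, family: str) -> str:
        value = secrets.token_urlsafe(32)
        self.tokens[value] = RefreshToken(value, family, time.time())
        return value

    def exchange(self, presented: str) -> dict:
        """Exchange a refresh token for an access token plus a rotated refresh token."""
        tok = self.tokens.get(presented)
        if tok is None:
            return {"error": "invalid_grant"}
        if tok.family in self.revoked_families:
            return {"error": "invalid_grant", "reason": "family_revoked"}
        if tok.used:
            # Replay of a rotated token: revoke the family and force re-authentication.
            self.revoked_families.add(tok.family)
            return {"error": "invalid_grant", "reason": "reuse_detected"}
        tok.used = True
        return {
            "access_token": secrets.token_urlsafe(24),
            "expires_in": self.access_ttl,
            "refresh_token": self._mint(tok.family),
        }
```

A client that discards the returned `refresh_token` will hit the `reuse_detected` branch on its next sync, which is the lock-out the business consideration above describes.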
Recommended Remediation
Go to the OAuth Settings of the Connected App and select the checkbox for "Enable Refresh Token Rotation."
Security Health Review Guidance
Security Health Review identifies Refresh Token Rotation as a critical "Zero Trust" mechanism that drastically reduces the "blast radius" of a stolen credential by making every token a single-use asset.