Salesforce REST API INVALID_SESSION_ID error
I am using the Salesforce REST API to access the Salesforce account from my Rails app. I created a remote access app and got the key and the id. I was able to authenticate the user and get the auth_token, instance URL and all that. But when I send a request to "instance_url/services/data/v20.0" along with the access token, I get this error:
[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]
I have a developer Salesforce account and have API enabled set to true for every profile, except for the "Authenticated website" profile (which is not accessible).
Please, can anybody help me with this?
I'm authenticating the user with the following request
HTTParty.post "https://login.salesforce.com/services/oauth2/token", :body=>{"grant_type"=>"authorization_code","code"=>"abc}","client_secret"=>"abc", "client_id"=>"abc","format"=>"json","redirect_uri"=>"localhost:3000/salesforce/callback"}
which is returning signature, id, instance_url, issued_at, access_token and refresh_token
HTTParty.get "https://ap1.salesforce.com/services/data/v20.0", :headers=>{"Authentication"=>"OAuth access_token", "Content-Type"=>"application/json"}
which responds with
[{"errorCode"=>"INVALID_SESSION_ID", "message"=>"Session expired or invalid"}]
How are you passing the sessionId to the /services/data/v20.0 request? If your access_token is abc123, then you need an HTTP header of Authorization: OAuth abc123 in the request.
An API session in Salesforce expires regardless of whether there are activities or not. To set the duration of each session, go to Setup > Administration Setup > Security Controls > Session Settings.
The max is 8 hours.
Cheers!
In addition to the other possible problems identified by the other answers, the "Lock sessions to the IP address from which they originated" setting in Salesforce is a possible contributing factor to otherwise valid code. From the following Salesforce KB article:
Description
When "Lock sessions to the IP address from which they originated" is enabled, if an OAuth2 access token is used to perform a Salesforce REST API call, INVALID_SESSION_ID might be returned even if the token is obtained in the same Apex transaction.
Resolution
"Lock sessions to the IP address from which they originated" is strict, and internal IP addresses are not automatically whitelisted in this case. Since the login callout and subsequent REST API callouts might be performed via different internal IP addresses, INVALID_SESSION_ID might be returned when using the access token if the mentioned preference is enabled.
To solve this you may use the continuous IP enforcement feature (introduced in Summer '15):
- Turn "Lock sessions to the IP address from which they originated" OFF,
- Turn "Enforce login IP ranges on every request" ON,
- Select the connected app's IP relaxation policy "Enforce IP restriction", and
- Add Salesforce's internal IP range 10.0.0.0 to 10.255.255.255 to the list of profiles needing to use Salesforce's REST API.
or simply relax the IP restrictions:
- Turn "Lock sessions to the IP address from which they originated" OFF, and
- Select the connected app's IP relaxation policy "Relax IP restrictions"
If you are using OAuth, you need to use the Refresh Token flow on this error to get a new, renewed token. Here are more details: http://wiki.developerforce.com/index.php/Digging_Deeper_into_OAuth_2.0_on_Force.com
Please search for "refresh token" in the wiki page linked above.
Issues I ran into:
Make sure to include the scope "web" in the authorize request, e.g.
https://login.salesforce.com/services/oauth2/authorize?response_type=code&clientId=xxx&redirect_uri=http://www.example.com&scope=id+api+refresh_token+web
Use the instanceUrl that is returned in the authorize response. In my case this was https://eu2.salesforce.com and I always tried to use https://na1.salesforce.com, which didn't work.
Faced the same issue and in my case < > characters in the password were causing the problem.
I am adding this answer because any of other answers above helped me. My problem was actually that I was using access_token as I received it in the JSON response during login.salesforce.com/services/oauth2/token requests.
You have to remove ID from access_token, as it is described in Salesforce documentation: "Substitute the ID for the token value"
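An added example, not part of any post above: the Authorization header, the instance URL taken from the token response, and the refresh token flow mentioned in the answers, combined in one Ruby helper. The function names, the `http:` transport hook and all token values are assumptions made so the logic runs offline; in an app the hook would wrap HTTParty.

```ruby
require "json"
require "uri"

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token" # endpoint from the question

# True when the API returned the error body shown in the question.
def invalid_session?(resp)
  body = JSON.parse(resp[:body]) rescue nil
  body.is_a?(Array) && body.any? { |e| e.is_a?(Hash) && e["errorCode"] == "INVALID_SESSION_ID" }
end

# GET a REST resource; on INVALID_SESSION_ID, run the refresh token flow once and retry.
# creds: token response fields plus the connected app's client_id and client_secret.
# http:  hypothetical transport hook, (method, url, headers, form) -> {status:, body:}.
def sf_get(path, creds, http:)
  get = lambda do
    url = URI.join(creds["instance_url"], path).to_s # host from the token response
    http.call(:get, url, { "Authorization" => "OAuth #{creds['access_token']}" }, nil)
  end
  resp = get.call
  return resp unless invalid_session?(resp) && creds["refresh_token"]

  form = { "grant_type" => "refresh_token", "refresh_token" => creds["refresh_token"],
           "client_id" => creds["client_id"], "client_secret" => creds["client_secret"] }
  fresh = http.call(:post, TOKEN_URL, {}, form)
  raise "token refresh failed (HTTP #{fresh[:status]})" unless fresh[:status] == 200
  creds.merge!(JSON.parse(fresh[:body]).slice("access_token", "instance_url"))
  get.call # single retry; a second rejection is returned to the caller
end

# Constructed offline demo: the fake transport rejects token "OLD" and accepts "NEW".
def demo
  log = []
  fake = lambda do |method, url, headers, _form|
    log << [method, url, headers["Authorization"]]
    if method == :post
      { status: 200, body: '{"access_token":"NEW","instance_url":"https://eu2.salesforce.com"}' }
    elsif headers["Authorization"] == "OAuth NEW"
      { status: 200, body: '{"sobjects":"/services/data/v20.0/sobjects"}' }
    else
      { status: 401, body: '[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]' }
    end
  end
  creds = { "access_token" => "OLD", "refresh_token" => "RT", "client_id" => "cid",
            "client_secret" => "cs", "instance_url" => "https://eu2.salesforce.com" }
  [sf_get("/services/data/v20.0", creds, http: fake), log]
end
```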