[SalesForce] How to avoid Salesforce expiring the password and/or token without warning

I'm pushing back on the claims I've read that security tokens "only change when user changes the password, or regenerates the token."

My API access stopped working unexpectedly, and I couldn't get any API requests to go through. (This was a big problem for the business I work for.)

When I tried to log in normally, the website kicked me over to a password change page, as if Salesforce had expired my password and was demanding that I make a new one.

The API only started working again when I changed my password and generated a new token. Changing these was the ONLY change I made, and it has worked fine since then.

In other words, I experienced the token expiring or changing, WITHOUT the user changing the password or regenerating the security token. There was no warning of any kind.

How can I set up my API access to function more reliably, so that I'm not blindsided by the sudden enforced failure of my requests by Salesforce?

Best Answer

Your token didn't expire, your password did. As an administrator, you can make a Permission Set with the Password Never Expires permission, and assign it to your user account (affects only yourself), or you can change the Password Policies so that passwords never expire (affects all users in your org). You'll never have to worry about expired passwords again. Just remember to change it periodically, as a matter of recommended security practice.

Depending on your API/integration, if you set up an OAuth2 session with a Refresh Token, the application that authenticates this way will be able to use the Access Token/Refresh Token indefinitely until the session is explicitly logged out or revoked, even if the user's user name, password, or token changes.
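The refresh-token exchange the answer describes, as an added example that is not part of the original answer or Salesforce's own code. It assumes a connected app (client id and secret) and the standard `login.salesforce.com` token endpoint; the function names are hypothetical and the responses shown are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"

class ReauthorizationRequired(Exception):
    """The refresh token was revoked or expired; a person must re-authorize."""

def build_refresh_request(client_id, client_secret, refresh_token):
    # Only connected-app credentials and the refresh token are sent:
    # no user password and no security token, so rotating those is harmless.
    form = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    return urllib.request.Request(TOKEN_URL, data=form, headers={
        "Content-Type": "application/x-www-form-urlencoded"})

def parse_token_response(status, raw):
    payload = json.loads(raw)
    if status == 200:
        return payload["access_token"], payload["instance_url"]
    if payload.get("error") == "invalid_grant":
        # Explicit revocation or logout: alert someone instead of retrying.
        raise ReauthorizationRequired(payload.get("error_description", ""))
    raise RuntimeError(f"token endpoint returned {status}: {payload}")

def _http_send(request):
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()  # error details are in the JSON body

def refresh_access_token(client_id, client_secret, refresh_token, send=_http_send):
    request = build_refresh_request(client_id, client_secret, refresh_token)
    return parse_token_response(*send(request))

if __name__ == "__main__":
    # Constructed response standing in for the live endpoint.
    ok = lambda req: (200, b'{"access_token": "constructed-access-token", '
                           b'"instance_url": "https://example.my.salesforce.com"}')
    print(refresh_access_token("CLIENT_ID", "CLIENT_SECRET", "REFRESH_TOKEN", send=ok))
```

Catching `ReauthorizationRequired` separately lets the integration page an operator on revocation instead of failing silently or retrying in a loop.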
