[SalesForce] Salesforce Sandbox Security Token

You cannot reset the token directly, as the administrator. However, administrators have ways to make this happen. As an administrator, you could:

• Reset the user's password, and have them log in; they'll be emailed a new token after setting their password.
• Get the user's password, and login as them.
• Call setPassword on the user, thus giving you the ability to log in as them and then reset their password.
• Change the user's email to your own, reset the password, login, and you'll have a new token (a token is issued when a permanent password is set).
• Use the login access granted by the user to reset their security token.
• Administrators with organizations that have "Administrators can log in to any user" can also use login access to reset the token.

Note that in all cases, it will be sent to the email address on file; there's no way to show the token in the UI. In most cases, the administrator has to destroy the user's password as part of the reset process. Only by logging in as the user legitimately (either login access or with the user's password) can they avoid destroying the existing password.

A session ID identifies a user using the UI or an API/integration tool. It has a set time to live and may be manually expired by explicitly logging out. It may also be tied to a specific IP address, if configured. Session ID values are valid across all APIs, including SOAP and REST endpoints.

Access Tokens are used by Connected Apps and other OAuth-enabled apps (such as Chatter Mobile). These tokens also have a similar life span, but can also be refreshed with a Refresh Token if granted permission. This allows services to have long-lived connections to the user account, even if they log out of other devices. Like session IDs, you can use access tokens anywhere a session ID is valid.

Security Tokens are the only type of token a user actually needs to "remember". A security token grants access to the user's account from outside of their normal domain. This token is only necessary if the user's current IP address is not whitelisted, and will not allow users to access salesforce.com outside of their IP restrictions or login times. The token is always provided as part of the password: passwordtoken. There is no intervening space or other symbol that separates the two.