Summary
This error indicates that the Salesforce OAuth refresh/access token Riva is using has expired or is no longer trusted. To restore syncing, you must re-validate the Salesforce connection so Riva can obtain a fresh token (and refresh related metadata if needed).
Symptoms / Issue
When encountering this error, users may experience:
- Error message: Salesforce authorization failed. Re-validate application trust. Message=[invalid_grant] expired access/refresh token
- Salesforce sync stops or fails (records/events do not update).
- Connection or impersonation test fails in Riva Cloud.
- Environment: Riva Cloud (Salesforce / CRM sync).
Cause of the Issue
- The Salesforce OAuth access token and/or refresh token are expired or no longer valid, so Riva can’t authenticate to Salesforce.
- This commonly requires the admin to re-validate the Salesforce connection to refresh authorization and restore trust.
Resolution / Steps
- Re-validate the Salesforce connection in Riva Cloud.
  - In the Riva Cloud Dashboard, go to Synchronization -> Connections.
  - Find the existing Salesforce (CRM) connection -> open the connection menu -> select Edit.
  - On the connection edit page, select Re-Validate Connection.
  - Read the warning, then log out of all existing Salesforce browser sessions.
  - Select Re-Validate.
  - When the Salesforce login page appears, sign in with the Riva connection/admin (service) account (not your personal user unless that is the designated service account), then complete authorization.
- Check Salesforce Connected App access + refresh token policy (to prevent repeated failures).
  In Salesforce, verify the connected app Riva uses is allowed and its refresh tokens are not set to expire immediately:
  - Go to Setup -> App Manager.
  - Find the Riva connected app -> Manage -> Edit Policies.
  - Under OAuth Policies, ensure Refresh Token Policy is NOT set to "Immediately expire refresh token" (or other immediate-expire options), then Save.
For more information, see Salesforce - Connected App Usage Restrictions
If your organization is using stricter app access controls (e.g., “Admin approved users are pre-authorized”), confirm the right users/profiles/permission sets are allowed to access the app:
- Salesforce guidance: grant access via associated profiles or permission sets for the app’s policy.
- Some organizations may see invalid_grant until the token is refreshed via re-validation. Riva recommends admin pre-authorization as a best practice.