OAuth2 refresh token expiry in Integration Hub causes scheduled sync failures

Our scheduled integrations with Salesforce CRM fail after approximately 90 days with authentication errors. We’re using OAuth2 with refresh tokens in Appian 22.2 Integration Hub, but the refresh token itself seems to be expiring.

Error from integration logs:


HTTP 401: Unauthorized
OAuth2 refresh token invalid or expired
Integration: SalesforceDataSync

The initial OAuth2 setup works perfectly, and the integration runs successfully for about 3 months. Then it suddenly fails with this error. We have to manually re-authenticate through the OAuth2 flow to get it working again. Is there a way to configure the refresh token management to handle long-lived scheduled integrations without manual intervention?

We’re running Appian on-premises, so IP addresses haven’t changed. I’m looking at the integration logs more closely and I see the refresh token was last successfully refreshed about 89 days ago. It seems like the automatic refresh isn’t happening even though the scheduled integration runs daily. Could there be a configuration issue with the scheduled integration setup?

Appian stores OAuth2 tokens in its credential store, but there’s a known behavior where if the token refresh fails even once (network blip, temporary API outage), Appian may not automatically retry. The integration then continues using the cached access token until it expires, and when it tries to refresh, the refresh token has also expired due to the failed refresh attempt. You need to implement error handling in your scheduled integration to detect 401 errors and trigger a re-authentication flow.

Thanks for the pointer. I checked our Salesforce Connected App and the refresh token policy is set to “Refresh token is valid until revoked”. So it shouldn’t be expiring based on Salesforce settings. Could this be an Appian-side issue with how it stores or refreshes the token?

This is a common issue with OAuth2 providers. Salesforce’s refresh tokens expire after 90 days of inactivity by default. Even though your integration runs regularly, the refresh token itself has a separate expiration policy. Check your Salesforce Connected App settings - there should be an option to adjust refresh token policies or set them to never expire.

That’s interesting - if the integration runs daily but the refresh token hasn’t been refreshed in 89 days, it means the access token is being reused without triggering a refresh. Check the access token expiration time in your Salesforce Connected App. If it’s set to something long like 12 hours or 24 hours, and your integration runs less frequently than that, Appian won’t attempt a token refresh. The solution might be to reduce the access token lifetime to force more frequent refreshes, which keeps the refresh token active.

I’ve dealt with this exact scenario multiple times. The issue involves all three aspects you mentioned:

1. OAuth2 Refresh Token Management: The 90-day expiration you’re seeing is actually Salesforce’s refresh token inactivity timeout, not the “valid until revoked” policy. Here’s what’s happening:

  • Salesforce refresh tokens expire after 90 days if they haven’t been USED to obtain a new access token
  • Your integration uses the access token (not refresh token) for API calls
  • If the access token never expires during those 90 days, the refresh token goes unused and expires

Solution for refresh token management: In your Connected Object configuration in Appian, verify the token refresh strategy:

  • Go to Integration Hub > Connected Systems > Your Salesforce Connection
  • Check “Token Refresh” settings
  • Enable “Proactive Token Refresh” if available in 22.2
  • Set refresh buffer to 300 seconds (5 minutes) before expiration

2. Scheduled Integration Setup: Your scheduled integration needs proper error handling and retry logic:


Integration Error Handling:
- Catch HTTP 401 responses
- Log authentication failure
- Trigger re-authentication workflow
- Notify administrators

In your process model that calls the scheduled integration:

  • Add an exception flow from the integration smart service
  • Check for authentication errors: `if(fv!error.code = "401", …)`
  • Implement a fallback that triggers OAuth2 re-authentication

3. CRM Connection Configuration: The core issue is your Salesforce access token lifetime. Salesforce Connected Apps default to very long access token lifetimes (up to 12-24 hours), which means:

  • Daily integrations reuse the same access token
  • Refresh token never gets exercised
  • After 90 days of non-use, refresh token expires

Immediate fix: In Salesforce Setup:

  1. Go to App Manager > Your Connected App > Edit Policies
  2. Set “Refresh Token Policy” to “Refresh token is valid until revoked” (already done)
  3. Critical step: Set “Access Token Timeout” to 15 minutes (not hours)
  4. This forces Appian to refresh the token multiple times per day
  5. Frequent refresh token usage prevents the 90-day inactivity expiration

Appian-side configuration (22.2 specific):


Connected System Configuration:
- Authentication: OAuth 2.0 Authorization Code
- Refresh Token Handling: Automatic
- Token Expiration Buffer: 300 seconds
- Retry Failed Refresh: Enabled (3 attempts)

Long-term solution: Implement a token health monitoring process:

  1. Create a daily process that checks token expiration dates
  2. If refresh token age > 80 days, proactively trigger a manual refresh
  3. Store last successful refresh timestamp in a database
  4. Send alerts when refresh fails

Alternative approach - Service Account: For critical scheduled integrations, consider using Salesforce JWT Bearer Flow instead of OAuth2 Authorization Code:

  • JWT tokens don’t have refresh token expiration issues
  • Better for server-to-server integrations
  • Requires certificate-based authentication setup
  • More complex initial setup but eliminates 90-day expiration problem

Monitoring query for future prevention: Add this to your integration logging:


Log on each integration call:
- Access token age
- Refresh token last used date
- Next expected refresh time
- Alert if refresh token unused > 75 days

Implement the Salesforce access token timeout reduction first - this is the quickest fix that addresses the root cause. The 15-minute access token lifetime ensures your daily integration will refresh the token at least once per day, keeping the refresh token active and preventing the 90-day expiration.
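The daily token health check and per-call logging fields described in the answer above, as an added example that is not part of the original thread and not Appian or Salesforce code. The `TokenRecord` fields, the action names and the sample rows are assumptions constructed for illustration; the 75/80/90-day thresholds and the 300-second buffer are the ones stated in the answer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALERT_AFTER = timedelta(days=75)       # "alert if refresh token unused > 75 days"
REFRESH_AFTER = timedelta(days=80)     # "if refresh token age > 80 days" -> refresh
INACTIVITY_LIMIT = timedelta(days=90)  # inactivity expiry described in the thread
REFRESH_BUFFER = timedelta(seconds=300)

@dataclass
class TokenRecord:  # hypothetical row logged on each integration call
    integration: str
    access_token_issued: datetime
    access_token_lifetime: timedelta
    refresh_token_last_used: datetime
    last_refresh_failed: bool = False

def assess(rec: TokenRecord, now: datetime) -> dict:
    """Return the logging fields plus the action the daily check should take."""
    idle = now - rec.refresh_token_last_used
    if idle >= INACTIVITY_LIMIT:
        action = "REAUTHENTICATE"      # refresh token is past the inactivity window
    elif rec.last_refresh_failed:
        action = "RETRY_REFRESH"       # do not wait for the next scheduled run
    elif idle > REFRESH_AFTER:
        action = "FORCE_REFRESH"
    elif idle > ALERT_AFTER:
        action = "ALERT"
    else:
        action = "OK"
    return {
        "action": action,
        "access_token_age": now - rec.access_token_issued,
        "refresh_token_idle_days": idle.days,
        "next_expected_refresh": rec.access_token_issued
        + rec.access_token_lifetime - REFRESH_BUFFER,  # in the past means overdue
        "days_until_expiry": max((INACTIVITY_LIMIT - idle).days, 0),
    }

def run_sample() -> dict:  # constructed sample rows -> {integration: action}
    now = datetime(2024, 6, 1, 6, 0, tzinfo=timezone.utc)
    def row(name, idle_days, failed=False):
        used = now - timedelta(days=idle_days)  # last refresh also issued the token
        return TokenRecord(name, used, timedelta(minutes=15), used, failed)
    rows = [row("SalesforceDataSync", 89), row("SyncB", 77), row("SyncC", 0),
            row("SyncD", 91), row("SyncE", 3, failed=True)]
    return {r.integration: assess(r, now)["action"] for r in rows}

if __name__ == "__main__":
    print(run_sample())
```

A `next_expected_refresh` that lies in the past while the integration is still succeeding is the early sign of the situation in this thread: calls are going through, but no refresh is being performed.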