Salesforce OAuth “Invalid Scopes” Issue

Oct 29, 2025

If your integration using the OAuth 2.0 Client Credentials Flow suddenly stopped working after the latest Salesforce release, you’re not alone.

Many teams began seeing this error in preview sandboxes and later in production:


{
  "error": "invalid_grant",
  "error_description": "no valid scopes defined"
}


This caught a lot of admins and developers off guard — especially since the same configuration had worked for months.


⚙️ What’s Happening


In the Winter ’26 release, Salesforce tightened enforcement around OAuth scopes for the client credentials flow.


The endpoint /services/oauth2/token will now reject any request that doesn’t include at least one supported scope.


Previously, if no scopes (or unsupported ones) were specified, Salesforce might still issue an opaque access token that appeared valid. That behavior is now blocked for security and standards compliance.


The flow no longer supports the following scopes:
  • web
  • refresh_token
  • full


If your Connected App isn’t explicitly configured with a valid scope, the call fails with:


invalid_grant: no valid scopes defined


🚀 The Fix


As confirmed in the Salesforce Release Notes and highlighted by Eric Praud’s LinkedIn post, the practical fix is simple:


✅ Add the “Access and manage your data (api)” OAuth scope to your Connected App.


This ensures at least one supported scope is defined, allowing Salesforce to issue a valid token again.


Step-by-Step in Salesforce Setup

  1. Go to Setup → App Manager.
  2. Locate your Connected App used for the integration.
  3. Click the ▼ dropdown next to it and select Edit.
  4. In the Edit Connected App screen:
     • Ensure Enable OAuth Settings and Enable Client Credentials Flow are both checked.
     • Scroll to Selected OAuth Scopes and add ✅ Access and manage your data (api).
     • (Optional) Remove unsupported scopes such as web, full, or refresh_token.
  5. Click Save.
  6. (Optional) From App Manager → Manage → Edit Policies, verify Permitted Users and IP Relaxation settings match your integration’s needs.
  7. Re-run your integration or token request — it should now return a valid access token.
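
To check a Connected App’s scope configuration before re-running the integration, spot scope drift between orgs, and recognise the error above when it does come back, here is an added Python example (not part of the original post). The unsupported scopes and the error text are taken from the post; the org names, My Domain host, client_id and client_secret are placeholders.

```python
import json
from urllib.parse import urlencode

# Scopes the client credentials flow no longer supports, as listed in the post.
UNSUPPORTED_SCOPES = {"web", "refresh_token", "full"}
# Scope the post recommends adding: "Access and manage your data (api)".
REQUIRED_SCOPE = "api"
SCOPE_ERROR = "no valid scopes defined"


def audit_scopes(selected_scopes):
    """Findings for one Connected App's Selected OAuth Scopes (empty list = OK)."""
    scopes = set(selected_scopes)
    findings = []
    unsupported = sorted(scopes & UNSUPPORTED_SCOPES)
    if unsupported:
        findings.append("unsupported for client credentials: " + ", ".join(unsupported))
    if not (scopes - UNSUPPORTED_SCOPES):
        findings.append(f"no supported scope selected; add '{REQUIRED_SCOPE}'")
    return findings


def scope_drift(org_scopes, reference="production"):
    """{org: (missing, extra)} for every org whose scopes differ from the reference org."""
    ref = set(org_scopes[reference])
    drift = {}
    for org, scopes in org_scopes.items():
        current = set(scopes)
        if org != reference and current != ref:
            drift[org] = (sorted(ref - current), sorted(current - ref))
    return drift


def build_token_request(my_domain, client_id, client_secret):
    """URL and form body for the grant; no scope parameter is sent, the Connected App decides."""
    url = f"https://{my_domain}/services/oauth2/token"  # my_domain is a placeholder host
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    return url, body


def diagnose_token_response(raw_body):
    """Map the JSON body returned by /services/oauth2/token to the action to take."""
    body = json.loads(raw_body)
    if "access_token" in body:
        return "ok"
    if body.get("error") == "invalid_grant" and SCOPE_ERROR in body.get("error_description", ""):
        return f"add '{REQUIRED_SCOPE}' to Selected OAuth Scopes"
    return f"other error: {body.get('error')}: {body.get('error_description')}"
```

Run audit_scopes and scope_drift against the scope lists exported from each org before a release, and feed the raw token response to diagnose_token_response in your integration’s error handling.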


🧠 Why This Matters


This update aligns Salesforce with the OAuth 2.0 specification and prevents integrations from using ambiguous or insecure tokens.

It’s also part of the broader tightening of Connected App Usage Restrictions rolling out through 2025.

📖 Learn more: 👉 Get Ready for Changes to Connected App Usage Restrictions


💡 Pro Tips


  • Ensure all orgs (sandbox, staging, production) have the same scope configuration, otherwise integrations may pass in one environment and fail in another.
  • Avoid adding deprecated scopes; they’ll be ignored or stripped automatically.
  • If you use JWT Bearer Flow instead of client credentials, you’ll now see the same clear invalid_grant error instead of the previous generic message.


✅ TL;DR


  • Error: invalid_grant: no valid scopes defined
  • Cause: Connected App missing supported OAuth scopes
  • Fix: Add “Access and manage your data (api)” to Selected OAuth Scopes in the Connected App
  • Avoid: web, full, refresh_token
  • Test: Always validate in sandbox before production deployments


By Ciarán Fitzgerald