<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Okta Workflows Connection Fails with "The refresh token is invalid or expired" Error and Requires Reauthorization
Jun 25, 2025
Workflows
Okta Classic Engine
Okta Identity Engine
Overview

Attempting to execute any Okta action cards in a workflow returns the following error when the workflow was previously executing successfully:

{
    "error": {
        "status": 500,
        "message": {
            "statusCode": 400,
            "data": "{\"error\":\"invalid_grant\",\"error_description\":\"The refresh token is invalid or expired.\"}"
        }
    }
}

 

Applies To
  • Workflows
  • Okta Connector
Cause
This will occur if the session for the account used to authorize the Okta connection is cleared, and the OAuth tokens are revoked. This can happen when the session is inadvertently cleared by a Workflow that uses the Clear User Sessions card.
Solution

To determine if the session was deliberately cleared by Okta, use the following query to search the system logs (Okta Admin console > Reports > System Log) for the ID of the account used to authorize the connection during the time frame when the connection stopped working:

eventType eq "user.session.clear" and target.id eq "00urduzspHCdrPdL25d6"

 

If any events are found, the Actor object can be used to identify the user who cleared the session. If the Client > UserAgent > RawUserAgent attribute is set to Azuqua, the action was initiated by Workflows. In this case, the Actor will also be the account used for the Okta connection.
 

session clear event


To prevent the issue from reoccurring after reauthorizing the connection, determine which workflows are using the Clear User Sessions card and add logic to the flow to avoid clearing the session of the account used for the Okta connection.


Related References

Recommended content

Still looking for help?
Loading
Okta Workflows Connection Fails with "The refresh token is invalid or expired" Error and Requires Reauthorization