In Salesforce, a security token is a unique, alphanumeric key that enhances security when connecting to Salesforce from external applications or API tools (such as Data Loader, integrations, or Salesforce CLI) outside of trusted IP ranges. This Salesforce tutorial covers everything admins and developers need to know about security tokens.
What is a Salesforce Security Token?
A Salesforce security token is a 24-character, case-sensitive alphanumeric string that serves as an additional authentication layer. When you access Salesforce from an untrusted IP address, the system requires you to append the security token to your password. This mechanism protects your org from unauthorized access attempts from unknown networks.
Key characteristics of security tokens:
- 24 characters long
- Case-sensitive alphanumeric string
- Automatically generated by Salesforce
- Single-use per session
- Invalidated when password changes
How Security Tokens Work in Salesforce
When logging in from an untrusted IP address, Salesforce requires you to append the security token to your password. This ensures that only authorized users can access Salesforce data from outside the company’s IP range.
Example: If your password is MyPassword123 and your security token is XYZ456789, you’d enter MyPassword123XYZ456789 as the password in your integration tool.
Trusted IP Ranges vs Security Tokens
Security tokens are only required when accessing Salesforce from IP addresses outside your organization’s trusted IP ranges. If your IP address is within the trusted range defined in Setup > Network Access, no security token is needed.
When Security Tokens are Required
Security tokens are mandatory in these scenarios:
- Accessing Salesforce APIs from external applications
- Using Data Loader from untrusted networks
- Integrating with third-party tools that don’t support OAuth
- Connecting via Salesforce CLI from new environments
- Web services API calls from external servers
Note: Modern integration patterns prefer OAuth 2.0 flows over username-password-token authentication for enhanced security.
How to Reset Your Security Token in Salesforce
To receive or reset your security token, follow these steps:
- Go to Setup in Salesforce
- Enter My Personal Information in the Quick Find box
- Select Reset My Security Token
- Click Reset Security Token

Salesforce will immediately send the new security token to your registered email address. The token is delivered instantly and remains valid until your password changes or you reset it again.
Alternative Path for Lightning Experience
In Lightning Experience:
- Click your profile picture in the top right
- Select Settings
- Choose Reset My Security Token from the left sidebar
- Click Reset Security Token
Security Token Best Practices for Salesforce Admins
API-Only Users for Integrations
For external applications and integrations, create dedicated “API-only” users instead of using personal accounts. This approach provides several benefits:
- Isolates integration access from personal user accounts
- Prevents disruption when personal passwords change
- Enables specific permission set assignments
- Simplifies troubleshooting integration issues
Password and Token Management
Critical considerations for admin interview scenarios:
- Changing a user’s password automatically invalidates their security token
- Always coordinate password resets with integration teams
- Set integration user passwords to never expire
- Document which integrations use specific user accounts
Security Token in Salesforce Integration Patterns
Different integration patterns handle security tokens differently:
| Integration Pattern | Security Token Required | Recommended Approach |
|---|---|---|
| OAuth 2.0 Web Server Flow | No | Preferred for web applications |
| OAuth 2.0 Username-Password Flow | Yes (if outside trusted IPs) | Use for server-to-server |
| SOAP API with Session ID | Yes (for login) | Legacy pattern, migrate to OAuth |
| REST API with Session ID | Yes (for login) | Legacy pattern, migrate to OAuth |
Troubleshooting Security Token Issues
Common Security Token Problems
Invalid Login Error: Occurs when the security token is incorrect, expired, or missing. Verify the token was appended correctly to the password.
Integration Failures: Often caused by password changes that invalidate tokens. Check integration logs and reset tokens as needed.
Email Delivery Issues: Security tokens are sent to the user’s registered email. Verify email settings and check spam folders.
Security Token Validation
To test if your security token is working:
- Use Salesforce Workbench (workbench.developerforce.com)
- Enter username, password + token combination
- Successful login confirms token validity
Security Considerations and Interview Questions
Salesforce Security Interview Questions
Common security token questions in Salesforce admin interviews:
- “When are security tokens required?” – Outside trusted IP ranges
- “What happens when you change a user’s password?” – Security token is invalidated
- “How long is a security token valid?” – Until password changes or manual reset
- “Best practice for integration users?” – Create API-only users with non-expiring passwords
Relationship to Other Security Features
Security tokens work alongside other Salesforce security features:
- Trusted IP Ranges: Define networks that don’t require tokens
- Login Hours: Restrict when users can access the system
- Session Settings: Control session timeout and security
- Two-Factor Authentication: Additional security layer beyond tokens
Migration from Security Tokens to Modern Authentication
Salesforce recommends migrating from username-password-token authentication to OAuth 2.0 flows:
OAuth Benefits Over Security Tokens
- No need to manage security tokens
- Better security with refresh tokens
- Granular scope control
- Support for modern authentication standards
Migration Strategy
- Audit existing integrations using security tokens
- Implement OAuth 2.0 flows for new integrations
- Gradually migrate legacy integrations
- Update documentation and training materials
Frequently Asked Questions
What happens to my security token when I change my password?
When you change your password in Salesforce, your existing security token is automatically invalidated. You must reset your security token to get a new one, which will be sent to your registered email address.
How long is a Salesforce security token?
A Salesforce security token is exactly 24 characters long and consists of alphanumeric characters. It is case-sensitive and must be entered exactly as received in the email.
Do I need a security token if I’m using OAuth?
No, OAuth 2.0 authentication flows do not require security tokens. OAuth uses access tokens and refresh tokens instead, providing better security and user experience than the username-password-token method.
Can I use the same security token for multiple integrations?
Yes, the same security token can be used across multiple integrations for the same user account. However, best practice is to create separate API-only users for different integrations to isolate access and simplify management.
Why am I not receiving my security token email?
Check your spam folder first. Verify your email address is correct in your Salesforce user settings. If the email still doesn’t arrive, contact your Salesforce administrator to check email deliverability settings and your user profile configuration.
What’s the difference between trusted IP ranges and security tokens?
Trusted IP ranges are network addresses defined by administrators where users don’t need security tokens. If you access Salesforce from outside these trusted ranges, you must append your security token to your password for authentication.