ERR_SF_AUTH_EXPIRED on Salesforce: Salesforce Connected App Returns Authentication Failure After Token Expiry. Root cause: Salesforce OAuth authentication token has expired or refresh token is invalid. Common causes: OAuth token expired (default 2 hours), refresh token revoked, user password changed, security token reset, connected app authorization revoked, IP address changed (if IP restrictions enabled). Step 1: Implement the Refresh Token Flow. In your integration code, catch 401 authentication errors and automatically POST to https://login.salesforce.com/services/oauth2/token with grant_type=refresh_token and your stored refresh_token value. Store the new access_token returned and retry the original request. Step 2: Check Connected App Session Policy. In Salesforce Setup, navigate to Connected Apps > Your App > Edit Policies. Set "Refresh Token Policy" to "Refresh token is valid until revoked" to prevent refresh tokens from expiring during normal use. Step 3: Verify IP Restrictions. If your Salesforce org has IP range restrictions, ensure the server IP making API calls is in the trusted IP range. IP restriction failures return the same authentication error as token expiry, making them easy to confuse. Step 4: Re-authorise the Integration. If the refresh token itself has expired, the user must re-authorise the connected app. Build a re-authorisation flow in your application that detects refresh token failures (error: invalid_grant) and redirects the user through the OAuth flow.