Genesys Cloud - Developer Community!


  • 1.  Unexpected Long-Lived JWT After Refresh in Genesys Web Messaging SDK with Salesforce OAuth Provider

    Posted 17 days ago

    We're integrating the Genesys Web Messaging SDK into a Salesforce Community Portal (Experience Cloud) that requires authentication. The portal itself serves as our web app, and Salesforce is also acting as our OAuth provider.

    The integration is functioning through a Genesys OIDC-type integration, and initial authentication works correctly. However, when we attempt to refresh the access token, the second JWT returned by Genesys Cloud is valid but has a time-to-live (TTL) that far exceeds expected limits, causing API rejections and a re-authentication loop in the widget.

    Note: I apologize for the length and formality of this post.  It's a complicated issue which has stymied us for more than a week now.  I'll try to distill it to the basics!

    Setup Summary

    1. Salesforce OAuth Client Configuration

    • App Type: External Client App

    • Flows Enabled: Authorization Code and Credentials Flow

    • Scopes:

      • openid, id, profile, email, address, phone

      • offline_access, refresh_token

    • Token Settings:

      • ID Token duration: 2 minutes (for testing)

      • Refresh Token policy: Expires after 365 days

    • Session Timeout: 14 minutes (configured)

    • No PKCE, No JWT-based access tokens, and No custom claims or audiences configured.

    • Callback URLs validated and confirmed multiple times.

    2. Genesys Cloud Integration

    • Integration Type: OpenID Connect (OIDC)

    • Authorization Server URL: Salesforce well-known OIDC endpoint

    • Refresh Token Duration: 900 minutes (15 hours)

    • Client ID/Secret: Matches Salesforce external client app configuration

    3. Genesys Cloud Messenger Configuration

    Within Genesys Cloud Admin → Messenger Configurations, we created a dedicated configuration for our Salesforce-based deployment. The setup is kept simple to minimize variables during authentication testing.

    Channel Setup

    • Channel Type: Web Messaging

    • Version: Draft (not yet deployed to production)

    • Language: English (default and only supported language)

    Messaging Behavior

    • Humanize Conversation: Disabled

    • Clear Conversation: Enabled

    • Conversation Disconnect: Display conversation status and disconnect session

    • Rich Text Formatting: Enabled

    • Typing Indicators: Enabled (both agent and end-user)

    • Attachments: Disabled

    • Automatic Start: Disabled

    Authentication

    • Authentication Enabled: ✅ Yes

    • Integration Type: OpenID Connect Messenger Configuration (points to our OIDC integration tied to Salesforce)

    • Upgrade Anonymous to Authenticated Conversation: Disabled

    • Notifications: Disabled

    This configuration ensures authentication is handled exclusively through the OIDC flow and that no secondary conversation or attachment features interfere with token refresh testing.

    4. Salesforce Portal Configuration

    • The portal is an LWR (Build Your Own) template in Salesforce Experience Cloud.

    • We've added the Web Messaging SDK snippet to the portal's <head> tag for initialization and authentication.

    • The SDK successfully exchanges the Salesforce authorization code for a valid JWT through Genesys Cloud's /token endpoint.

    Problem Description

    • The first JWT returned by Genesys Cloud (after exchanging the Salesforce authorization code) is valid and has the expected 2-minute TTL, matching our Salesforce configuration.

    • After that token expires, the SDK invokes the refresh token command.

    • Genesys Cloud returns a new JWT that appears valid but has a TTL between ~50,000 and 90,000 seconds (roughly 14–25 hours).

    • This token fails validation against Genesys Cloud APIs (which enforce a maximum of 900 seconds / 15 minutes TTL), causing the Web Messenger widget to enter a re-authentication loop.

    • Once in this state, the SDK keeps receiving the same long-lived JWT with each refresh, preventing recovery until the refresh token is revoked or the session is reset.

    We've replicated the exact same workflow using Auth0 as the OAuth provider, and the problem does not occur - the JWTs issued through Genesys Cloud respect the expected TTL from Auth0 every time.

    Example JWT

    Troubleshooting Steps Attempted

    1. Validated all callback URLs and scope configurations in both Salesforce and Genesys Cloud.

    2. Re-issued client credentials and re-authenticated.

    3. Shortened and lengthened session timeouts in Salesforce.

    4. Adjusted refresh token lifetime in Genesys Cloud integration (no change).

    5. Attempted forced logout and SDK re-init; token still re-issued with incorrect TTL.

    6. Confirmed the problem only occurs when the refresh flow is used; initial code exchange works fine.

    Request for Help

    Has anyone seen this behavior where Genesys Cloud issues a JWT with an excessively long TTL after exchanging a Salesforce refresh token?

    • Is there any known incompatibility or additional configuration required on the Salesforce side for OIDC refresh flows?

    • Does Genesys Cloud interpret Salesforce's exp or iat differently when calculating TTL during refresh?

    • Any recommended debugging steps or logs we can capture to confirm the root cause?

    Thanks in advance for your assistance!



    #WebMessaging

    ------------------------------
    Matthew Pfluger
    ------------------------------


  • 2.  RE: Unexpected Long-Lived JWT After Refresh in Genesys Web Messaging SDK with Salesforce OAuth Provider

    Posted 16 days ago

    Hi @Matthew Pfluger, we have the same issue: first we are able to authenticate properly, get the JWT correctly and establish an authenticated connection with messenger, and then when the refresh happens, we end up in a loop. We have had an open ticket with Genesys support for over 1.5 months, but they have not yet been able to help and regularly point to examples which we have looked at anyway. The code we have is the same as in the messenger examples that Genesys has provided, and we use the PING OIDC provider.

    Regards



    ------------------------------
    Vineet Kakroo
    Senior Technical Consultant
    ------------------------------



  • 3.  RE: Unexpected Long-Lived JWT After Refresh in Genesys Web Messaging SDK with Salesforce OAuth Provider

    Posted 14 days ago

    Thanks for the response, Vineet.  It's good to hear that others are facing the issue as well.

    We have an open support ticket with Genesys where we referenced this post.  They said they acknowledge the issue, created a bug, and are "actively working on a resolution".  I hope the ticket isn't open as long as yours! :)



    ------------------------------
    Matthew Pfluger
    ------------------------------



  • 4.  RE: Unexpected Long-Lived JWT After Refresh in Genesys Web Messaging SDK with Salesforce OAuth Provider

    Posted 13 days ago

    Yes @Matthew Pfluger, we got exactly the same reply from Genesys support yesterday for our open ticket.



    ------------------------------
    Vineet Kakroo
    Senior Technical Consultant
    ------------------------------



  • 5.  RE: Unexpected Long-Lived JWT After Refresh in Genesys Web Messaging SDK with Salesforce OAuth Provider

    Posted 13 days ago
    Edited by Jacob Shaw 13 days ago


    ------------------------------
    Jacob Shaw
    Sr. Software Engineer
    ------------------------------



  • 6.  RE: Unexpected Long-Lived JWT After Refresh in Genesys Web Messaging SDK with Salesforce OAuth Provider

    Posted 13 days ago

    I'm sorry, I don't see your message.  Will you please repost?



    ------------------------------
    Matthew Pfluger
    ------------------------------



  • 7.  RE: Unexpected Long-Lived JWT After Refresh in Genesys Web Messaging SDK with Salesforce OAuth Provider

    Posted 13 days ago
    Edited by Jacob Shaw 13 days ago

    Hi Matthew, I retracted my response because I posted it before I saw the replies to the original post. I retracted it because I didn't add much helpful to the discussion, only that this is a potential bug based on the documentation, which states that the JWT will have a TTL of 15 minutes, or the age of the access token, whichever is smaller. The solution as per our policies is to continue to work with Care to get this resolved, since it is a potential bug, and we are limited on how much we can investigate customer data/configuration on this forum.



    ------------------------------
    Jacob Shaw
    Sr. Software Engineer
    ------------------------------
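A client-side sanity check for the situation described in the original post and the documented rule Jacob quotes above (JWT TTL is the smaller of 15 minutes and the access-token age). This is an added example, not code from the Genesys Web Messaging SDK or from anyone in this thread; the sample tokens are constructed with a dummy signature and the 900-second limit, 2-minute access-token lifetime and the "identical token on every refresh" loop condition are taken from the post.

```javascript
// Added example: decode a messenger JWT's payload, compare its lifetime (exp - iat)
// with the documented rule min(900 s, access-token lifetime), and classify a refreshed
// token so a page can stop re-issuing refreshes forever when the same over-long token
// keeps coming back. Decode only: signature verification stays with the API.
const MAX_JWT_TTL_SECONDS = 900; // Genesys Cloud API maximum quoted in the thread

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected a compact JWS with three segments");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// accessTokenLifetimeSeconds: the OAuth provider's access-token lifetime (120 s in the post).
function checkJwtTtl(jwt, accessTokenLifetimeSeconds) {
  const { iat, exp } = decodeJwtPayload(jwt);
  if (!Number.isInteger(iat) || !Number.isInteger(exp)) throw new Error("iat/exp missing or not integers");
  const ttl = exp - iat;
  const expected = Math.min(MAX_JWT_TTL_SECONDS, accessTokenLifetimeSeconds);
  return {
    ttl,
    expected,
    withinApiLimit: ttl > 0 && ttl <= MAX_JWT_TTL_SECONDS,
    matchesDocumentedRule: ttl === expected,
  };
}

// "accept" when the TTL is usable, "retry" on the first over-long token, and
// "reauthenticate" once the refresh returns the identical over-long token again.
function classifyRefreshedJwt(previousJwt, newJwt, accessTokenLifetimeSeconds) {
  const verdict = checkJwtTtl(newJwt, accessTokenLifetimeSeconds);
  if (verdict.withinApiLimit) return "accept";
  return previousJwt === newJwt ? "reauthenticate" : "retry";
}

// Constructed sample tokens (dummy signature); lifetimes mirror the thread: 120 s for the
// first token, 86400 s (24 h, inside the reported 50,000-90,000 s range) for the refreshed one.
function makeSampleJwt(iat, exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ sub: "user@example.invalid", iat, exp })}.dummysig`;
}

const GOOD_JWT = makeSampleJwt(1700000000, 1700000120);
const LONG_JWT = makeSampleJwt(1700000000, 1700086400);
```

Logging `checkJwtTtl(...)` for every refreshed token gives the before/after TTL evidence a support ticket asks for without exposing the signature.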



  • 8.  RE: Unexpected Long-Lived JWT After Refresh in Genesys Web Messaging SDK with Salesforce OAuth Provider

    Posted 12 days ago

    Understood, sorry about that!  Thanks for chiming in, and we look forward to seeing a resolution on this issue.  Have a great weekend!



    ------------------------------
    Matthew Pfluger
    ------------------------------