🧩 Client Credentials Flow: New Invalid Scope Error

Salesforce has updated the OAuth 2.0 Client Credentials flow in the Winter ’26 Release to return a clear error when a token request has no valid scopes. This makes debugging integration issues much simpler.


πŸ” The Change

When a token request is made using grant_type=client_credentials and Salesforce finds that none of the effective scopes are supported, it now returns the following descriptive error:

{
  "error": "invalid_grant",
  "error_description": "no valid scopes defined"
}

What It Means

  • Applies only to the Client Credentials flow; other OAuth 2.0 flows are unaffected.
  • If a request includes both supported and unsupported scopes, Salesforce drops the unsupported ones and issues a token for the valid scopes.
  • If all scopes are unsupported, Salesforce rejects the request with the error above.

Unsupported scopes (examples):

  • full → Full access
  • refresh_token / offline_access → Perform requests at any time

Typical supported scope for integrations:

  • api → Manage user data via APIs

🧊 Release Timeline

This update is part of Salesforce Winter ’26, with production rollouts starting September 19, 2025.


❓ Why You Might See This Error

Many integrations using the Client Credentials flow don’t send the scope parameter, and that’s fine.
In such cases, Salesforce uses the scopes configured in the Connected App’s Selected OAuth Scopes section.

If that Connected App contains only unsupported scopes, the request resolves to no valid scopes, resulting in:

invalid_grant: no valid scopes defined

✅ Fix: Ensure at least one supported scope (like Manage user data via APIs (api)) is selected in your Connected App, even if your integration doesn’t explicitly send a scope.


🧭 How to Find and Fix

Step 1: Inventory

  • Identify all integrations using grant_type=client_credentials (e.g., Named Credentials, middleware, background jobs).
  • Locate the corresponding Connected Apps.
  • Review their Selected OAuth Scopes.

Step 2: Remediate

  1. Go to Setup → App Manager → Manage Connected Apps → [App Name] → Edit Policies
  2. Under Selected OAuth Scopes, add:
    • Manage user data via APIs (api)
  3. Remove unsupported scopes (full, refresh_token, etc.).
  4. Ensure the Run As user has:
    • API Enabled
    • Required object CRUD/FLS permissions

Step 3: Add Guardrails

  • Don’t send scope in the request; rely on Connected App scopes.
  • Monitor for token errors containing invalid_grant and “no valid scopes defined”.
  • Document your Connected App scope policy and integration user permissions.
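The scope-resolution rules from “What It Means” and the Step 3 guardrail, as an added example that is not Salesforce’s code: resolve_scopes models the documented behaviour (request scopes, else Connected App scopes; unsupported dropped; nothing left means the new error), and fetch_token sends a scope-less client_credentials request and recognises the error. The token URL, client credentials and the injectable post transport are assumptions for illustration; the supported/unsupported sets contain only the scopes this page names.

```python
import json
from urllib import request, parse, error

# Scope values named on this page (illustrative, not an exhaustive list).
SUPPORTED_SCOPES = {"api"}
UNSUPPORTED_SCOPES = {"full", "refresh_token", "offline_access"}
SCOPE_ERROR = {"error": "invalid_grant", "error_description": "no valid scopes defined"}

def resolve_scopes(requested, connected_app_scopes):
    """Model of the documented behaviour (not Salesforce's implementation):
    no scope in the request -> Connected App's Selected OAuth Scopes apply;
    unsupported scopes are dropped; if none remain the request is rejected."""
    effective = set(requested) if requested else set(connected_app_scopes)
    valid = effective & SUPPORTED_SCOPES
    if not valid:
        return None, dict(SCOPE_ERROR)
    return sorted(valid), None

def is_no_valid_scopes_error(body):
    """True when a token response body is the Winter '26 scope error."""
    try:
        doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    except ValueError:
        return False
    return (isinstance(doc, dict) and doc.get("error") == "invalid_grant"
            and "no valid scopes defined" in str(doc.get("error_description", "")))

def _http_post(url, form):
    """Default transport: POST a form body, return (status, body) even on 4xx."""
    req = request.Request(url, data=parse.urlencode(form).encode(), method="POST")
    try:
        with request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()

def fetch_token(token_url, client_id, client_secret, post=_http_post):
    """Client Credentials request without a scope parameter (Step 3 guardrail).
    Raises RuntimeError naming the Connected App fix when the new error appears."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    status, body = post(token_url, form)
    if is_no_valid_scopes_error(body):
        raise RuntimeError("Connected App has no supported scope: add 'Manage user "
                           "data via APIs (api)' under Selected OAuth Scopes")
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}: {body}")
    return json.loads(body)

if __name__ == "__main__":  # assumed My Domain placeholder, replace before use
    print(fetch_token("https://MY-DOMAIN.my.salesforce.com/services/oauth2/token",
                      "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER"))
```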

🧠 Summary

Area          | Details
--------------|--------------------------------------------------------------
Applies To    | Only OAuth 2.0 Client Credentials Flow
Change        | New descriptive error for missing valid scopes
Release       | Winter ’26 (starts Sep 19, 2025)
Impact        | Token requests with unsupported scopes now fail clearly
Fix           | Add Manage user data via APIs (api) to Connected App scopes
Best Practice | Rely on Connected App configuration instead of sending scope

💡 Pro Tip

If you’re using Azure Logic Apps, MuleSoft, Boomi, or Postman collections with grant_type=client_credentials, review your Connected Apps now and ensure at least one supported scope is configured before Winter ’26 rolls out.


🏁 Final Thought

This update impacts only the Client Credentials flow, improving clarity for integration developers.
By ensuring every Connected App includes the api scope, you’ll keep your machine-to-machine integrations running smoothly through Winter ’26 and beyond.
