INVALID_SESSION_ID: Invalid Session ID found in SessionHeader: Illegal Session

[Ben Egan]

TLDR if experiencing this token refresh error, create a user environment variable SF_TEMP_SHOW_SECRETS to true.

There appears to have been an update in the sf cli package that changes how IC2 needs to interact with it for OAuth connections.

I started getting this error when IC2 was trying to refresh access token to any of my environments.
org.apache.cxf.binding.soap.SoapFault: INVALID_SESSION_ID: Invalid Session ID found in SessionHeader: Illegal Session

I was able to interact with the sf commands in a prompt.

I tried all sorts of things, recreating all connections, even reinstalling sf. I deleted all IC2 files in the intellij appData/Roaming IC2 and options directories. None of that worked.

I noticed this looked odd in the illuminatedCloudSfdxCache.xml file:

<option name="accessToken" value="[REDACTED] Use 'sf org auth show-access-token' to view" />

which I am also seeing now when doing an 'sf org list'

and under the warnings section...

<option name="warnings">
          <list>
            <option value="Secrets are now hidden from 'sf org list' command output. Use the 'sf org auth' commands instead. As a temporary workaround, you can set SF_TEMP_SHOW_SECRETS=true to render these secrets. This workaround will be removed in an upcoming release." />
          </list>
        </option>

So I created a user variable SF_TEMP_SHOW_SECRETS set to true and everything started working again. Connections could refresh and we're back in business. There is now a different warning:

<option name="warnings">
          <list>
            <option value="The SF_TEMP_SHOW_SECRETS env var is set. This is a temporary env var to continue to show secrets in the 'sf org list' command output. This workaround will be removed in an upcoming CLI release. Switch to use the 'sf org auth' commands to avoid future disruption." />
          </list>
        </option>

[Scott Wells]

Hi. Salesforce introduced breaking changes last week in the CLI commands traditionally used to get the access token. IC has already been updated for these changes:

https://illuminatedcloud.blogspot.com/2026/05/2405-release-notes.html

Please let me know if aligning on the latest versions of both IC and the Salesforce CLI doesn't resolve the issue for you.

Note that I do not recommend using that environment variable as it is intended as a short-term workaround for this rather abrupt breaking change, and IC already includes the proper fix.

Regards,

Scott Wells

[Ben Egan]

I had updated the plugin but intelliJ was behind a bit so the latest IC2 plugin available was 2.4.0.0.

After updating everything refreshing the list of connections and using the Test function, I got a few different errors.

Failed to update the cached access token for 'ConnectionId{connectionName='DevB', connectionType=OAUTH}'.

No metadata API server URL. You must call login() first.

I removed a connection and recreated it and all of them now Test ok, refresh has no issues.

I think I'm good to go.

Thanks for the quick response!

Ben

[Gunther]

Hi Scott,

Updated Salesforce CLI to the latest version @salesforce/cli/2.136.8 win32-x64 node-v22.22.2 and IC updated to the latest version (build: 20260526140411, combined with Webstorm)

Error Message: 

Failed to initialize the metadata describe index for cust1_dev:

No metadata API server URL. You must call login() first.

Removed the connection and reinit the connection again (like Ben did), but no success. 

Kind Regards,
Gunther

Op vrijdag 29 mei 2026 om 23:11:31 UTC+2 schreef Ben Egan: