INVALID_LOGIN: Invalid username, password, security token; or user locked out
A login attempt failed. The platform deliberately folds several very different causes into one message (wrong username, wrong password, missing or stale security token, source IP outside the profile's Login IP Ranges, account locked out) so that the response does not reveal which part was actually wrong. Diagnosis is a process of elimination.
Also seen as: INVALID_LOGIN · Invalid username, password, security token · user locked out · INVALID_LOGIN: Invalid username
The bundled error message is a security feature: the platform won't tell an attacker which part of the credentials was wrong. You can still figure it out, but you have to look at signals beyond the error message.
Process of elimination
1. Username typo
Easiest to rule out. Log into the same org via the UI with the same username and password, from a machine inside the profile's allowed IP ranges (the UI never asks for the security token). If the UI rejects you too, the username/password combination is wrong or the account is locked (step 4). If the UI accepts you, the username and password are correct and the account is not locked, so the cause is the token or an IP restriction on the integration's source address.
2. Security token missing or stale
The SOAP API login call expects the user's security token appended directly to the password whenever the request comes from an address outside the org's Trusted IP Ranges (Setup → Network Access): if the user's password is monkey123 and their token is xyzabc..., the password to send is monkey123xyzabc.... From a trusted address the token is optional.
Tokens are regenerated whenever the user's password is changed or reset. So a working integration that suddenly fails right after the user updated their password almost always means a stale token. The user goes to their personal settings → Reset My Security Token; the new token is delivered only by email to the user's address, and the integration's stored password is updated to password+token. Note that every retry with the stale token counts as a failed login, so a tight retry loop can lock the user out as well (step 4).
Most OAuth flows (recommended over SOAP login) never touch the security token: the JWT bearer and Web Server (authorization code) flows don't need it. The exception is the legacy OAuth Username-Password flow, which sends the password in the token request and therefore needs the token appended exactly as the SOAP login does, unless the source address is trusted.
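The SOAP side of the token rule above, as an added example (it is not Salesforce's SDK code): build the login() envelope with the token appended only when the caller is outside the trusted ranges, and recognize the INVALID_LOGIN fault in the response. The namespaces and the sf:INVALID_LOGIN faultcode are the Partner API's own; the credentials and the two response documents are constructed sample data.

```python
"""SOAP login() request with the security token appended, and INVALID_LOGIN
fault detection. Added example, not Salesforce's SDK; credentials and
response documents below are constructed samples."""
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER_NS = "urn:partner.soap.sforce.com"
FAULT_NS = "urn:fault.partner.soap.sforce.com"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("urn", PARTNER_NS)


def login_password(password: str, security_token: Optional[str],
                   from_trusted_ip: bool = False) -> str:
    """Value for the <password> element: the password immediately followed by
    the token. The token may be omitted only when the request comes from an
    address inside the org's Trusted IP Ranges (Setup -> Network Access)."""
    if from_trusted_ip or not security_token:
        return password
    return password + security_token


def soap_login_envelope(username: str, password: str, security_token: Optional[str] = None,
                        from_trusted_ip: bool = False) -> bytes:
    """Serialize the login() call. ElementTree escapes '&' and '<' inside the
    credential, which hand-built string templates routinely get wrong."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    login = ET.SubElement(body, f"{{{PARTNER_NS}}}login")
    ET.SubElement(login, f"{{{PARTNER_NS}}}username").text = username
    ET.SubElement(login, f"{{{PARTNER_NS}}}password").text = login_password(
        password, security_token, from_trusted_ip)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_login_fault(response_xml: bytes) -> Optional[Tuple[str, str]]:
    """Return (exceptionCode, faultstring) when the response is a SOAP fault,
    None when it is a loginResponse. Only INVALID_LOGIN is the bundled code;
    any other exceptionCode is already more specific and worth surfacing."""
    root = ET.fromstring(response_xml)
    fault = root.find(f".//{{{SOAP_NS}}}Fault")
    if fault is None:
        return None
    code = fault.findtext(f".//{{{FAULT_NS}}}exceptionCode")
    if code is None:
        # Fall back to the prefixed faultcode form, "sf:INVALID_LOGIN".
        code = (fault.findtext("faultcode") or "").split(":")[-1]
    return code, (fault.findtext("faultstring") or "").strip()


# Constructed sample responses in the Partner API's fault and success shapes.
SAMPLE_FAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:sf="urn:fault.partner.soap.sforce.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>sf:INVALID_LOGIN</faultcode>
      <faultstring>INVALID_LOGIN: Invalid username, password, security token; or user locked out.</faultstring>
      <detail>
        <sf:LoginFault xsi:type="sf:LoginFault">
          <sf:exceptionCode>INVALID_LOGIN</sf:exceptionCode>
          <sf:exceptionMessage>Invalid username, password, security token; or user locked out.</sf:exceptionMessage>
        </sf:LoginFault>
      </detail>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>"""

SAMPLE_SUCCESS = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <loginResponse xmlns="urn:partner.soap.sforce.com">
      <result><sessionId>constructed-session-id</sessionId></result>
    </loginResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(soap_login_envelope("svc@example.com", "monkey123", "xyzabc").decode())
    print(parse_login_fault(SAMPLE_FAULT))
```

POST the envelope to https://login.salesforce.com/services/Soap/u/<version> with SOAPAction set; the request itself is left out so the block runs offline. Keep the token with the password in the same secret store: rotating one without the other is exactly the stale-token failure described above.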
3. IP restriction on the profile
The user's profile may have Login IP Ranges configured. These are hard restrictions: a login from an address outside the ranges is refused, and it surfaces as this same error. Don't confuse them with the org-level Trusted IP Ranges (Setup → Network Access), which only decide whether the security token or identity verification is required.
Diagnosis: Setup → Profiles → the user's profile → Login IP Ranges, and compare with the address the integration actually egresses from (for hosted CI runners or NAT-ed clusters this is rarely the host's own address). Either widen the range or remove the restriction. For machine-to-machine integrations, prefer adding the egress range of your CI or server cluster over removing the restriction; ranges are entered as a start and an end address, not as CIDR blocks.
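A check for the IP-range step, as an added example (not Salesforce tooling): compare the integration's egress addresses with the profile's configured ranges, and convert between the start/end form the profile UI wants and the CIDR blocks providers publish. The ranges and addresses are constructed sample data.

```python
"""Compare an integration's egress addresses with a profile's Login IP Ranges.
Added example, not Salesforce tooling; ranges and addresses are constructed."""
import ipaddress
from typing import Iterable, List, Tuple

IPRange = Tuple[str, str]  # (start, end) exactly as typed into Login IP Ranges


def parse_login_range(start: str, end: str):
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if s.version != e.version:
        raise ValueError("start and end must be the same IP version")
    if s > e:
        raise ValueError("start must not be after end")
    return s, e


def cidr_to_login_range(cidr: str) -> IPRange:
    """CIDR block -> (first, last) address, the form the profile UI accepts."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def login_range_to_cidrs(start: str, end: str) -> List[str]:
    """Inverse: a start/end range as CIDR blocks, for comparing against a
    provider's published egress list."""
    s, e = parse_login_range(start, end)
    return [str(n) for n in ipaddress.summarize_address_range(s, e)]


def ip_allowed(ip: str, ranges: Iterable[IPRange]) -> bool:
    addr = ipaddress.ip_address(ip)
    for start, end in ranges:
        s, e = parse_login_range(start, end)
        # Never compare across versions: ipaddress raises TypeError.
        if s.version == addr.version and s <= addr <= e:
            return True
    return False


def blocked_egress(egress_ips: Iterable[str], ranges: Iterable[IPRange]) -> List[str]:
    """Addresses that will be refused at login. A profile with no ranges
    configured is unrestricted, so nothing is blocked in that case."""
    ranges = list(ranges)
    if not ranges:
        return []
    return [ip for ip in egress_ips if not ip_allowed(ip, ranges)]


# Constructed sample: the profile's ranges and the CI runners' egress addresses.
PROFILE_RANGES = [("203.0.113.0", "203.0.113.255"), ("2001:db8::", "2001:db8::ffff")]
CI_EGRESS = ["203.0.113.42", "198.51.100.7", "2001:db8::1"]

if __name__ == "__main__":
    print("blocked:", blocked_egress(CI_EGRESS, PROFILE_RANGES))
    print("add to profile:", cidr_to_login_range("198.51.100.0/24"))
```

Get the egress list from the integration's actual outbound path (a `curl ifconfig.me`-style probe from the runner, or the NAT gateway's address), not from the host's interface address.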
4. User is locked out
Too many consecutive wrong passwords lock the account. Both numbers come from the org's password policy (Setup → Password Policies: Maximum invalid login attempts and Lockout effective period); the lockout is commonly 15 minutes. A locked account produces the same INVALID_LOGIN, and failed API logins count toward the limit, so an integration retrying with a stale token can lock its own user out. Diagnosis: as an admin, Setup → Users, open the user record; a locked user shows an Unlock button next to Reset Password, and the Login History related list shows the failed attempts with their source IPs.
You can unlock them from the same screen, or wait for the lockout period to expire. Before unlocking, look at the source IPs in Login History: repeated failures from an address you don't recognize are a credential-guessing attempt, not a misconfiguration, and unlocking just gives the attacker another batch of tries.
5. The org is in maintenance mode
During Salesforce-initiated maintenance windows, parts of the platform reject logins. Check the Trust status site (status.salesforce.com) for your instance before chasing any of the causes above.
The OAuth equivalents
If you're hitting the OAuth token endpoint (/services/oauth2/token), the equivalent error is invalid_grant, usually with error_description "authentication failure". The bundled-cause behaviour is the same: wrong username, wrong password, missing security token (Username-Password flow only), locked account, IP restriction, MFA required but not supplied, or an expired or revoked refresh token. Use the techniques above and check that MFA is satisfied (most interactive OAuth flows now require it for human users). Other error codes are not credential problems at all: invalid_client_id and invalid_client point at the connected app's consumer key or secret.
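The OAuth side, as an added example (not a Salesforce SDK): build the Username-Password token request with the security token appended, sort the token endpoint's error codes into "user credentials" versus "connected app" problems, and refuse to retry a rejected credential so the integration cannot lock its own user out. The endpoint path, grant type and error codes are the platform's; the response bodies are constructed samples.

```python
"""Username-Password OAuth flow: token request body and error triage.
Added example, not a Salesforce SDK; response bodies are constructed."""
import json
from typing import Optional, Tuple
from urllib.parse import urlencode

TOKEN_PATH = "/services/oauth2/token"


def token_request_body(client_id: str, client_secret: str, username: str, password: str,
                       security_token: Optional[str] = None, from_trusted_ip: bool = False) -> str:
    """Form body for grant_type=password. The token is appended to the password
    exactly as for SOAP login; it is optional only from an org Trusted IP Range."""
    secret = password if (from_trusted_ip or not security_token) else password + security_token
    return urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": secret,
    })


# Error codes the token endpoint returns and which side each one points at.
# invalid_grant is the bundled case; the rest are not credential problems.
ERROR_CAUSES = {
    "invalid_grant": "user login: username, password, token, lockout, IP range or MFA",
    "invalid_client_id": "connected app: consumer key wrong, or app not installed in this org",
    "invalid_client": "connected app: consumer secret wrong",
    "inactive_user": "user record is deactivated",
    "inactive_org": "org is locked or expired",
    "rate_limit_exceeded": "too many token requests; back off",
}

# error_description values that narrow an invalid_grant down when present.
GRANT_DETAILS = {
    "authentication failure": "credentials rejected: username, password, token, lockout or MFA",
    "ip restricted or invalid login hours": "profile Login IP Ranges or Login Hours",
    "expired access/refresh token": "refresh token expired or revoked; re-authorize",
}


def classify_token_response(status: int, body: str) -> Tuple[str, str]:
    """Return (error_code, explanation); error_code is "ok" on success."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return "ok", "login succeeded"
    err = data.get("error", "http_%d" % status)
    desc = data.get("error_description", "")
    if err == "invalid_grant" and desc in GRANT_DETAILS:
        return err, GRANT_DETAILS[desc]
    return err, ERROR_CAUSES.get(err, "unrecognised: " + desc)


def should_retry(status: int, body: str) -> bool:
    """Never resend rejected credentials: each attempt with a stale token counts
    as a wrong password and will lock the user out. Retry transient failures only."""
    if status >= 500:
        return True
    err, _ = classify_token_response(status, body)
    return err == "rate_limit_exceeded"


# Constructed sample responses in the token endpoint's JSON shape.
SAMPLE_INVALID_GRANT = '{"error":"invalid_grant","error_description":"authentication failure"}'
SAMPLE_BAD_KEY = '{"error":"invalid_client_id","error_description":"client identifier invalid"}'
SAMPLE_OK = '{"access_token":"constructed-token","instance_url":"https://example.my.salesforce.com","token_type":"Bearer"}'

if __name__ == "__main__":
    print(token_request_body("cid", "csecret", "svc@example.com", "monkey123", "xyzabc"))
    for status, body in ((400, SAMPLE_INVALID_GRANT), (400, SAMPLE_BAD_KEY), (200, SAMPLE_OK)):
        print(classify_token_response(status, body), "retry:", should_retry(status, body))
```

The retry rule is the part worth copying: a client that treats invalid_grant like a network error and loops will turn a stale token into a locked-out service account within a minute.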
A sneaky cause: MFA on a service account
Salesforce has required MFA for production user logins since February 2022. An integration user that logs in with a password (SOAP login or the Username-Password flow) may have kept working until your admin enforced MFA org-wide; from that moment every password-only login fails with this error, including the ones behind your service-account integrations, and nothing in the message says MFA is the reason.
The fix: switch the service account to the JWT bearer flow (certificate-based, no interactive login, so MFA does not apply; the connected app needs the signing certificate uploaded and the user must be pre-authorized for the app), or give the integration user the API Only User permission, which blocks UI login altogether and keeps the user out of the MFA requirement. Either way, the account should carry only the object permissions the integration needs.
