“Decryption Exception” errors on Named Credential

I have callouts that use a Named Credential and a custom OAuth2 Auth Provider that fail with this error response:

Invalid parameter value “[hidden]” for parameter “Decryption Exception”

A similar error is sometimes shown when I resave the Named Credential:

Unable to Access Page The value of the “Decryption Exception”
parameter contains a character that is not allowed or the value
exceeds the maximum allowed length. Remove the character from the
parameter value or reduce the value length and resubmit. If the error
still persists, report it to our Customer Support team. Provide the
URL of the page you were requesting as well as any other related
information.

When I simulate the OAuth flow and callout in Postman, it always works. I’m quite sure this is a Platform bug.

Answer

The root cause was that the OAuth access token returned by our own Keycloak AuthServer was too complex and lengthy. Salesforce is currently not able to handle it. This was assessed and confirmed by Salesforce.com. They just used https://jwt.io/ to decipher one of our access tokens and saw a lot of useless stuff in there.

By reducing the access_token size (removing useless waste), we could fix the problem.

Besides that, the team at Salesforce responsible for Named Credentials will try to allow longer access tokens from Spring ’20 on. #SafeHarbor
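
To see which claims make an access token long, the payload can be decoded locally and each claim's size listed, largest first. This is an added example, not code from the original answer; the sample token and its values are constructed, with `realm_access` and `resource_access` standing in for the role claims Keycloak puts in access tokens.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def claim_sizes(token: str) -> list[tuple[str, int]]:
    """Return (claim, bytes of compact JSON) pairs, largest first.

    Only inspects the payload; the signature is not verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    payload = json.loads(b64url_decode(parts[1]))
    sizes = [
        (name, len(json.dumps({name: value}, separators=(",", ":")).encode("utf-8")))
        for name, value in payload.items()
    ]
    return sorted(sizes, key=lambda item: item[1], reverse=True)


def build_sample_token() -> str:
    # Constructed sample: every value here is made up, and the signature is dummy bytes.
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "sub": "constructed-user-id",
        "azp": "salesforce-client",
        "scope": "openid profile email",
        "realm_access": {"roles": [f"constructed-role-{i}" for i in range(40)]},
        "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}},
    }
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return ".".join([enc(header), enc(payload), b64url_encode(b"\x00" * 256)])


if __name__ == "__main__":
    token = build_sample_token()
    print(f"token length: {len(token)} characters")
    for claim, size in claim_sizes(token):
        print(f"{size:6d}  {claim}")
```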

Attribution
Source : Link , Question Author : Robert Sösemann , Answer Author : Robert Sösemann
