How to fix INVALID_LOGIN in Salesforce deployments
The credentials or session a CI pipeline uses to authenticate to Salesforce were rejected before the deployment could even start.
Surfaces during: authentication, before any deploy or DML logic runsWhat it means
INVALID_LOGIN is an authentication error, not a metadata error: Salesforce rejected the login attempt itself, so no deployment logic ever ran. In a CI/CD context this almost always means an expired session, a revoked connected app, or an IP restriction blocking the pipeline's login request.
Because authentication happens before anything else, this error tells you nothing about the deployment's content, a package that's never failed a real deploy can still trip INVALID_LOGIN if the credential connecting to the org is bad.
Common causes
The fix
- Re-authenticate and refresh the stored credentialReconnect the CI pipeline's OAuth authorization or generate a fresh session for the integration user.
sf org login jwt --client-id $CONSUMER_KEY --jwt-key-file server.key --username [email protected] --instance-url https://login.salesforce.com - Add the CI runner's IP range to trusted IPsUpdate the org's network access settings, or the connected app's IP relaxation policy, to allow the pipeline's IP range.
- Rotate credentials in the pipeline the same day they change in SalesforceUpdate the CI secret store immediately whenever the integration user's password, token, or connected app is changed.
How Serpent prevents this
Serpent manages org connections and re-authentication for its own pipelines, so an expired session surfaces as a clear reconnect prompt on the org instead of a cryptic login failure buried in CI logs. See the Salesforce deployment error library.

Prevention
Related errors
INVALID_LOGIN, answered
Start free. No credit card, no install, no commitment.
Set up in under 15 minutes. No DevOps hire needed.
