Google OAuth invalid grant: Token has been expired or revoked — What it means & how to fix it
How to resolve refresh token errors with Google's OAuth
“invalid_grant: Token has been expired or revoked.”
If you work with any Google OAuth access token and refresh token pair long enough, you’ll see this error at some point.
Below is the quick-start explanation developers search for, plus proven tactics to minimize Google refresh token revoked surprises in production.
Spot the error
When your backend POSTs to https://oauth2.googleapis.com/token to swap a Google OAuth refresh token for a new access token, Google can answer with HTTP error code 400:
That single JSON payload means the refresh token is unusable.
Retrying the same request will keep failing until the root cause is fixed.
Why was the refresh token revoked?
Google maintains a long list of reasons why they revoke refresh tokens.
Most common: Your Google OAuth app is in “Testing” mode
If you encounter the issue during development, or if tokens get revoked almost exactly after one week, the most like cause is test mode.
How to check if your app is in test mode:
- Go to https://console.cloud.google.com/auth/audience (change the project of your GCP Cloud Console if necessary)
- Check what it says under “Publishing Status”
If your publishing status is “Testing”, and the user type setting below is “External”, Google will revoke refresh tokens after 7 days.
How to fix it:
Ask your users to re-authorize, or change the publishing status of your app to “Production” (see details on this below).
User revoked access
The end-user removed your application from their Google Account, which immediately invalidates all associated tokens.
Unused for six months
A refresh token that is not used for six consecutive months is automatically invalidated.
Password change with Gmail scopes
If the token includes Gmail scopes and the user resets their password, the refresh token is revoked.
Per-client token limit reached
Each user can hold up to 100 live refresh tokens for a given OAuth client. When the limit is exceeded Google silently invalidates the oldest token.
Admin or time-bounded policies
Workspace administrators can restrict specific scopes (admin_policy_enforced), and users can grant access that expires on a schedule. Once the policy triggers, the token is revoked.
Other undocumented reasons
Google occasionally flags tokens for security heuristics that aren’t published. Bugs, race conditions, and other edge cases could also lead to your token getting revoked.
Ultimately, it’s impossible to know exactly why the refresh token was revoked.
In our experience, a rate ~1% of revoked tokens per month is normal.
How to fix it
1. Check your publishing status
Check the OAuth Consent Screen. If the publishing status is Testing, upgrade to Production. Expect a verification and, for sensitive or restricted scopes, a security review.
2. Not a Testing issue? Ask your users to re-authenticate
A Google refresh token revoked event is final. There’s no endpoint to revive it.
Show an in-app prompt and ask the user to run the OAuth flow again. Persist the new Google OAuth refresh token that Google returns.
How to prevent refresh token issues
A few engineering habits go a long way:
- Refresh on a schedule
Touch the token at least every few days so it never sits idle for six months. - Discard stale access tokens
Once you refresh, throw the old Google access token away. Re-using it can trip Google’s anomaly detection. - Store any new refresh token Google sends back
Some APIs rotate them silently. - Monitor
invalid_grantspikes
Retry once; if it fails again, mark the account “re-auth required” and alert the user. If a large number of access tokens fail to refresh you need to take a closer look.
Skip the headache, let Nango refresh for you
Nango’s open-source authentication layer offers:
- 400 + pre-built OAuth flows, including every Google API
- Automatic OAuth access token refreshing and rotation
- Webhooks that fire the moment a refresh token is revoked, so you can prompt the user instantly.
Focus on product features and Nango handles the token lifecycle.
-min.avif)
.png)