'Token has been expired or revoked' - Google OAuth2 Refresh token gets expired in a few days

Asked 5/2, 2021 at 5:58 Answered 11/4, 2023 at 3:40

Solved google-analytics google-api google-developers-console google-developer-tools oauth2-playground

I am using Google Analytics API to fetch analytics data. I tried to authenticate it using following steps:

Created OAuth client ID in https://console.developers.google.com/ credentials section.
In consent screen I had set publishing status as testing
In OAuth 2.0 Playground I got the refresh token using above generated client id and client secret
Then I am using it to generate access token through it.

But after a few days, the refresh token expires although it is mentioned that the refresh token's validity is life long.

Ornamented answered 5/2, 2021 at 5:58 Comment(0)

If your app is in testing mode then user tokens will expire in 7 days. Please find this explanations here: https://support.google.com/cloud/answer/10311615#zippy=%2Ctesting

Ina answered 14/6, 2021 at 8:19 Comment(13)

This was my problem. Thanks! – Carrousel 19/11, 2021 at 14:53

Visit the OAuth consent screen and click on the publish button to change from the testing status to the published status. – Luck 26/12, 2021 at 5:21

@Luck Google wants verification to publish the app. Is there any way to by-pass the verification process? – You 4/4, 2022 at 14:0

@You IIRC, you don't need to verify to publish the app. Users will be warned about an untrusted application if you haven't verified it. For testing purposes, this is fine but if you're deploying to production, I don't think there's a way to bypass verification. – Luck 4/4, 2022 at 14:19

Just wanted to confirm what Spikatrix said as the wording in the Google Cloud Console is very misleading. You DON'T need to verify the app despite all the warnings in the console. My experiments have shown that, as long as the app "Publishing status" says "In production", the tokens will NOT expire after 7 days. – Gingergingerbread 15/4, 2022 at 16:30

Unfortunatly this doesn't seem to solve my problem.. my app has the status 'production' but the token still expires after 7 days. – Impiety 20/5, 2022 at 4:13

@AlexvanEs you solved your problem of refresh token expiring?? – Nose 30/1, 2023 at 10:26

@AlexvanEs Did you manage to find a solution for this? – Isolating 2/2, 2023 at 10:21

@NihalChandwani DId to manage to find a solution for this? – Isolating 2/2, 2023 at 10:21

@Isolating we need to verify app, no option to that, refresh token is needed, that too will expire in 7 days, and about access token, it will expire in 1 hour – Nose 3/2, 2023 at 7:6

@NihalChandwani , If we publish the app in Production mode, the Refresh token will not expire in 7 days right? – Isolating 3/2, 2023 at 10:56

@Isolating yes, according to my research – Nose 6/2, 2023 at 19:5

OMG Man u saved my life – Refrigeration 12/6 at 18:5

I needed to send mails from a gmail account that I have access to, using nodemailer. It works for a couple of days before my refresh token is mysteriously revoked, even though the account belongs to me. A google search brought me here and I had been watching for a while hoping someone would help with a solution.

As you mentioned, this seems to happen with only test/unverified apps and I'm guessing google revokes tokens for such applications in your account after a few days. After much trials and errors, here is what I did.

NOTE: This is solution is only applicable to accounts you own, otherwise you must verify your app to access other people's accounts

Generate a new refresh token (existing one is most likely revoked) as described in this SO post
Go to the security tab of your google account dashboard
Under the Recent security activity section, you should see a security alert for your app.
Click on the context menu next to the notification and click DISMISS
At this point you'll be presented with a dialog of options where you indicate the level of trust you have for the app. I just went ahead and said I trusted the developer/app, obviously. And that's it! The refresh token should persist after this.

I could not find anything related anywhere else.

Inspiratory answered 20/2, 2021 at 14:17 Comment(4)

Is this supposed to prevent the new token from expiring after a week? I dismissed the security notification last week, and my new token has now expired again. Hoping I'm missing something. According to Google's API verification exceptions, verification isn't required for personal use, but there are no details on how to indicate the app is for personal use rather than in testing. – Baggett 13/8, 2021 at 17:2

This workaround didn't work for me. I found the security activity menu and dismissed, but the token still expired 7 days later. – Gingergingerbread 2/4, 2022 at 9:30

@EtienneDechamps It turns out this is the case as mentioned by above https://mcmap.net/q/403879/-39-token-has-been-expired-or-revoked-39-google-oauth2-refresh-token-gets-expired-in-a-few-days. A maximum validity of 7 days is given to tokens for test apps. – Inspiratory 4/4, 2022 at 0:10

you should see a security alert for your app Nope. – Hadlock 19/10, 2022 at 11:57

The other answer pointed me in the right direction but for me the option was located somewhere else: security > security checkup/security issues found > context menu next to your app > dismiss

Celestyn answered 20/4, 2021 at 9:27 Comment(0)

What I did:

Go to https://console.cloud.google.com/apis/credentials/consent and change from the testing status to published.
Delete the current token file.
Authorize the API again by signing into your gmail account. You will be sent to a warning screen. From there, you can choose to proceed.
When done you'll get a new token file

Shunt answered 5/12, 2022 at 14:35 Comment(2)

This only get you into a back and forth conversation with google team trying to verify your app. in the end, they only say that since its for personal use, to keep using unverified app.. and we still end up having to manually change the token every week – Louis 10/2, 2023 at 2:2

As @etienne-dechamps stated, "You DON'T need to verify the app despite all the warnings in the console" – Drown 15/8, 2023 at 18:24

The solution is to delete your token.json file to force Google to find a new token.

I was able to get it to work WITHOUT a verified app. Perhaps the refresh() method will work once my app is verified. Not sure on that one.

Puri answered 3/1, 2022 at 19:33 Comment(1)

Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Stationer 4/1, 2022 at 1:30

This issue seems to be for unverified apps, Simply delete the token file from your project and rerun the project, it will create a new token.

Crept answered 27/5, 2021 at 16:53 Comment(1)

Actually it seams to have nothing to do with being verified. Its only if the app is still in testing. – Yasminyasmine 26/8, 2021 at 8:23

My problem was when I've added access_token instead of refresh_token.

Cicatrix answered 19/1, 2022 at 16:22 Comment(0)

Had this issue with Woocommerce Bookings Calendar Sync app. Kept getting disconnected and there was nothing in the documentation. Reached out to their support who told me to go to the OAuth consent screen and change Publishing status from "Testing" to "In production"

This is the error I noticed:

ERROR Unable to fetch access token with refresh token. Google sync disabled until re-authenticated. Error: "invalid_grant", "Token has been expired or revoked." NOTICE Invalid access token. Reconnect with Google necessary. Code 0. Message: Invalid token format.

Bielefeld answered 11/4, 2023 at 3:40 Comment(0)

Recommended topics

Hot tags