Why Google OAuth Returns
April 13, 2026
Google returns invalid_grant for refresh tokens when the token:
- is no longer valid (for example, revoked, inactive, or invalidated by Google),
- hit a token limit, or
- was restricted by Google, the user, or a Workspace admin.
In many cases, your app cannot tell the exact reason from the error response alone, so the right product behavior is to prompt the user to reconnect their account.
Google's OAuth docs explicitly say refresh tokens can stop working for several reasons, including 7-day expiry for External apps in Testing mode, six months of inactivity, user revocation, password changes when the refresh token includes Gmail scopes, and refresh token limits per user and client.
A few causes are easy to check. Google documents that refresh tokens expire in 7 days when the OAuth consent screen is External and the publishing status is Testing, unless the app only requests basic profile scopes. Google also documents a limit of 100 live refresh tokens per Google Account per OAuth 2.0 client ID. If that limit is exceeded, the oldest refresh token is invalidated without warning.
Some causes are easy to verify from your setup, while others are not distinguishable from the token response alone. A user may revoke access in their Google Account, a Google Workspace admin may block or restrict scopes, or for Google Cloud Platform scopes, session control policies can surface as invalid_grant with an error_subtype such as invalid_rapt. Google also documents that revoked tokens should be treated as no longer usable and discarded.
The practical takeaway is simple: Unified automatically refreshes access tokens. invalid_grant only occurs when the underlying refresh token has been invalidated by Google. Once Google invalidates the refresh token, it cannot be used to obtain new access tokens and requires user reauthorization. That is why Google recommends building your integration to anticipate refresh token failure and restart the authorization flow when needed.
For product teams, the best fix is not trying to guess the exact hidden cause every time. The best fix is a clean reconnect experience. Monitor refresh failures, treat invalid_grant as a reconnect-required state, pause affected jobs, and send the user back through OAuth to obtain a new refresh token. That creates a much better user experience than surfacing a generic auth error with no next step.
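The reconnect-required handling described above, as an added example (not code from Unified or Google): it classifies a failed refresh response and, only for invalid_grant, discards the stored refresh token, pauses jobs, and flags the connection for reauthorization. The Connection record, the state and action names, and the sample response bodies are assumptions constructed for illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Connection:  # hypothetical per-user integration record
    user_id: str
    refresh_token: Optional[str]
    state: str = "active"  # "active" or "reconnect_required"
    jobs_paused: bool = False
    hint: str = ""

def classify(status: int, body: str) -> Tuple[str, str]:
    """Map a failed token-endpoint response to (action, hint)."""
    if status >= 500 or status == 429:
        return "retry", "transient upstream error"
    try:
        err = json.loads(body)
    except ValueError:
        return "investigate", "unparseable error body"
    if not isinstance(err, dict):
        return "investigate", "unexpected error body"
    if err.get("error") == "invalid_grant":
        if err.get("error_subtype") == "invalid_rapt":
            return "reconnect", "session control policy (invalid_rapt)"
        # Revocation, inactivity, token limit, Testing-mode expiry: not
        # distinguishable from the response alone.
        return "reconnect", "refresh token invalidated upstream"
    # Any other OAuth error is not fixed by sending the user through consent.
    return "investigate", str(err.get("error"))

def handle_refresh_failure(conn: Connection, status: int, body: str) -> str:
    action, hint = classify(status, body)
    if action == "reconnect":
        conn.refresh_token = None   # discard: it cannot mint access tokens again
        conn.state = "reconnect_required"
        conn.jobs_paused = True     # stop background jobs from retrying a dead token
        conn.hint = hint            # record the hint, never the token value
    return action

# Constructed sample responses (not captured from Google).
REVOKED = '{"error": "invalid_grant", "error_description": "Token has been expired or revoked."}'
RAPT = '{"error": "invalid_grant", "error_subtype": "invalid_rapt"}'

if __name__ == "__main__":
    c = Connection("user-1", "constructed-refresh-token")
    print(handle_refresh_failure(c, 400, REVOKED), c)
```

Transient failures leave the stored token untouched, so a brief upstream outage does not force every user through consent again.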
Unified handles token refresh automatically, so expired access tokens are never surfaced to your application.
When invalid_grant occurs, it reflects upstream invalidation from Google, not a failure in your integration logic.
FAQs
What does invalid_grant mean in Google OAuth?
It means Google rejected the grant being used, including refresh tokens that are expired, revoked, invalid for that client, or otherwise no longer usable.
Can Google invalidate a refresh token even if my app refreshes tokens automatically?
Yes. In Unified, access tokens are refreshed automatically. invalid_grant only occurs when the refresh token itself has been invalidated by Google. Google can still invalidate it due to revocation, inactivity, token limits, or admin/session policies.
→ Using OAuth 2.0 to Access Google APIs
What is the most common preventable cause?
A consent screen left in Testing mode. For External apps, that can cause refresh tokens to expire after 7 days.
→ Google OAuth 2.0 documentation
What should my app do when this happens?
Prompt the user to reconnect their Google account and obtain a new authorization. Google's guidance is to handle revoked tokens gracefully and restart the auth flow when required.