Confluence OAuth refresh token invalid_grant — What it means & how to fix it

Confluence integrations rely on a healthy OAuth token lifecycle, with failures often resulting from Atlassian-specific issues like rotating refresh tokens and concurrency problems. When a token refresh request returns an "invalid_grant" error, it usually indicates that the token lifecycle was disrupted, often due to not persisting the new refresh token, overlapping refresh attempts, inactivity expiry, revoked app grants, password changes, or incorrect client credentials. Practical solutions include persisting the rotated refresh token, ensuring single-flight refresh per connection, verifying Atlassian OAuth endpoints, and re-authorizing if necessary. To prevent issues, it's crucial to store replacement refresh tokens, manage refresh concurrency, plan for inactivity expiry, and provide a clear reconnect user experience. Nango offers an open-source solution for managing OAuth processes, including automatic refresh and error handling, allowing developers to focus on product features rather than OAuth complexities.