
Google OAuth invalid grant: Token has been expired or revoked — What it means & how to fix it

Blog post from Nango

Post Details
Author: Robin Guldener
Word Count: 695
Summary

The "invalid_grant: Token has been expired or revoked" error is a common failure when working with Google OAuth tokens, particularly when a backend tries to exchange a refresh token for a new access token. It can arise for several reasons: the OAuth application is still in "Testing" mode, the user revoked access, the refresh token went unused for six months, the user changed their password while Gmail scopes were granted, the per-client refresh-token limit was reached, or Google revoked the token for an undocumented security reason. Once a refresh token has been revoked it cannot be restored; the only recovery is to have the user re-authenticate and obtain a new token. To reduce how often this happens, developers should refresh tokens regularly, discard stale access tokens, and persist any new token that Google returns during a refresh. Monitoring for spikes in "invalid_grant" errors helps identify when users need to re-authenticate. Tools like Nango simplify OAuth token management by handling token refreshing and rotation automatically, so developers can focus on product features while the token lifecycle is managed for them.