According to the RFC specifications:
The provided authorization grant (e.g., authorization
code, resource owner credentials) or refresh token is
invalid, expired, revoked, does not match the redirection
URI used in the authorization request, or was issued to
Invalid grant issues only take place during a token refresh.
Still having problems?
- Confirm that you do not have multiple developers testing using the same account, this will lead to multiple tokens being created which will constantly invalidate each other.
- 🆕 Check if you have passed the refresh token window (which is 30 days). Once the user gives consent, as we know, the access token lasts for 5 minutes, which you can refresh using the refresh token. This token then lasts for 30 days.
Hence, even if the total consent period may be valid for 90 days, it must be refreshed within a 30-day window using to guarantee total lifetime.
5. If the
invalid_grant error takes place during a code exchange (
authorization_code) after authentication, make sure the code is no older than 5 minutes.
If you need more information...
Have a look at our comprehensive list of the authentication error descriptions in our.
Read our blog post on Refresh Tokens here.