Failure Index / Auth & permissions · critical · LangChain · OpenAI Agents SDK · CrewAI
Gmail / Google API tool fails: invalid credentials or token expired
A Google/Gmail tool failed because the OAuth token expired or lacks the right scope. Google access tokens expire after roughly 1 hour, so agents that run long or infrequently hit this constantly.
The error
gmail api invalid_grant agent
google oauth token expired langchain
401 invalid credentials gmail toolRoot cause
Google OAuth access tokens are short-lived (~1 hour). If the agent stores the access token without refresh logic, every call after expiry fails with 401 invalid credentials. Alternatively the consent screen never granted the scope the tool needs (gmail.send vs gmail.readonly, etc.).
The fix
Use the refresh token to mint a new access token before each run (or when a 401 appears), and verify the granted scopes include the exact ones your tool operations need. Re-run the consent flow if the scope list changed.
Preventing it next time
Never store bare access tokens for agents — store the refresh token and refresh proactively. Pin the scope list next to the tool definitions.
pip install vorlo-trace · npm install vorlo-trace. Start free