We’re suddenly seeing this error for a user who had no issues before, and they have not touched their email provider’s settings (e.g. app approval), so it’s a bit confusing. What would be the common causes of this when using Google? I could not find much in the docs.
This usually pops up in Google OAuth flows (and in Nylas, since we broker them) when Google decides not to send back a refresh_token during the code → token exchange. Without that token, you won’t have long-lived access.
A few things you can try:
On the Google Cloud side (GCP):
- Switch your consent screen to Production (it defaults to “Testing”).
- Double-check your scopes and redirect URIs match exactly what you have in Nylas.
- Revoke the app’s access from your Google account (Google Account → Security → Third-party apps) to reset and force Google to issue a new token.
On the Nylas Dashboard:
- Confirm your redirect URIs are correct.
- Check that your scopes + redirect URIs match the GCP app.
- Make sure your Hosted Auth request includes access_type=offline and prompt=consent.
For testing:
- Try re-authenticating with a fresh user or after revoking access.
- Look at the raw token exchange response from Nylas — if Google returned a refresh_token, it’ll show up there.
If it helps, I can also share the steps to hit our endpoints directly (without running the whole Hosted Auth flow) just to check if the issue is in the auth flow itself or in the Nylas endpoints. Let me know if that would be useful!
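Added example, not part of the reply above and not Nylas or Google code: a small Python check of the two things the answer says to verify, the authorization request parameters and the raw token exchange response. The URLs, redirect URI, scope and token values are constructed samples, and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit, parse_qs


def audit_auth_request(auth_url, registered_redirect_uris):
    """Return findings for an OAuth authorization URL (empty list = OK)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(auth_url).query).items()}
    findings = []
    if params.get("access_type") != "offline":
        findings.append("access_type is not 'offline'")
    # prompt may carry several space-separated values, e.g. "consent select_account"
    if "consent" not in params.get("prompt", "").split():
        findings.append("prompt does not include 'consent'")
    # Redirect URIs are compared as exact strings, trailing slash included
    if params.get("redirect_uri") not in registered_redirect_uris:
        findings.append("redirect_uri is not an exact match for a registered URI")
    return findings


def audit_token_response(raw_json, requested_scopes):
    """Return findings for the raw code-to-token exchange response body."""
    body = json.loads(raw_json)
    findings = []
    if not body.get("refresh_token"):
        findings.append("no refresh_token in response")
    missing = set(requested_scopes) - set(body.get("scope", "").split())
    if missing:
        findings.append("scopes not granted: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample data (not real credentials or real application values).
REGISTERED = ["https://app.example.com/oauth/callback"]
SCOPE = "https://www.googleapis.com/auth/gmail.readonly"
BAD_URL = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=PLACEHOLDER"
           "&response_type=code&scope=" + SCOPE +
           "&redirect_uri=https://app.example.com/oauth/callback/")
GOOD_URL = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=PLACEHOLDER"
            "&response_type=code&access_type=offline&prompt=consent&scope=" + SCOPE +
            "&redirect_uri=https://app.example.com/oauth/callback")
BAD_TOKEN = json.dumps({"access_token": "constructed", "expires_in": 3599,
                        "scope": SCOPE, "token_type": "Bearer"})
GOOD_TOKEN = json.dumps({"access_token": "constructed", "refresh_token": "constructed",
                         "expires_in": 3599, "scope": SCOPE, "token_type": "Bearer"})

if __name__ == "__main__":
    for name, url, tok in (("bad", BAD_URL, BAD_TOKEN), ("good", GOOD_URL, GOOD_TOKEN)):
        print(name, audit_auth_request(url, REGISTERED), audit_token_response(tok, [SCOPE]))
```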