OAuth Error: invalid_grant
Last updated: April 2026
OAuth Token Response
{"error": "invalid_grant", "error_description": "Authorization code is invalid or has expired."}
invalid_grant means the authorization code or refresh token your app sent was rejected. The most common causes are expired codes, reused codes, or clock skew between servers.
Cause 1: authorization code expired
Authorization codes expire quickly (60 seconds in most providers). If your app takes too long to exchange the code, it expires.
# Fix: exchange the code immediately after receiving it
# Do not store or delay the token exchange step
Cause 2: code already used
Authorization codes are single-use. If your callback fires twice (double redirect, retry logic), the second request fails.
# Fix: check if code has already been exchanged before retrying
# Use state parameter to track flow status
Cause 3: clock skew
If your server clock is more than a few minutes off, tokens appear expired to the provider.
# Fix: sync server time
timedatectl set-ntp true   # Linux systemd
ntpdate pool.ntp.org       # manual sync
Cause 4: refresh token expired or revoked
Refresh tokens expire based on provider settings or are revoked when the user changes their password.
// Fix: catch invalid_grant on refresh token requests
// and redirect user through the authorization flow again
if (error === 'invalid_grant') {
  redirectToLogin();
}
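
The fixes for Cause 2 and Cause 4, as an added example that is not part of the original page or any provider's SDK: a tracker keyed by the state parameter that lets a code reach the token endpoint only once and turns invalid_grant into a fresh authorization flow instead of a retry. The class name, method names and the in-memory Map are assumptions for illustration.

```javascript
// Added example: hypothetical in-memory tracker keyed by the OAuth `state` value.
// A real deployment would keep this in the user's session or a shared store with expiry.
class AuthFlowTracker {
  constructor() {
    this.flows = new Map(); // state -> 'pending' | 'exchanging' | 'done'
  }

  // Call when redirecting the user to the provider with a fresh random state.
  begin(state) {
    this.flows.set(state, 'pending');
  }

  // Call from the redirect callback, before contacting the token endpoint.
  // Returns 'exchange' exactly once per flow; any other value means
  // the code must not be sent.
  claim(state) {
    const status = this.flows.get(state);
    if (status === undefined) return 'unknown_state'; // not issued by us: reject
    if (status !== 'pending') return 'duplicate';     // double redirect or retry
    this.flows.set(state, 'exchanging');
    return 'exchange';
  }

  // Call with the parsed JSON body returned by the token endpoint.
  finish(state, body) {
    if (this.flows.get(state) !== 'exchanging') return 'ignored';
    if (body.error === 'invalid_grant') {
      this.flows.delete(state);      // the code is spent: never resend it
      return 'restart_authorization';
    }
    if (body.error) {
      this.flows.delete(state);
      return 'failed';
    }
    this.flows.set(state, 'done');
    return 'tokens_issued';
  }
}
```

RFC 6749 section 4.1.2 says a server that sees a code used twice must deny the request and should revoke tokens already issued from that code, which is why a 'duplicate' result must never fall through to a second exchange.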