Support » Plugin: WP Mail SMTP by WPForms » Token has been expired or revoked

  • Resolved christopherdisch


    I am experiencing the following error about once a week on my client’s site. I set everything up as directed, but this continues to happen to cause form failures. I use Elementor Forms on the site and use WP Mail SMTP. I follow the instructions to re-connect, and everything works ok for another week, and then I receive this message again. Here are some details. The client does not use Google Workspace for their email, just a personal Gmail. I set up the API using their email account. I am hoping there is a simple solution to this issue.

    Mailer: Gmail
    "error": "invalid_grant",
    "error_description": "Token has been expired or revoked."
    Please re-grant Google app permissions!
    Go to WP Mail SMTP plugin settings page. Click the “Remove Connection” button.
    Then click the “Allow plugin to send emails using your Google account” button and re-enable access.


Viewing 15 replies - 1 through 15 (of 20 total)
  • bst7


    I am having the same issue, for over a month now – it seems to be ok for a week, and then it silently fails and I have to re-establish the mail service.

    Did you find any solution to this?

    Thread Starter christopherdisch


    I have not heard anything, and I’ve also not found anything online on how to fix this issue. I’m hoping the developer will provide some insight.

    Plugin Support Sanjeev Aryal


    Hi @christopherdisch, @bst7,

    Thanks for reaching out. Generally, the error means that there are permission issues due to the Secret Key (and all tokens that were generated using that key) being invalidated. The issue can happen due to various reasons and can be resolved by re-connecting the account or regenerating the keys. Unfortunately, we aren’t sure why this is happening every week without anything being changed within your account. We’re monitoring this issue and get back to you as soon as we have some updates.


    Thread Starter christopherdisch


    Please let me know if you would like any additional information on the issue.

    Not at the moment, but if you are able to figure out why this is happening, please let me know! If there’s anything else I can do to help…

    We are having the same issue! We badly need a solution to this issue, as the forms on a large website are silently failing and leads are being lost!

    It just did it again on my site.

    I’m guessing:
    I think it is a problem with the plugin. One clue perhaps, is that when I go to establish the credentials with Google, it says that it is “under development” and that I should only proceed if I know the source of the app – presumably it is not getting the correct token to be seen as a completely legitimate client by Google and so it is only allowing temporary access?

    It also says that the client is requesting permission to basically do anything to my email – why does an SMPT service need to read email?

    Plugin Author Gregor Capuder


    Hi everyone,

    it looks like this is happening to more and more users, but we don’t know what the reason behind this account disconnect is. We have a lot of testing sites set up, and we never experienced this issue. I just rechecked my testing sites.

    One of the main things that could cause this issue is if your Google/Gmail API app is in “Testing” mode. Could you please check if the google API project is in the “Production” mode by going to the Google API console, opening the project for our plugin integration, then go to “OAuth Consent Screen” and check the “Publishing status”. More info can be found in this screenshot. It should say “In production”.

    If that’s not the reason, then we have to go over all the Gmail API project options together and see what the differences are. I think it has to be something on Google’s side since they are the ones that invalidate the token, not us.

    And to answer bst7’s questions:
    The Google API app is created by you, to be used just by you, even though on the free Gmail accounts you have the app set to “External use” (no other option is available), but nobody else will use this app apart from you, since you are the only one that knows the project credentials and have logged into it from your secured WP admin dashboard.

    Our plugin requires top-level permission because that’s the best way to future-proof our plugin development. If we were to improve our plugin and would have required only the minimal permission level, upon the plugin update, your connection would be invalidated and the newly added plugin functionality would not work. For example, we added the support for aliases a few versions ago and if we didn’t have the top-level permission, after the update all users would have to reset the connection manually in order for the Gmail mailer to work properly again. It’s just a way to make sure we can keep improving our plugin without any issues for our users.

    Hi Greg,

    When I look at the account, it says the account has a security issue, that “Melbourne Photobook Collective” (our website from which the WPSMTP plugin is activated) has “risky access to your data”… Shouldn’t this be a secure, no problem, access? Why is this coming up as a security concern?

    It says: Unverified Developer Access given to:

    We have granted access to other 3rd party services (MacOS), and that doesn’t have the security concern that yours does.

    Is this expected? Is there any way to fix this?

    To answer your question:
    The Melbourne Photobook Collective was in “Testing”, so I’ve changed this to Publish as you suggest and it now reads “In Production” and (as you describe) it has an “External” user type.

    In the Domain verification tab, there are no domains listed here. Should there be?



    Plugin Author Gregor Capuder


    Hi William,

    could you please show us a screenshot of this security issue, with any personal data blurred out? When I visit my google API app, I can’t see any mention of this.

    Now that you changed it to “In Production”, please go to WP Mail SMTP Settings, remove the connection and create a new one. This one should now not break after a few days.

    The “Domain Verification” tab is OK if it’s empty. You should just have our redirect URI set up in the “Credentials” tab (edit oauth client) under the “Authorized redirect URIs” setting.

    Take care!

    Hi Greg

    I’ve done this (re-linked the SMTP).

    The security issue is on the google account. Go to the Google account, and it says “Security Issues Found”. I also removed this (as advised) before re-linking the plugin.

    It starts here (on the account page):

    Then it expands to this:


    • This reply was modified 1 month, 3 weeks ago by bst7.
    Plugin Author Gregor Capuder


    Hi Bill (or is it William :)),

    thank you for sharing the screenshots. Yes, that is totally fine. The app you created is not verified by Google, because it doesn’t need to be. You are the only one that is using it. This Google OAuth app is created and used by you via the WP Mail SMTP plugin. The domain is used in the redirect URI, because some of the users experienced issues with mod_security and other WP security plugins, when Google redirected back to their WP site. This redirect URI just removes the troubling URL parameter and redirects back to your WP site. This resolves the issue for all our users.

    You would have to verify the Google OAuth app, if other people would be using this app, but that is not the case for you and our plugin users.

    Please let me know if changing the mode from “Testing” to “Production” is the solution to the original problem of the “access token has expired”. So, I suggest checking up on your WP site and the Google OAuth connection in our plugin after a few days and after a week and two weeks. I really hope this is the solution, since we never see any disconnect issues on our sites (our OAuth apps are all in the above-mentioned production mode).

    Have a nice day!

    Hi Gregor

    Thanks for the explanation, really appreciate your details to understand this properly from our end.

    So far so good, I’ll keep an eye on this over the next week or two and post here again to update status.

    William 🙂



    Hi Gregor,

    All good, no further revocations, so I would say that the Google account status of “Testing” is the source of those actions. Thanks for your help


    Plugin Author Gregor Capuder


    Hi William,

    Thank you for letting us know! 🙂

    We’ve already updated the Gmail mailer documentation/guide, so it includes this step for the free Gmail users.

    Thank you and have a nice day!

Viewing 15 replies - 1 through 15 (of 20 total)
  • You must be logged in to reply to this topic.