Viewed   85 times

I am having the same error as this. In my case it is happening when the app is trying to upload a file via Google Cloud Client API.

400 Bad Request
Invalid JWT: Token must be a short-lived token and in a reasonable timeframe

How I load the token is reading a service-account json file, and attach it to CURLOPT_HTTPHEADER in PHP. It did work properly for the past one month, so I am guessing that Google changed the way of authorization.

Has anyone faced & solved this?



I stumbled upon the same issue at roughly the same time, so I expected a generic bug of Google but here is what had happened on my computer :

raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
oauth2client.client.HttpAccessTokenRefreshError: invalid_grant: Invalid JWT: Token must be a short-lived token and in a reasonable timeframe

was caused in my case by a poor synchronisation of the computer's clock where the code was executed that had a lag of 5 minutes (due to a faulty battery for the internal clock). It started working again when I manually changed the internal time of my computer to the correct one.

This solution was mentionned here, but not with the full error message

Wednesday, September 21, 2022

You will need to use both the Developer Key (API Key) and OAuth2. The developer key authenticates who wrote the software and is used for things like quota which is on a per developer basis not a per user basis. OAuth2 is for user authentication and will be need to access the non-public calendar.

OAuth2 has a renew token from which you can generate a session token and this means that you will not need to screen scrape the OAuth screens to get authenticated. To get this I would write a little command line application, or you use a one off PHP page.

  1. Under the Google Api Console go to API Access
  2. Generate a new Client ID and choose Installed Application ( as you will be authenticating you server as you not as your user)
  3. Either using a console app or a one off PHP page authenticate using OAuth and your google account (the one with the calendar you want access to)
  4. In the return from the authentication there should be a renew token, (called renew or refresh or something similar). Save this string and make it available to your PHP site.
  5. When you need to access the service your OAuth library should have a renew/refresh call. There is an example using .Net below.

private IAuthorizationState CreateAuthorization(NativeApplicationClient arg)
   // Get the auth URL:
   IAuthorizationState state = new AuthorizationState(new[] { AdsenseService.Scopes.AdsenseReadonly.GetStringValue() });
   state.Callback = new Uri(NativeApplicationClient.OutOfBandCallbackUrl);
   if (refreshToken.IsNotNullOrEmpty()) // refreshToken you stored in step 4
       state.RefreshToken = refreshToken;
       if (arg.RefreshToken(state))     // This is calling out to the OAuth servers with the refresh token getting back a session token, returns true if successful.
         if (state.RefreshToken != refreshToken) // if the refresh token has changed, save it.
         return this.authorization = state; // Retain the authorization state, this is what will authenticate your calls.
     catch (ProtocolException ex) {...}

The AuthorisationState that has now been renewed can then be used to authenticate call you make to the API. this state can be used many time until it expires and then can be refreshed. As you are authenticating your application as yourself not as a user this AuthorisationState can be shared by all you sessions. Both the current AuthorisationState and the refresh token should be kept securely on your server and never sent to the client, if you ever sent these as part of a response your clients would have the same privileges as your code application

Monday, November 14, 2022

It seems the mistake is because you send a DELETE http verb instead of a POST. Also, the XML namespace attributes in the entry are not required.

By the way, maybe this is a typo, you wrote 'content-lenght' instead of content-length.

Don't send any content in the entry for deletions, as it's not required (and not documented).

$xmlBuild = "<feed xmlns=''
$xmlBuild .= "<entry>";
$xmlBuild .= "<batch:id>1</batch:id><batch:operation type='delete'/>";
$xmlBuild .= "<id></id>";
$xmlBuild .= "</entry>";
$xmlBuild .= "</feed>";

$len = strlen($xmlBuild);
$options = array(
    "headers" => array(
        "Content-type" => "application/atom+xml; charset=UTF-8;",
        "Content-length" => $len
    "body" => $xmlBuild

$httpClient = $client->authorize();
$request = $httpClient->post("", $options); 
// or $request = $httpClient->sendRequest('POST', "", $options); 

$response = $request->getBody()->getContents();

Saturday, October 8, 2022

@Julian. Thank you so much for the inspiration here. I was able to make this work without changing any of the core FB api files.

What happens is, the setExtendedAccessToken call sends the value to setPersistentData which then sends it into session via constructSessionVariableName.

So if we get it out of session, and then set it into the facebook object, we're all set.

Here is my code:

// ask for the extended token and get it from session ...
$access_token = $_SESSION["fb_".FB_APP_ID."_access_token"];
// now set it into the facebook object ....
// now our fb object will use the new token as usual ...
$accessToken = $facebook->getAccessToken();
Monday, December 19, 2022

Invalid grant

When you try to use a refresh token, the following returns you an invalid_grant error:

  • Your server's clock is not in sync with network time protocol - NTP.
  • The refresh token limit has been exceeded.

First, kindly check the synchronization problem with the server clock, see the poor synchronization of the computer's clock answer for additional information. Second, check handling of refresh token and the old tokens. Some flows include additional steps, such as using refresh tokens to acquire new access tokens. For detailed information about flows for various types of applications, see Google's OAuth 2.0 documentation.

Hope this helps!

Sunday, September 4, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :