We get to know when find-actionable-event runs after a user revokes consent to us. At that point, the idp token we hold is invalid and when talking to google this returns 400.
{
"level": "ERROR",
"message": "Google failed response",
"timestamp": "2025-09-09T14:30:59.977Z",
"service": "notifycal-backend",
"cold_start": true,
"function_arn": "arn:aws:lambda:eu-west-1:222261726252:function:find-actionable-events-prod",
"function_memory_size": "512",
"function_name": "find-actionable-events-prod",
"function_request_id": "5bf26fe6-58f5-55ed-8ae2-0edc64a4d1ae",
"sampling_rate": 0,
"xray_trace_id": "1-68c03a23-2eda34bd82e69d305909138d",
"appVersion": "1.0.0",
"awsRegion": "eu-west-1",
"environment": "prod",
"logger": {
"name": "@aws-lambda-powertools/logger",
"version": "2.25.2"
},
"correlation_id": "30d94185-0613-83b0-63b9-378f05b15b8b",
"correlationId": "30d94185-0613-83b0-63b9-378f05b15b8b",
"userId": "34ee63f4-8ef8-520d-81c1-afb3323fc14b",
"idp": "google.com",
"idpId": "115891966119018277387",
"run": {
"lowerBoundStartTime": "2025-09-10T14:30:00.000Z",
"upperBoundStartTime": "2025-09-10T14:59:59.999Z",
"slidingWindowInMinutes": 30
},
"responseError": {
"name": "Error",
"location": "/node_modules/gaxios/src/gaxios.ts:211",
"message": "invalid_grant",
"stack": "Error: invalid_grant\n at SN._request (/node_modules/gaxios/src/gaxios.ts:211:15)\n at process.processTicksAndRejections (node:internal/process/task_queues:105:5)\n at async r.refreshTokenNoCache (/node_modules/google-auth-library/build/src/auth/oauth2client.js:259:19)\n at async r.getRequestMetadataAsync (/node_modules/google-auth-library/build/src/auth/oauth2client.js:372:17)\n at async r.requestAsync (/node_modules/google-auth-library/build/src/auth/oauth2client.js:457:23)\n at async yDe (/node_modules/googleapis-common/build/src/apirequest.js:308:25)\n at async YS (/src/services/observability/metrics.ts:25:20)\n at async Kv.processRecord (/node_modules/@aws-lambda-powertools/batch/lib/esm/BatchProcessor.js:100:28)\n at async Promise.all (index 0)\n at async Kv.process (/node_modules/@aws-lambda-powertools/batch/lib/esm/BasePartialProcessor.js:75:15)",
"cause": {
"message": "invalid_grant",
"code": 400,
"status": "Bad Request"
},
"config": {
"retry": true,
"retryConfig": {
"httpMethodsToRetry": [
"GET",
"PUT",
"POST",
"HEAD",
"OPTIONS",
"DELETE"
],
"currentRetryAttempt": 0,
"retry": 3,
"noResponseRetries": 2,
"retryDelayMultiplier": 2,
"timeOfFirstRequest": 1757428259977,
"totalTimeout": 9007199254740991,
"maxRetryDelay": 9007199254740991,
"statusCodesToRetry": [
[
100,
199
],
[
408,
408
],
[
429,
429
],
[
500,
599
]
]
},
"method": "POST",
"url": "https://oauth2.googleapis.com/token",
"data": {},
"responseType": "unknown",
"duplex": "half",
"headers": {}
},
"response": {
"size": 0,
"data": {
"error": "invalid_grant",
"error_description": "Token has been expired or revoked."
},
"config": {
"retry": true,
"retryConfig": {
"httpMethodsToRetry": [
"GET",
"PUT",
"POST",
"HEAD",
"OPTIONS",
"DELETE"
]
},
"method": "POST",
"url": "https://oauth2.googleapis.com/token",
"responseType": "unknown",
"duplex": "half"
}
},
"code": 400,
"status": 400
}
}
At least we should get this user out of the way so alerting does not get spammy. As things are now the error will happen on every background process run. Then, there are a few options to fix the issue.
We get to know when find-actionable-event runs after a user revokes consent to us. At that point, the idp token we hold is invalid and when talking to google this returns 400.
At least we should get this user out of the way so alerting does not get spammy. As things are now the error will happen on every background process run. Then, there are a few options to fix the issue.