Google's OAuth Pain: Token invalid – AuthSub token has wrong scope

While I’d been meaning to play with Google’s applications – and integrating them with our own Affinity – for some time, the launch of the Marketplace pushed this experimentation up the priority list.

After spending a fair bit of time hacking on a Sunday, I’d managed to re-purpose our OAuth platform to play nicely with Google, including their need to have the scope variable passed as a part of the token request process.

Regardless, I’d gotten really really really frustrated with a persistent error. While it is now really obvious, I missed it and it cost me a few hours and a lot of frustration, so hopefully this blog will help someone else trying to solve this into the future.

After correctly getting my token and secret for a specific user – and asking for quite a few scope options – I was still getting the error Token invalid – AuthSub token has wrong scope when I was trying to access a document list via OAuth.

While this error talks about AuthSub, I’ve now discovered it is really a generic error message, and applies to any case where the scope of access doesn’t match what you’re asking for, whether it is OAuth or AuthSub. This confusing error message had me off the scent for a while as I started to wonder whether OAuth was supported as widely as I had expected, whether there was a difference between paid and free accounts, and so on…

The problem in my case is that I’d requested a scope to, but using the example code at Google’s Documents Developer Guide I was then going on to interrogate


To make matters worse, even when you explicitly ask for https based feed scopes, Google doesn’t even show them to the user. Seems like in some cases, Google thinks the http vs https distinction doesn’t matter, but when it does care about it, it doesn’t give you an error message that’s any use at all.

Google can't make up its mind if https and http are interchangeable in a scope: each of these scope requests were with https prefixes.

Unfortunately, Google’s own access summary interface doesn’t clarify which versions of the domains are http, and which one’s are https.

So, in summary, if you’re getting a “Token Invalid – AuthSub token has wrong scope” error when you’re trying to use OAuth (or even AuthSub for that matter?), make sure the scope you’re requesting is using the same protocol as you’re using – http vs https makes a very big difference.

35 thoughts on “Google's OAuth Pain: Token invalid – AuthSub token has wrong scope

  1. arf… I almost wanted to cry when i’ve found your post… big thanks.
    Whith OAuth, for almost every providers, it always fails to work for those kind of extremely subtile details

  2. Another thingie I cannot fully grasp is that the URIs of some GData are different than the scope I asked for:
    For example my contacts have this edit url:

    so when i try to fetch them i have the same problem as you did. Once I remove my email from the url and replace it for default it all works again

  3. After having about 3-4 hours spent your post saved me from spending more. Don’t know how to thank you. (seems like I’m not the only thankful here tho =D)

  4. Thanks a million, I still struggled with multiple scopes because while setting the FeedURI for docs I forgot to drop the s 🙂

  5. After struggling with OAuth for quite some time I finally got a way to get the token.AND THEN there was this error.
    You really saved my life!!

    Thank you

  6. Thank you Geoff,
    I had the same issue when retrieving a calendar EventEntry using the EventEntryID retrieved when the calendar EventEntry was first created.

    Unfortunately, even though the EventEntry was created using an SSL connection, the returned EventEntryID had a ‘HTTP’ prefix. I simply replaced ‘HTTP’ with ‘HTTPS’ and it worked like a charm.

    VB .Net snippet
    ‘ the stored evententryid is prefixed with http,
    ‘ but the authsub scope is https
    ‘ Google.GData.Client.GDataRequestException()
    ‘ 401 Token invalid – AuthSub token has wrong scope
    strEventEntryID = strEventEntryID.Replace(“http”, “https”)

    Respectfully yours,


  7. Pingback: "your authorization header here", what’s that? | Gravity Layouts

  8. Hi Geoff,
    Thanks for the write up and it is very helpful.

    I am still struggling with this error when I tried to use google calendar. I am setting the scope as below in omniauth initialize file:

    :scope => [“”, “”]

    I am able to access google docs but when I try to access calendar, I get the same token invalid error … Any other suggestions to troubleshoot the issue? Do I need to set the scope some other way for calender API?

  9. Thanks https is really slightly different from http. Solved my problem and saved my day. Applause and big ungay kiss.

    Cheers Tony

  10. Cheers Geoff! The entry still serves great purpose – your post saved another bunch of hours spent struggling with an error worth of one letter.

  11. Here my contribution to this very time consuming issue. It is maybe possible that if you use https Host Header and you add the port 443 to this value (Host: it could be the case that “Token invalid – AuthSub token has wrong scope” is the generated response. The OAuth2 implementation is very strict! But not all feeds. I have the problem with spreadheets. For further info see my post at google forum!topic/oauth2-dev/-3DB0SC96lo

  12. hi ..thanks for the replay .In market place i set the scope for spreadsheet like this
    This app create a spreadsheet

    but i got

    Token invalid – AuthSub token has wrong scope

    Token invalid – AuthSub token has wrong scope
    Error 401

    this exception how can i solve this please help me

  13. Pingback: Is SSL required to use the google plus api? |

  14. Pingback: Ruby: Create and share Google Drive Spreadsheet at Mark Needham

Leave a Reply to ajv Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s