DEV Community

Rahul Sharma

CF7 to CleverReach Integration Errors: What Each One Means and How to Fix It

A site owner posted on the WordPress forums that their CF7 to CleverReach integration had been throwing errors for a week. The logs looked scary. The plugin author said the spam-related errors could be ignored. Thread closed.

That answer is only partly right. The logs in this thread actually contain three completely different types of errors, each with a different cause and a different fix. If you are seeing similar errors in your CF7 to CleverReach setup, here is what each one actually means.

Error 1: invalid_grant on the OAuth Token Endpoint

POST https://rest.cleverreach.com/oauth/token.php
400 Bad Request
{"error":"invalid_grant","error_description":"Authorization code doesn't exist or is invalid for the client"}

This is the most important error in the log and the only one that is genuinely a problem with your integration. It means the OAuth authorization code your plugin used to connect to CleverReach has expired or been invalidated.

When you first connect the CF7 CleverReach plugin to your account, CleverReach issues an authorization code. That code is exchanged for an access token and a refresh token. If something invalidates those tokens, the plugin can no longer authenticate and every attempt to refresh fails with invalid_grant.

This happens when you change your CleverReach password, when you revoke the app's access in your CleverReach account settings, or when the authorization code expires before the plugin could exchange it. It can also happen if you migrated your WordPress site to a new server and the stored tokens did not transfer correctly.

The fix is to disconnect the plugin from CleverReach and reconnect it from scratch. Go to the plugin settings, revoke the current connection, and go through the authorization flow again. This gives you a fresh set of tokens and clears the invalid_grant error.

Error 2: 403 Forbidden: email not allowed

POST https://rest.cleverreach.com/v2/forms.json/239438/send/activate
403 Forbidden
{"error":{"code":403,"message":"Forbidden: email not allowed"}}

This error appears dozens of times in the log. The plugin author said to ignore it because CleverReach rejects known spam emails. That is accurate, but there is more to understand here.

CleverReach maintains a blocklist of email addresses and domains that have been flagged as spam sources, disposable inboxes, or previously bounced addresses. When your CF7 form receives a submission from one of these addresses, CleverReach refuses to add it to your list. That is actually CleverReach protecting your sender reputation, not something going wrong with your integration.

Looking at the actual email addresses in the log, some are clearly spam bot submissions. The field values for several of these entries contain Telegram phishing links and promotional spam text in what should be a name field. These are not real people filling in your form. They are bots.

So the 403 email not allowed errors are doing you a favour. CleverReach is rejecting spam bot submissions that should never have reached your email list in the first place. You do not need to fix this error. You need to stop the spam bots from submitting your form so they never hit the CleverReach API at all.

Adding a honeypot field or enabling Cloudflare Turnstile on your CF7 form stops most bots before they submit. CF7 has a built-in honeypot option that bots fill in but real users cannot see, and CF7 rejects any submission where that field has a value.

Error 3: 400 Bad Request: duplicate address

POST https://rest.cleverreach.com/v2/groups.json/1173358/receivers
400 Bad Request
{"error":{"code":400,"message":"Bad Request: \"duplicate address 'ackstein01@aol.com'\""}}

This error means someone tried to sign up with an email address that already exists in your CleverReach group. This is not a bug and it is not something you need to fix. CleverReach prevents duplicate email addresses in the same group.

If you want to update an existing contact's details when they submit your form again, you need to use CleverReach's update endpoint rather than the add endpoint. Most CF7 integration plugins use the add endpoint by default and do not handle duplicates.

The Real Problem: Your Form Has No Spam Protection

The most revealing thing in this log is what the spam bot submissions look like. Fields that should contain a person's name contain Telegram links and cryptocurrency scam text. This means your CF7 form is completely unprotected and bots are submitting it freely.

Every spam submission that reaches CleverReach uses one of your API calls and potentially triggers a 403 error in your logs. More importantly, if a bot ever submits with a real-looking email address that CleverReach does not recognise as spam, that address gets added to your marketing list without that person's consent.

Fixing your spam problem protects your CleverReach list quality, reduces unnecessary API calls, and clears most of the errors from your log. The best options are CF7's built-in honeypot, Google reCAPTCHA, or Cloudflare Turnstile, all of which CF7 supports natively.

A More Reliable Way to Connect CF7 to CleverReach

The dedicated CF7 CleverReach plugin works for many people but it has limitations. It relies on an OAuth connection that can break when credentials change, it does not handle duplicate contacts gracefully, and it gives you limited control over which fields are sent and how.

Contact Form to API connects CF7 directly to CleverReach's REST API using a straightforward API key instead of OAuth. API keys do not expire the way OAuth tokens do, so you do not get invalid_grant errors weeks after setting up the integration. You also get full control over the field mapping, which means you can send exactly the data CleverReach expects and avoid payload issues.

Quick Summary

| Error | What it means | What to do |
| --- | --- | --- |
| invalid_grant | OAuth tokens expired or revoked | Disconnect and reconnect the plugin in settings |
| 403 email not allowed | CleverReach blocked a spam or invalid email | Add spam protection to your CF7 form |
| 400 duplicate address | Email already exists in CleverReach group | Normal behaviour, or switch to an update endpoint |
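
The summary above, turned into a small log triage script. This is an added example, not code from the original post or from the plugin. It assumes entries are separated by blank lines and follow the three-line shape of the excerpts quoted earlier (request, status, JSON body); `classify`, `triage` and `ACTIONABLE` are names made up for this sketch.

```python
import json
from collections import Counter

# Constructed sample in the three-line shape of the excerpts above; the address is a placeholder.
SAMPLE_LOG = r"""
POST https://rest.cleverreach.com/oauth/token.php
400 Bad Request
{"error":"invalid_grant","error_description":"Authorization code doesn't exist or is invalid for the client"}

POST https://rest.cleverreach.com/v2/forms.json/239438/send/activate
403 Forbidden
{"error":{"code":403,"message":"Forbidden: email not allowed"}}

POST https://rest.cleverreach.com/v2/groups.json/1173358/receivers
400 Bad Request
{"error":{"code":400,"message":"Bad Request: \"duplicate address 'user@example.com'\""}}

POST https://rest.cleverreach.com/v2/groups.json/1173358/receivers
502 Bad Gateway
<html>upstream error</html>
"""

# Categories that point at the integration itself rather than at form traffic.
ACTIONABLE = {"invalid_grant", "unknown"}

def classify(entry):
    """Map one three-line log entry to a category from the summary table."""
    lines = entry.strip().splitlines()
    try:
        status = int(lines[1].split()[0])
        err = json.loads("\n".join(lines[2:])).get("error")
    except (ValueError, IndexError, AttributeError):
        return "unknown"  # truncated entry or non-JSON body such as a gateway page
    if err == "invalid_grant":  # OAuth endpoint: "error" is a plain string
        return "invalid_grant"
    message = err.get("message", "") if isinstance(err, dict) else ""  # v2 API: object
    if status == 403 and "email not allowed" in message:
        return "email_not_allowed"
    if status == 400 and "duplicate address" in message:
        return "duplicate_address"
    return "unknown"

def triage(log):
    """Return per-category counts and the sorted categories that need a fix."""
    counts = Counter(classify(e) for e in log.strip().split("\n\n"))
    return counts, sorted(counts.keys() & ACTIONABLE)

print(triage(SAMPLE_LOG))
```

A log made up only of 403 and duplicate entries returns an empty action list, which matches the point that those two errors are not faults in the integration.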
