rashidpbi

🤯 Understanding Google OAuth2 Token Refresh in Node.js (with googleapis)

When integrating Google OAuth2 in your Node.js / Next.js app using the googleapis library, a key question is:

🧠 "How do I handle access token expiration and refresh automatically?"

Turns out — you don't need to handle much at all. But understanding why and how took me down a rabbit hole. Here's what I learned so you don't get stuck like I did.

🔑 The Basics

When you authorize a user via the OAuth2 web server flow (access_type: "offline"), Google returns:

  • access_token – short-lived, used for API requests
  • refresh_token – used to get a new access token
  • expiry_date – timestamp (in ms) when the access token expires

✅ The Simple Solution

The good news? You can make Google auto-refresh tokens just by doing this:

// oauth2Client is a google.auth.OAuth2 instance; the three values are the ones saved at authorization
oauth2Client.setCredentials({
  access_token,
  refresh_token,
  expiry_date,
});

Then, call the API like normal:

const calendar = google.calendar({ version: "v3", auth: oauth2Client });
await calendar.events.delete({
  calendarId: "primary",
  eventId: "123",
});

If the access_token is expired, the client automatically refreshes it using the refresh_token.

🎉 No need to manually check expiry or refresh!

🤔 Then Why Do People Use getAccessToken()?

Great question!

Use getAccessToken() only when you need the raw token string, such as:

  • Adding it to custom headers
  • Injecting into a GraphQL/WebSocket context
  • Logging / debugging

const { token } = await oauth2Client.getAccessToken();

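Otherwise, skip it. The client library attaches and refreshes the token internally during requests. The string getAccessToken() returns is a bearer credential, so keep it out of persistent logs.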

🧪 How I Tested the Refresh Behavior

Want to test token refresh manually without waiting for expiration?

Just fake the expiry like this:

oauth2Client.setCredentials({
  access_token,
  refresh_token,
  expiry_date: Date.now() - 1000, // fake it as expired
});

Then make a normal API call — it will refresh in the background.

👀 Bonus: Log When Token Refresh Happens

You can log when a refresh happens using the tokens event:

oauth2Client.on("tokens", (tokens) => {
  // Prints the token values themselves, so keep this to local debugging
  console.log("🔄 Refreshed tokens:", tokens);
});

Perfect for debugging or confirming it's working.
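
A handler for the same tokens event that saves refreshed credentials and logs only non-secret metadata, as an added example that is not from the original post. The store, the stand-in client and the token strings are constructed for illustration; the merge step assumes the event payload can arrive without a refresh_token, which the googleapis documentation says is only returned on the first authorization.

```javascript
// Summarize a token payload without exposing any credential value.
function redactTokens(tokens) {
  return {
    has_access_token: Boolean(tokens.access_token),
    has_refresh_token: Boolean(tokens.refresh_token),
    expiry_date: tokens.expiry_date ?? null,
  };
}

// Merge a refresh payload into the stored credentials. A payload without a
// refresh_token must not wipe the one saved at first authorization.
function mergeCredentials(stored, incoming) {
  const merged = { ...stored, ...incoming };
  if (!incoming.refresh_token && stored.refresh_token) {
    merged.refresh_token = stored.refresh_token;
  }
  return merged;
}

// Works with any client that exposes on("tokens", ...), as OAuth2Client does.
function attachTokenPersistence(client, store, log = console.log) {
  client.on("tokens", (tokens) => {
    const merged = mergeCredentials(store.get() || {}, tokens);
    store.set(merged);
    log("Refreshed tokens:", JSON.stringify(redactTokens(merged)));
  });
}

// Constructed stand-in for the client's on/emit interface (runs offline).
function makeFakeClient() {
  const handlers = [];
  return {
    on: (event, fn) => { if (event === "tokens") handlers.push(fn); },
    emit: (event, payload) => { if (event === "tokens") handlers.forEach((fn) => fn(payload)); },
  };
}

// Constructed in-memory store; a real app would use its database or secret store.
function makeMemoryStore(initial) {
  let value = initial;
  return { get: () => value, set: (next) => { value = next; } };
}

// Constructed sample: stored credentials plus a refresh payload with no refresh_token.
const demoStore = makeMemoryStore({ access_token: "old-access", refresh_token: "saved-refresh", expiry_date: 1 });
const demoClient = makeFakeClient();
attachTokenPersistence(demoClient, demoStore);
demoClient.emit("tokens", { access_token: "new-access", expiry_date: 1700000000000 });
```

With the real library, pass the OAuth2Client instance in place of the stand-in client.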

🧠 Lessons Learned

  • The docs are technically right, but don't show everything clearly
  • The googleapis package uses google-auth-library internally, which handles refresh logic
  • Set a past expiry_date + make a request = auto-refresh
  • Use getAccessToken() only when you need the token string
  • You don't need to memorize class hierarchies — but checking inheritance (like OAuth2Client → AuthClient) helps

🏁 Final Tip

If you're ever unsure about how a client like OAuth2Client behaves:

  • Look for event hooks (like tokens)
  • Check method docs (getAccessToken, request)
  • Look at class inheritance
  • Test locally with fake expiry
