ToolProviderOAuthError when using Gemini model

Discussion
1

Error log:
Error refreshing credentials: req_id: 75b762d516 PluginInvokeError: {“args”:{},“error_type”:“ToolProviderOAuthError”,“message”:“Network error during token refresh: 400 Client Error: Bad Request for url: https://oauth2.googleapis.com/token”}
———————————————————————————————————————–

What I tried so far:

  • Use a different Gemini API
  • Create a new API in Gemini Studio and use the new API

My Gemini plugin is the latest version.

Thank you in advace for any help!

2

Found the root cause, the error comes from the GMAIL plugin not Gemini model.

3

@Dify_Forum_Helper summarize the Q&A and abstract the troubleshooting approaches, reminding other users not to forget this possibility in the future.

4

下面是这个话题的 Q&A 总结和可复用的排查思路,方便后来的用户遇到类似报错时快速定位问题。

I. Brief Review of the Issue

Error Message:

Error refreshing credentials: req_id: 75b762d516 
PluginInvokeError: {"args":{},"error_type":"ToolProviderOAuthError",
"message":"Network error during token refresh: 400 Client Error: Bad Request for url: https://oauth2.googleapis.com/token"}

User’s Initial Judgment:

  • Thought it was a Gemini model / Gemini plugin error
  • Already tried:
    • Switched to different Gemini APIs
    • Created a new API in Gemini Studio and replaced it
    • Confirmed the Gemini plugin was the latest version

Final Root Cause:

“Found the root cause, the error comes from the GMAIL plugin not Gemini model.”

In other words:
The error occurred within an application/workflow using Gemini, but the real issue was with the Gmail plugin’s OAuth token refresh process, not the Gemini model itself.

II. Troubleshooting Approach Abstracted from This Case (Applicable to All Google OAuth-based Plugins)

1. First, Distinguish: Is it a ‘Model Issue’ or a ‘Tool/Plugin OAuth Issue’?

Pay close attention when you see similar fields:

  • error_type: "ToolProviderOAuthError"
  • The error URL is https://oauth2.googleapis.com/token

These two signals generally indicate:

  • This is a tool/plugin OAuth issue, especially for Google services (Gmail, Calendar, Drive, etc.),
  • rather than an issue with the LLM model (Gemini / OpenAI, etc.) itself.

General Advice:

  1. First, confirm if the error message contains:
    • ToolProviderOAuthError
    • oauth2.googleapis.com/token
  2. Then check in the current workflow:
    • If Google tools like Gmail are enabled
    • If so, prioritize suspecting the tool, not the model

2. Identify ‘Token Refresh Failure’ vs. ‘Initial Authorization Failure’

Keywords in the log:

Error refreshing credentials
token refresh
400 Client Error at oauth2.googleapis.com/token

This type of information indicates:

  • The plugin was previously authorized successfully (had a refresh token)
  • The current failure is during access token refresh, not during the initial OAuth process

Common causes for this 400 error include:

  • Refresh token expired / revoked
  • OAuth client (client_id / client_secret) was changed
  • Google-side application/permissions were adjusted, rendering the old token invalid

General Advice:

  • When encountering ‘refreshing credentials’ or ‘token refresh’:
    • Start by ‘re-authorizing the tool’ (re-run the Gmail / Google OAuth login process)
    • Rather than changing the model API Key first

3. Use ‘Disabling Tools’ to Quickly Pinpoint if it’s a Model or Plugin Issue

To avoid initially suspecting Gemini, as in this post, a simple isolation strategy can be used:

  1. In the same application / workflow:
    • First disable all tools/plugins (including Gmail), keeping only the LLM node
    • Then run it again
  2. There are two scenarios:
    • If the model runs fine alone → Model configuration is generally OK, the issue is with a tool
    • If it still errors without tools → Then re-examine the model’s API Key, model name, quota, etc.

In this post, if Gemini was run alone without Gmail from the start, it would have been easy to see that the error was not with the model.

4. How to Quickly Determine Which Google Plugin Has an Issue

Once you’ve confirmed it’s an OAuth issue, you need to further confirm whether it’s Gmail, Calendar, or another plugin.

Practical Method:

  • Look near the error occurrence: which tool node reported the error during execution
  • If unsure:
    • Disable (or delete) suspicious plugins one by one, then re-run
    • When the error disappears after disabling a certain plugin, you can pinpoint it as the source of the problem

In this post, it was:
Initially thought to be a ‘Gemini model node’, but later realized the real issue was the Gmail plugin enabled in the same workflow.

5. General Resolution Steps for 400 Bad Request + oauth2.googleapis.com/token

Applicable to all Google OAuth-based plugins like Gmail / Calendar / Drive:

  1. Reset the plugin’s authorization in Dify
    • Remove the current Google account connection (or reconfigure the plugin)
    • Click the authorization button again and go through the complete OAuth login / authorization process
  2. Check on the Google Account / Google Cloud Console side
    • In the user’s Google account, under ‘Third-party app access’, check if access for this application has been revoked
    • In Google Cloud Console:
      • Whether the OAuth client has been deleted / disabled
      • Whether client_id, client_secret have been replaced, but not updated in the plugin
      • Whether the configured redirect URI is still correct
  3. Confirm environment consistency
    • After switching to a new OAuth client or creating a new GCP project, old refresh tokens will generally become invalid
    • At this point, re-authorization is required, rather than repeatedly retrying the old token

III. Brief Reminder for Future Users

  • When the error contains:

    • ToolProviderOAuthError
    • https://oauth2.googleapis.com/token

    Then prioritize suspecting Google-based plugins (e.g., Gmail),
    do not immediately ‘blame the model’ (e.g., Gemini, GPT, etc.).

  • In complex workflows, first perform a minimal test by ‘keeping only the model node’:

    • If the model runs successfully alone, it’s likely an issue with a tool/plugin (especially an OAuth tool).

The lesson from this post is:
What appears to be a ‘Gemini model error’ is actually a ‘Gmail plugin OAuth refresh failure’. When you see similar error messages in the future, you can start troubleshooting from here.