Google Ads token refresh and reconnection

Google refresh tokens don't expire under normal operation — they live until the user explicitly revokes the app in Google Account settings. Wevion auto-refreshes the short-lived access token every ~50 minutes silently. If refresh fails (revoked, account suspended, password reset for some apps), the connector card turns yellow with a Reconnect button. No data loss on reconnect.

Who is this for

Mediabuyers seeing a yellow card on the Google connector, admins setting up alerts, anyone who lost Google Ads sync.

How Google's OAuth differs from Meta's

Google's model is more resilient — under normal use, your token lasts indefinitely. Failures are rare and usually require user action.

What can cause refresh to fail

1. User revokes Wevion from Google Account settings (most common)

   • At myaccount.google.com/permissions → look for Wevion → Remove access

   • Forces full reconnect (no auto-recovery)

2. Google Account suspended or deleted

   • Wevion has no recourse — user must resolve Google-side first

   • Then reconnect

3. Password change (only on apps that haven't passed Google's verification)

   • Rare for Wevion (we're verified)

   • May invalidate refresh token requiring reconnect

4. 6+ months of inactivity (only on apps under specific use criteria)

   • Unlikely in normal use — Wevion makes API calls every 15 min for sync

   • Refresh token effectively never expires from inactivity in normal usage

5. Google deprecates an OAuth version

   • Rare migration event — Wevion forces re-OAuth on product update with announcement

Auto-refresh flow

Behind the scenes (verified in apps/backend/src/providers/google/domains/auth.provider.ts):

• Wevion stores refresh_token encrypted at rest (GOOGLE_TOKEN_ENCRYPTION_KEY env)

• Every ~50 min before access token expires, Wevion calls Google's /oauth2/v4/token endpoint with grant_type: refresh_token

• New access_token returned (1h validity)

• Wevion stores new access token in memory (not DB — short-lived)

• API calls use the fresh access token

• Refresh token is reused (Google doesn't rotate it on each refresh)

Sync continues uninterrupted. You see nothing.

When auto-refresh fails

If Wevion gets invalid_grant from Google:

• Connector card turns yellow with Reconnect button

• Email + Telegram alerts sent (if configured)

• 15-min sync skipped for this Google user

• Affected ad accounts marked Token expired

How to reconnect

Step 1: Open /connect/google-ads

Find the affected Google user (yellow card).

Step 2: Click Reconnect

OAuth popup opens to Google's login screen.

Step 3: Sign in

Use the same Google account ideally (re-establishes the same data attribution).

If you use a different Google account:

• Wevion creates a new Google user record

• Old user remains in DB (admin can archive)

• Sync resumes via the new user (if it has the same customer access)

Step 4: Grant scope

Google prompts for the adwords scope (same as initial connect — see gog-101). Click Continue.

Step 5: Token saved

New refresh token saved encrypted. Card turns green. Sync resumes within 15 min.

What happens during the token-expired gap

Between failure detection and reconnect:

• No new data syncs from Google to Wevion

• Existing data preserved

• Rules don't fire for affected ad accounts (stale data)

• Cannot launch new campaigns to those accounts (publish fails)

• Cannot edit campaigns in Wevion for those accounts

• Existing campaigns continue running on Google (Google serves them, you're billed normally)

A 1-2 day gap is recoverable; a 7+ day gap means you've missed insights and optimization signals.

Avoid token issues

Best practices:

• Don't revoke Wevion from Google Account settings unless you mean to disconnect

• Use a stable Google account — one that won't be deleted when the user leaves the company. For agencies: use a long-term agency account, not the freelancer's personal Gmail

• Connect multiple Google users for redundancy (same as Meta best practice)

• Whitelist Wevion's notification email + Telegram so token alerts get through

Reconnect with a different Google user

If the original user is permanently unavailable (left company, account deleted):

1. Different teammate (or same teammate with different Google account) opens /connect/google-ads

2. Clicks Connect (not Reconnect — that's tied to the original user)

3. OAuth flow creates a new Google user record

4. If the new user has MCC / customer access to the same accounts, sync resumes

This is the off-ramp for employee departures.

Token encryption

• Refresh token stored encrypted at rest via AES-GCM

• Key from GOOGLE_TOKEN_ENCRYPTION_KEY env (secret manager)

• Never logged plaintext

• Decrypted only at API-call time

• Wevion staff cannot read tokens

Email and notification alerts

• In-app: bell icon shows yellow card immediately

• Email: sent within 1-5 min of failure (to billing email)

• Telegram: sent within seconds (if bot connected — gs-115)

Unlike Meta (60-day predictable expiry), Google failures are mostly unpredictable (user-initiated). Wevion can't send a "7 days before expiry" warning — instead alerts fire at the moment of detection.

What you'll see

Healthy Google user:

• Connector card: green badge, Connected

• Last sync: recent (within last 15 min)

• All assigned ad accounts syncing

Unhealthy Google user:

• Yellow card: "Token expired — Reconnect"

• Last sync: stale (> 1 hour)

• Sync stopped for accounts attached to this user

• Dashboard banner: "Google Ads connection needs attention"

Common issues

• Reconnect popup blocked: enable popups for app.wevion.ai.

• Reconnect succeeds but card stays yellow: refresh after 60s; contact support if persistent with google_user_id.

• OAuth fails 'access_denied': user clicked Cancel in Google popup. Retry.

• OAuth fails 'invalid_request': Wevion's OAuth app may have config issue. Contact support.

• "Google Ads access removed": the Google user lost access in Google Ads UI (admin revoked). Re-grant in Google Ads, then reconnect.

• Reconnect creates duplicate Google user: you authenticated with a different Google account. Choose the original or accept the duplicate (clean up old via admin action).

• Sync didn't resume after reconnect: 15-min cycle delay. Use Force sync if available.

Related

• Connect Google Ads — initial OAuth flow

• Meta token health — Meta's similar but different model

• Google Ads troubleshooting — broader issue list