Google Service Account: 401 Unauthorized Error when enabling "Impersonate a User"

minshyh16 · December 31, 2025, 3:59am

I am experiencing a 401 unauthorized_client error when setting up Google Service Account credentials in n8n and enabling the Impersonate a User option.

Despite having the Google Service Account and relevant APIs enabled, and confirming that the setup works via direct API calls (e.g., using a custom script), the credential validation in n8n fails.

{
“error”: “unauthorized_client”,
“error_description”: “Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.”
}

Steps to Reproduce:

Create a Google Service Account and enable Domain-Wide Delegation in the Google Workspace Admin Console.
Configure the required Scopes for the Service Account (see the list below).
In n8n, create new Google API credentials using the Service Account JSON key.
Enable Impersonate a User and provide a valid user email from the domain.
Attempt to save/test the credential, resulting in the 401 error.

Scopes Configured (as shown in the attached image): I have already added the following scopes to the Domain-Wide Delegation settings:

https://www.googleapis.com/auth/gmail.readonly
https://www.googleapis.com/auth/gmail.send
https://www.googleapis.com/auth/gmail.modify
https://www.googleapis.com/auth/spreadsheets
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/calendar
https://www.googleapis.com/auth/drive.metadata
https://www.googleapis.com/auth/presentations

Debug Info:

n8n Version: 2.1.4
Installation: Self-hosted (Docker)

Additional Context: I have verified that the credentials and impersonation work correctly using external tools/scripts, which suggests the issue might be related to how n8n validates the scopes or constructs the JWT token during the credential setup phase.

Shraddha_Singh · December 31, 2025, 5:39am

Is your google app is in testing or production envrionment? have you tried adding that user specifically as a test user to see if it works? and make sure your app is set to external if the email which you are connecting is outside your domain level otherwise Internal is also fine.

minshyh16 · January 5, 2026, 1:50am

I am working in a production environment, and the email account for DWD (Domain-Wide Delegation) is within the same organization. I have already verified the Service Account and DWD settings using a Python script, and they work correctly. However, I’m specifically encountering a 401 error when enabling the credentials in n8n. I’m not sure which OAuth scopes are mandatory for n8n to function properly.

Emils_Bisenieks · January 13, 2026, 3:14pm

Hey! Did you find a way to resolve this?

Nicolas_KLEIN · January 14, 2026, 4:15pm

I have the same issue with a service account which has the single scope `https://mail.google.com/\\\`.

After struggling, I’ve tried creating an AppScript (in GCP) and found out that my service account is well confingured with DWD (domain-wide delegation)

I can use the saved credentials in HTTP Request node (able to retrieve email and querying gmail api) , but not with Gmail Trigger nor other Gmail nodes.

Obviously the issue is into n8n nodes and not into credentials itself

I’m using the Community edition (self-hosted with version 2.2.6)

minshyh16 · January 15, 2026, 1:17am

Hey Emils,

Unfortunately, I haven’t been able to resolve this yet.

I want to highlight that I’ve confirmed my credentials and Scopes work perfectly when I trigger them via a custom script/code. However, the 401 Unauthorized error only persists when using the n8n Google Service Account node with the “Impersonate a User” option enabled. This suggests there might be a specific issue or limitation in how n8n handles the impersonation logic compared to a standard implementation.

Currently, I’m at a standstill because applying for additional Google Scopes or making configuration changes requires a tedious administrative process within my organization. Since the code-based approach works but n8n doesn’t, it’s been difficult to justify these internal hurdles.

I’ll update here if I find a workaround!

minshyh16 · January 15, 2026, 1:20am

@Nicolas_KLEIN thank you for sharing your findings! This confirms exactly what I’ve been experiencing.

Like you, I’ve tested my credentials via custom code/scripts, and they work perfectly. This proves that the Google Cloud side (Service Account, DWD, and Scopes) is configured correctly.

It seems clear now that the issue lies within the n8n Google nodes (specifically when “Impersonate a User” is active), rather than the credentials themselves.

For me, this is particularly frustrating because I’m currently stuck in a tedious administrative/bureaucratic process within my organization to request any further changes to Google Scopes. Since the code-based approach works but the n8n node doesn’t, it’s difficult for me to justify these internal hurdles to my IT department.

I hope the n8n team can look into why the dedicated nodes are failing while manual HTTP requests and external scripts are succeeding.

Nicolas_KLEIN · January 15, 2026, 8:41am

@minshyh16 You can use the n8n “HTTP Request” node with your credentials, just don’t forget to specify the requested scopes for HTTP Request in your credentials.

I also hope a fix to make our workflows lighter and simpler

Emils_Bisenieks · January 15, 2026, 9:30am

@minshyh16 I set up multiple service accounts for each Google product - Drive, Sheets, Docs, Slides, Calendar, Admin, Gmail.

The problem from begining was scopes. So I found this:

github.com/n8n-io/n8n

Google Service Account Credentials Impersonate Implementation

opened 10:43AM - 09 Oct 25 UTC

closed 04:31AM - 25 Nov 25 UTC

StoneCat

in linear Needs Feedback Stale triage:needs-info

### Bug Description I want to reroll the content from the following bugs 1. ht…tps://github.com/n8n-io/n8n/issues/2397 2. https://github.com/n8n-io/n8n/issues/18174 3. https://github.com/n8n-io/n8n/pull/18450 Returned error from Google during credentials setup (if ony impersonate a User is active): `Private key validation failed: 401 - {"error":"unauthorized_client","error_description":"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."}` When you save the credentials with a Impersonate a User eMail (and ignore the error) it is still WORKING for the Nodes: 1. Gmail 2. Google Drive 3. Google Task 4. (More I did not test) But it is NOT working for the Nodes: 1. Google Sheets 2. Google Docs 3. (More I did not test) Check the content of "To Reproduce" that everything was set up correctly and that everything works locally with a Python script or with the workaround. Therefore, I suspect a bug in the implementation of the credentials set-up to fix it globally. ### To Reproduce 1. Create a Google Service Account and generate JSON key ([like here](https://www.youtube.com/watch?v=ArXVlpo3y1k)) 2. Enable needed Google Workspace APIs like Google Docs, Google Sheets, Google Drive, Gmail API or Admin SDK API to the account's project 3. Grant it domain-wide delegation by adding its client id in the Google Workspace delegation settings, and enable the following scope for domain delegation ``` https://www.googleapis.com/auth/gmail.labels,https://www.googleapis.com/auth/gmail.addons.current.action.compose,https://www.googleapis.com/auth/gmail.addons.current.message.action,https://mail.google.com/,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.compose,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.file,https://www.googleapis.com/auth/drive.appdata,https://www.googleapis.com/auth/drive.photos.readonly,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/tasks ``` 5. Create a new Google API credentials in n8n, set service account email and Private key. Verify that it works fine without the activation of the Impersonate 6. Enable Impersonation and provide a valid email from the domain. Test credential again, it fails with the error mentioned (yes this user exists in our google project) Workaround 1 (local python): You can use this python script to test your json content you copied in n8n credentials part - It is working `python3 test_sheet_with_your_json.py "sheet-id-you-want-to-read" --impersonate [email protected]` [test_sheet_with_your_json.py](https://github.com/user-attachments/files/22795056/test_sheet_with_your_json.py) Workaround 2 (JWT token in n8n): 1. Add "Create JWT Token" node in your new workflow. 2. Add a new JWT-Credential. Choose PEM Key as Key Type. Add your generated Private and Public Key from your JSON service account. Algorithm RS256. 3. In your JWT node Use JSON to Build Payload. Add JSON like: ```json { "iss": "client_email like [email protected]", "sub": "Impersonation eMail like [email protected]", "scope": "https://www.googleapis.com/auth/spreadsheets", "aud": "https://oauth2.googleapis.com/token", "exp": {{ $now.plus(10, 'minutes').toUnixInteger() }}, "iat": {{ $now.toUnixInteger() }} } ``` 4. Execute and connect a HTTPS Request Node 5. Method = POST, URL = https://oauth2.googleapis.com/token, Send Query Parameters = True, grant_type = urn:ietf:params:oauth:grant-type:jwt-bearer, assertion = {{ $json.token }} 6. Execute and connect another HTTPS Request Node 7. Method = GET, URL = https://sheets.googleapis.com/v4/spreadsheets/<your_sheet>/values/<your_range>, Send Headers = True, Authorization = Bearer {{ $json.access_token }} 8. Execute and you get the data from the sheet from the impersonated user Workaround 3 (just sheet/word): 1. Open each sheet you want to use in your workflow and add the mail from your service account in shared edit ### Expected behavior Why is workaround 1 and 2 not somehow implemented in the credentials creation part? Again: You can send Mails via gmail node or list all sheets in your drive via drive node from the impersonated user, but you can't edit or read? ### Debug Info # Debug info ## core - n8nVersion: 1.114.4 - platform: docker (self-hosted) - nodeJsVersion: 22.19.0 - nodeEnv: production - database: sqlite - executionMode: regular - concurrency: -1 - license: enterprise (production) ## storage - success: all - error: all - progress: false - manual: true - binaryMode: memory ## pruning - enabled: true - maxAge: 336 hours - maxCount: 10000 executions ## client - userAgent: mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/143.0.0.0 safari/537.36 - isTouchDevice: false Generated at: 2025-10-09T10:41:04.778Z ### Operating System Ubuntu Linux 22.04 ### n8n Version 1.114.4 ### Node.js Version 22.19.0 ### Database SQLite (default) ### Execution mode main (default) ### Hosting self hosted

If I understand correctly, n8n checks all these whatever you are trying to do, so for all DWD records I added these + the necessary for the specific product.
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/drive.file,
https://www.googleapis.com/auth/drive.appdata,
https://www.googleapis.com/auth/drive.photos.readonly,
https://www.googleapis.com/auth/presentations,
https://www.googleapis.com/auth/spreadsheets,
https://www.googleapis.com/auth/drive.metadata

Regarding Gmail, from testing, I think the problem is in the Gmail node itself. HTTP node request worked for me.
@Nicolas_KLEIN Thanks for the extra thing to check.
IF using an HTTP request, you need to add scopes in n8n credentials as well. I add only one:

I did this for a test and I got the results:
GET https://gmail.googleapis.com/gmail/v1/users/{{$json.email}}/messages?maxResults=1

The scopes I used in DWD:

Let me know if this helps!

minshyh16 · January 15, 2026, 9:59am

thank you so much for this deep dive!

Your discovery about n8n potentially checking a “bundled” set of Scopes (Drive, Sheets, etc.) even when only using one product is a huge revelation. It explains why a manual HTTP request (which only sends the specific scope we define) works, while the dedicated n8n nodes fail.

This puts me in a tough spot, though. As I mentioned, my organization has a very strict and tedious administrative process for approving Google Scopes. If I have to request a long list of “extra” Scopes (like Drive and Presentations) just to get a Gmail node working, I will need to provide a very strong technical justification to our IT security team.

This definitely feels like a bug or a rigid design in the n8n Google node implementation. It shouldn’t require unrelated Scopes to function.

I will share your findings with my team to see if we can push through a request for these additional Scopes as a workaround, but I really hope the n8n team can look into decoupling these requirements in the node itself.

Thanks again for the help, this clarifies a lot!

Nicolas_KLEIN · January 23, 2026, 8:10am

I think it’s a security breach to always provide a whole set of unexpected scopes. Besides, the credentials configuration should use the request scope for HTTP requests when this is provided as the default set of scopes instead of a bunch of useless ones. I mean, users can then create different credentials depending on their needs without being asked for a predefined scope they don’t want.