Hello everyone,
I’m facing a very persistent 403 - Request had insufficient authentication scopes error when trying to use the Google Photos API through the HTTP Request node.
The strange part is that the OAuth2 authentication flow completes successfully every single time. I can log in, see the consent screen, grant permission, and get redirected back to n8n. The error only happens when the HTTP Request node actually tries to use the token to make an API call.
I’ve spent many hours troubleshooting this and have gone through an extensive list of potential issues. I’m hoping someone in the community can spot something I’ve missed or confirm if this might be a bug.
My Environment
n8n Version: 1.103.2
Database: SQLite
n8n Execution Mode: main
Running n8n via: Docker
Hosting: Self-hosted on an Oracle Cloud VM (Linux)
Setup: n8n is running behind Nginx Proxy Manager with a valid Let’s Encrypt SSL certificate (HTTPS is working correctly).
The Goal
The ultimate goal is to create a workflow that backs up new photos from Google Photos to Backblaze B2. The very first step—listing recent photos—is where the error occurs.
The Error
This is the error I get when I execute the HTTP Request node to call https://photoslibrary.googleapis.com/v1/mediaItems:search.
JSON
{
“errorMessage”: “Forbidden - perhaps check your credentials?”,
“errorDescription”: “Request had insufficient authentication scopes.”,
“errorDetails”: {
“rawErrorMessage”: [
“403 - "{\n \"error\": {\n \"code\": 403,\n \"message\": \"Request had insufficient authentication scopes.\",\n \"status\": \"PERMISSION_DENIED\"\n }\n}\n"”
],
“httpCode”: “403”
},
“n8nDetails”: {
“nodeName”: “Listar Fotos Recentes”,
“nodeType”: “n8n-nodes-base.httpRequest”,
“nodeVersion”: 4.2,
“itemIndex”: 0,
“time”: “7/23/2025, 9:47:12 PM”,
“n8nVersion”: “1.103.2 (Self Hosted)”,
“binaryDataMode”: “default”
}
}
What I’ve Already Tried (Troubleshooting Steps)
I believe I have eliminated almost every possible configuration error. Here is a summary of what has been done:
Full HTTPS Setup: n8n is accessible via a custom subdomain with a valid SSL certificate managed by Nginx Proxy Manager.
New Google Cloud Project: Created a brand new Google Cloud project from scratch to rule out a corrupted project state.
API Enabled: The “Photos Library API” is enabled in the Google Cloud Project. I have also tried disabling and re-enabling it.
OAuth Consent Screen: Correctly configured the consent screen as “External” and added my Google account email to the “Test Users” list. I can successfully get past the “unverified app” screen.
Correct Redirect URI: The https redirect URI (https:///rest/oauth2-credential/callback) is correctly configured in the OAuth Client ID settings.
Scopes: I have tried creating credentials with both the specific https://www.googleapis.com/auth/photoslibrary.readonly scope and the broader https://www.googleapis.com/auth/photoslibrary scope. The error is the same.
n8n Credentials: I have tried using both the dedicated Google OAuth2 API credential type and the generic OAuth2 API credential type, manually specifying all endpoints and parameters (access_type=offline&prompt=consent). The result is the same. I have deleted and recreated these credentials multiple times.
n8n Proxy Configuration: Added the -e N8N_TRUST_PROXY=true environment variable to my n8n Docker container. This fixed an earlier “Connection lost” issue.
NPM Websockets: Enabled Websockets support in Nginx Proxy Manager for the n8n proxy host, which fixed all UI connection issues.
DNS / IPv6: Solved an issue with Let’s Encrypt failing by removing the AAAA (IPv6) record from my DNS, forcing validation over IPv4. SSL is now working perfectly.
Minimal Reproducible Workflow
Here is the JSON for a simple workflow that reproduces the error. You just need to create a Google OAuth2 credential and associate it.
JSON
{
“name”: “Google Photos API Test”,
“nodes”: [
{
“parameters”: {},
“id”: “76329431-4a81-4355-a0d0-058914b15093”,
“name”: “Start”,
“type”: “n8n-nodes-base.start”,
“typeVersion”: 1,
“position”: [
240,
300
]
},
{
“parameters”: {
“authentication”: “googleOAuth2Api”,
“googleOAuth2Api”: {
“id”: “YOUR_CREDENTIAL_ID_HERE”
},
“requestMethod”: “POST”,
“url”: “https://photoslibrary.googleapis.com/v1/mediaItems:search”,
“sendBody”: true,
“body”: “=\n{\n "pageSize": 5\n}”
},
“id”: “e67e335e-c045-4b06-b09e-10878e11075c”,
“name”: “List Recent Photos”,
“type”: “n8n-nodes-base.httpRequest”,
“typeVersion”: 4.2,
“position”: [
460,
300
]
}
],
“connections”: {
“Start”: {
“main”: [
[
{
“node”: “List Recent Photos”,
“type”: “main”,
“index”: 0
}
]
]
}
},
“settings”: {
“executionOrder”: “v1”
},
“staticData”: null,
“id”: “E3gVfJ7O5L8b9c2A”,
“pinData”: {},
“versionId”: “65b26639-689e-4a6c-9477-f230f81d113f”,
“triggerCount”: 0,
“tags”:
}
My Question
Given all of the above, is this a known bug in n8n v1.103.2, or is there any other configuration step I could possibly have missed? It seems like the HTTP Request node is not correctly using the scope from the authenticated token.
Any help or insight would be greatly appreciated. Thank you!