Describe the problem/error/question
I have a workflow for which a bot account is created in GCP. A service account is created to impersonate the bot account. I have the service account creds. I am using the Google Service Account API node, but it is not working.
What is the error message (if any)?
I am getting an error message like this after pasting the email, the private key and the email of the user we want to impersonate:
"Couldn't connect with these settings
Private key validation failed: 401 - {"error":"unauthorized_client","error_description":"Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."}"
Hi @Rahul_Dasari Welcome to the community!
Just enable domain-wide delegation for your service account in Google Workspace, make sure to add the scopes that are required and will be used further, also turn on "Impersonate a user" with the bot email and save/retest. I guess this should resolve the issue; let me know if that works.
Hi, thanks for the reply. I did all the DWD enablement and everything for the service account, and I have also turned on "Impersonate a user" with the bot email. I need Gmail access in a group, so I just gave those scopes, but it is still giving the same error.
@Rahul_Dasari understood. I am assuming the OAuth 2 client ID has been added correctly, although I would consider resetting that and also the redirect URL; wait for the app to be in production and then try accessing it. (By production I mean published.)
Hi everyone,
I'm hitting the same wall with the Google Service Account credentials, and I suspect there might be an intrinsic issue with how n8n handles the impersonation request or the RS256 key validation in certain environments.
My setup:
- GCP Side: Service Account created, JSON key generated, and the Service Account Token Creator role has been assigned.
- Workspace Side: Domain-Wide Delegation (DWD) is active (configured >24h ago). I used the numeric Client ID and authorized the exact same scopes.
- n8n Side: Using "Google Service Account" credentials with "Impersonate a User" toggled ON.
What I've already tested without success:
- Scope Alignment: I tried with the full list of authorized scopes and also by isolating just one (https://www.googleapis.com/auth/gmail.send), ensuring no extra spaces or hidden characters.
- HTTP Request Toggle: I've toggled "Set up for use in HTTP Request node" to manually force the scopes, but the 401 "unauthorized_client" persists.
- Impersonation Logic: If I use a non-existent email, I get a 400 (as expected), but as soon as I use a valid Workspace email, it returns the 401. This proves the link to Workspace is working, but the token retrieval is being rejected.
- Key Formatting: Verified the Private Key format (no extra quotes, includes BEGIN/END headers).
- Propagation: It's been over 24 hours since the Admin Console update.
Despite all these checks, n8n keeps throwing: Private key validation failed: 401 - {"error":"unauthorized_client","error_description":"Client is unauthorized to retrieve access tokens using this method..."}
Could it be a bug in how n8n signs the JWT for the impersonation grant?
I'll create an issue on the official repo, hoping they fix this quickly.
Hi, I am facing the exact same issue. Any solution or update on this, or what other scopes need to be added?
What scopes are actually needed in Google Cloud Console for this? I want the bot account to read and write Gmail messages and everything.
@Rahul_Dasari You need to add these scopes in your Google Admin Console DWD config: https://mail.google.com/, https://www.googleapis.com/auth/gmail.modify, and https://www.googleapis.com/auth/gmail.compose
And please consider using OAuth2 over a service account for Gmail; that is recommended.
So this seems like a limitation in the n8n Gmail service account creds. I tried a similar thing via Python code and it actually worked. Please let me know if you know anything about this, or what else you need to look into this more.
I would say you are correct; just use an SMTP node, that should work.
I need to poll the bot Gmail account to see the emails it got. So use HTTP nodes only, instead of creating creds and using the Gmail polling node?
What I would say is that you can continue using the Gmail node with OAuth; it is easy to configure that way. Just make sure that it is for the bot account when using the Gmail trigger, and that should be it. Although you can try the HTTP node, that can work too. Let me know what works in your situation; as your creds are not working, I cannot be very sure of what will work.