This topic was automatically generated from Slack. You can find the original thread here.
Hey,
I’m trying to create a Google Drive “list files” workflow for my end users, but I’m running into this error:
“Running workflows with official OAuth apps is not allowed.”
I’ve already created an OAuth client, the end user is connected and has authorized access (they show up under the project’s connected users). I’m also testing this in development mode.
Not sure what I’m doing wrong—any ideas?
I’m sorry you’re running into this issue! Based on your description and the error message: > “Running workflows with official OAuth apps is not allowed.” Here’s what could be happening and how to resolve it: — ## Why This Error Occurs When using Pipedream Connect to run workflows for your end users with OAuth apps (like Google Drive), you must use your own custom OAuth client—not Pipedream’s default/official OAuth app. This is a security and compliance requirement. Even if you’ve created your own OAuth client and connected your end user, you need to ensure that: 1. Your custom OAuth client is properly configured in Pipedream. 2. Your workflow is using your custom OAuth client when connecting accounts for end users. — ## What To Check 1. Did you add your OAuth client credentials to Pipedream? - Go to OAuth Clients settings and make sure your Google OAuth client is registered. 2. Are you specifying your oauthAppId when connecting end user accounts? - When connecting accounts for end users, you must specify the oauthAppId so Pipedream knows to use your custom client instead of the official one. 3. Are you running in development mode? - You mentioned you are, which is correct—anyone can run Connect workflows in development. — ## Next Steps - Double-check that your custom OAuth client is set up in Pipedream and that your end user connection is using it (not the official app). - If you’re using the Connect API/SDK, make sure to pass the oauthAppId when creating the connection for your user. - For more details, see: - OAuth Clients documentation - Connect docs — If you’ve confirmed all of the above and are still seeing this error, please reach out to Support - Pipedream with details about your setup, and the team can help debug further. Let me know if you need clarification on any of these steps!
Thanks! I’m pretty sure I followed all the steps mentioned above. Could you clarify a bit more about the oauthAppId—
When exactly should I specify it in the workflow? Is it required even if the user is already connected via my custom OAuth client?
Certainly! Here’s a step-by-step clarification about the oauthAppId and when you need to specify it: — ### When to Specify oauthAppId - You must specify the oauthAppId when connecting an end user’s account to your app via Pipedream Connect. - This happens at the moment you prompt your end user to connect their Google Drive (or other OAuth app) account. - You do this by passing the oauthAppId to the relevant method in the Pipedream SDK (e.g., pd.connectAccount({ appSlug: "google", oauthAppId: "YOUR_OAUTH_APP_ID" })) or by including it in the Connect Link URL. Reference: > 2. When connecting an account either via the [frontend SDK], make sure to include the oauthAppId in pd.connectAccount(). > 3. If using [Connect Link], make sure to include the oauthAppId in the URL. (docs) — ### Is oauthAppId Required If the User Is Already Connected? - Yes, you should still specify the oauthAppId when referencing the connection in your workflow or Connect API calls. - This ensures Pipedream uses your custom OAuth client (not the official one) for all authentication and API requests. - Even if the user is already connected via your custom OAuth client, specifying the oauthAppId makes it explicit which OAuth client should be used, and avoids ambiguity—especially if multiple OAuth clients exist for the same app in your workspace. — ### Summary Table | Action | Is oauthAppId required? | |----------------------------------------------|:------------------------
| Connecting user account (Connect SDK/Link) | Yes | | Referencing connection in workflow/API | Yes | — ### Why This Matters If you do not specify the oauthAppId, Pipedream may default to the official OAuth app, which is not allowed for end-user workflows. This is what triggers the error: > “Running workflows with official OAuth apps is not allowed.” — If you’re still seeing the error after specifying oauthAppId everywhere you connect or reference the account, please visit Support - Pipedream for further help. Let me know if you need an example or further clarification!
I made it work but can you help me out with getting connected accounts, calling frontendClient and getAccounts returning bad request errors:
const client = useMemo(() => {
if (!externalUserId) return null;
return createFrontendClient({
tokenCallback: async ({ externalUserId }) => {
const response = await fetch('/api/pipedream/connect-token', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ externalUserId }),
});
const { token, connect_link_url, expires_at } = await response.json();
if (!token) throw new Error("Failed to retrieve connect token");
setToken(token);
return {
token,
connect_link_url,
expires_at
}
},
externalUserId: externalUserId,
});
}, [externalUserId]);
...
const accounts = await client.getAccounts(); // returns HTTP error! status: 401, body: {"error":"The Pipedream Connect token is invalid. Please generate a new one and try again."}
I verifed token is valid and is being returned.
It sounds like you’re running into a 401 error when calling client.getAccounts() with a Connect token you believe is valid. This is a common issue when working with Pipedream Connect, and there are a few areas to double-check: — ### 1. Token Expiry and Reuse - Connect tokens are short-lived and single-use: Once a token is used (for example, to connect an account or fetch accounts), it cannot be reused. If you try to use the same token again, you’ll get a 401 error like: > {"error":"The Pipedream Connect token is invalid. Please generate a new one and try again."} - Solution: Always generate a fresh Connect token for each new operation that requires it. Do not cache or reuse tokens between requests or sessions. — ### 2. Token Generation Endpoint - Make sure your /api/pipedream/connect-token endpoint is generating a new, valid Connect token every time it’s called, and that it’s not returning an expired or previously-used token. — ### 3. Frontend Client Initialization - Ensure you’re passing the fresh token to createFrontendClient each time you need to perform an operation (like getAccounts()). - If you’re storing the token in state (with setToken), make sure you’re not accidentally using an old token after a user disconnects/reconnects or after a page reload. — ### 4. Debugging Tips - Check the network tab in your browser’s dev tools for the exact request and response when you call getAccounts(). Confirm the token being sent matches the one freshly generated. - Check the response from /api/pipedream/connect-token — ensure it’s not returning an error or an expired token. — ### 5. Reference from Docs From the Pipedream Connect docs: > Most errors when connecting an account are related to the Connect token, which Pipedream validates from the Connect iFrame. > Pipedream typically returns an explicit error message in the HTTP response of the token validation network call directly from the iFrame in the client. To check for errors, start the account connection flow in a browser and open the developer console to view the network requests. Filter for requests to https://api.pipedream.com/v1/connect/tokens and check the response for error messages. — ### 6. Summary Checklist - Generate a new Connect token for each operation (do not reuse). - Pass the fresh token to createFrontendClient. - Ensure the token is not expired or already used. - Check your backend endpoint for correct token logic. - Debug network requests for more error detail. — If you’ve checked all of the above and are still seeing issues, it may be a deeper problem with your Connect environment or token generation. In that case, please visit Support - Pipedream for direct help from the Pipedream team. Let me know if you need help with specific code for generating the token or further debugging!
but it seems token is not evein being passed in request for getting accounts? https://api.pipedream.com/v1/connect/accounts?external_user_id=user_tppwhXXXX
You’re correct: if the Connect token is not being passed in the request to the Pipedream Connect API, you will get a 401 error or a “bad request” when calling endpoints like /v1/connect/accounts. The Connect token must be included in the Authorization header as a Bearer token for all Connect API requests that require authentication. ### Why the token might not be sent - If you call getAccounts() on your frontend client, but the client was not initialized with a valid, fresh Connect token, the SDK will not include the token in the request. - If your tokenCallback is not being called before getAccounts(), the token may not be set. - If you are reusing an old or expired token, or not passing the token at all, the request will fail. ### How to fix 1. Ensure your frontend client is initialized with a fresh token before calling getAccounts(). 2. The request to /v1/connect/accounts must include: http Authorization: Bearer <CONNECT_TOKEN> 3. Double-check your client initialization: - Make sure the tokenCallback is called and returns a valid token before you call getAccounts(). - If using the SDK, inspect the network request in your browser dev tools. You should see the Authorization header set. Example of a correct request: http GET https://api.pipedream.com/v1/connect/accounts?external_user_id=user_tppwhXXXX Authorization: Bearer <CONNECT_TOKEN> ### Debugging steps 1. Check your network tab: Find the request to /v1/connect/accounts. Is the Authorization header present? If not, your client is not passing the token. 2. Check your client code: Make sure you are not calling getAccounts() before the token is set. 3. Check token freshness: Connect tokens are single-use and short-lived. Always generate a new one before each operation. — Summary: The Connect token must be sent in the Authorization header for all authenticated Connect API requests. If it’s missing, you’ll get 401 or bad request errors. Make sure your client is initialized with a fresh token, and that all requests include the header. If you continue to have issues, please visit Support - Pipedream for more support options.