Email OAuth authentication failed although with valid and valid credentialsIssue All the mail accounts mapped in the instance are not fetching emails with the OAuth error, although valid credentials are in the configuration. In such a use case, the instance logs show the following: SEVERE *** ERROR *** OAuth access token is not present or has expired. Email account=...worker.7 worker.7 txid=70f6337f4799 Completed: Clean Expired OAuth Credentials in 0:00:00.314... How to troubleshoot the refresh token expiration process to prevent email downtime and expired credentials not cleared?Cause- The scheduled job "Refresh Email Access Token" is configured to run as administrator (admin user). If you have installed the OAuth Email plugin, the job is located here:/sysauto_script_list.do?sysparm_query=name%3DRefresh%20Email%20Access%20Token%5Eactive%3Dtrue&sysparm_first_row=1&sysparm_view= - The admin user would normally have access to the oauth_credential table via the admin role. This role may have been later removed from the user. - Clean Expired OAuth Credentials trigger may have not run, with expired credentials not cleared, and tokens not refreshed.Resolution- Inspect token refresh logs related to the "Refresh Email Access Token" between observed timeframes, i.e.:/syslog_list.do?sysparm_query=sys_created_onBETWEENjavascript%3Ags.dateGenerate('2023-03-08'%2C'23%3A00%3A00')%40javascript%3Ags.dateGenerate('2023-03-09'%2C'02%3A30%3A00')%5Emessage%3DRefreshing%20oauth%20access%20token%20for%20email.%20Account%3D%22SVB%20Onboarding%22&sysparm_view= - Inspect the list of HTTP outbound calls made by the job, refer to the Source and Response tab from one of the record in the below example URL, also removing the Response State code from the filter value to see the success calls:/sys_outbound_http_log_list.do?sysparm_query=sys_created_onON2023-03-09%40javascript%3Ags.dateGenerate('2023-03-09'%2C'start')%40javascript%3Ags.dateGenerate('2023-03-09'%2C'end')%5Ehostname%3Dlogin.microsoftonline.com%5Eresponse_status%3D-1&sysparm_view= - Since there was no response for API calls made by ServiceNow to refresh the token, tokens were not refreshed as expected. You may have to check internally if the source which is providing the token had some issue during the time window when the HTTP calls were failing. - To proactively find if the token has refreshed successfully or not, there is an expiry field for every record on the "oauth_credential" which stores the credentials #:/oauth_credential_list.do?sysparm_query=peer.name!%3DServiceNow%20Agent%5EORpeer.name%3DNULL&sysparm_view= You can create a scheduled job at regular intervals like every 5mins to check if the expiry time has went past the current time or not, if yes then you can have an auto incident created to your group so that one of your team members can look into the issue on priority checking the above mentioned areas.Related LinksOAuth tokens of email account are disappearing when opening "Manage Token" page When setting OAuth email the job "Refresh Email Access Token" needs the admin user role to execute correctly