Skip to main content

Troubleshooting actions authentication

This page helps you diagnose and resolve authentication issues with Glean actions — including repeated re-authentication prompts, expired token errors, and connection failures across different connectors.

Why an action keeps asking you to reconnect

Actions use OAuth to access source systems on your behalf. After you click Connect and authorize an action, Glean stores an access token and (where available) a refresh token. Glean uses the refresh token to get new access tokens without prompting you again.

You'll be asked to reconnect if any of the following happen:

  • The refresh token expires because of the source system's token lifetime policy.
  • You or an admin revoked the Glean connected app in the source system.
  • The custom OAuth app's client secret was rotated but not updated in the Glean Admin Console.
  • A required site-level or org-level approval hasn't been granted (for example, a Jira site admin hasn't authorized the OAuth app for the Atlassian site).

Choose an OAuth setup for actions

When setting up an action pack, admins choose between two authentication methods:

Central

The Central option uses a Glean-managed OAuth app. This is the fastest way to get started — no additional configuration is needed in the source system. Token refresh is handled automatically.

Use Central when:

  • You want the quickest setup with no OAuth app management overhead.
  • Your organization's security policy allows Glean-managed OAuth apps.

Custom

The Custom option uses an OAuth app that your organization creates and manages in the source system. This gives you control over the app's permissions, branding, and token policies.

Use Custom when:

  • Your security team requires customer-managed OAuth apps.
  • You need to configure longer refresh token lifetimes to reduce re-authentication frequency. For example, Databricks recommends setting refresh token lifetimes to approximately three months on custom OAuth apps.
  • You need to control which API scopes the app can access.
tip

If teammates are being prompted to re-authenticate frequently with a custom OAuth app, check the refresh token lifetime policy in the source system. Extending the lifetime reduces how often teammates need to reconnect.

Re-authenticate an action

As a teammate

  1. Run an agent that uses the action, or trigger the action directly in Assistant.
  2. When prompted, click Connect.
  3. Complete the authorization flow in the source system and return to Glean.

As an admin

If a teammate's action pack authorization needs to be reset:

  1. Go to Admin Console → Platform → Actions.
  2. Open the action pack.
  3. Find the teammate whose authorization needs to be reset and clear their stored credentials.
  4. Ask the teammate to re-run the agent and click Connect when prompted.

Individual connector notes

Jira

  • The first time Jira actions are used at your organization, a Jira site admin must authorize the OAuth app for your Atlassian site. Until this is done, other teammates will see authorization errors when they try to connect.
  • If you manage multiple Jira sites, create a separate action pack per site so each can be bound to its own datasource instance.
  • This applies to both Cloud and Service Management — Jira Data Center (on-premises) isn't supported for actions.

For setup details, see Jira actions setup.

Salesforce

  • Salesforce actions use OAuth for each teammate that's separate from the Salesforce connector used for search indexing. Connecting or disconnecting one doesn't affect the other.
  • If a teammate revokes the Glean connected app in Salesforce (under Setup → Connected Apps OAuth Usage or My Personal Information → Connections), they'll need to re-authorize by running an agent that uses a Salesforce action and clicking Connect.
  • If you use a custom OAuth app, you can configure the refresh token policy in the connected app settings in Salesforce to control token lifetime.

For setup details, see Salesforce actions setup.

Google

  • Google Calendar, Google Docs, Google Sheets, and Gmail actions use OAuth for each teammate. Each teammate is prompted to connect the first time they run one of these actions.
  • If a teammate revokes the Glean app from their Google account permissions, they'll need to reconnect the next time they run a Google action.
  • The newer Google Calendar, Google Docs, Google Sheets, and Gmail actions use OAuth user authentication and don't support Domain-wide Delegation.

For setup details, see Google actions setup.

Zendesk

  • Zendesk access tokens are long-lived, so teammates should not need to reconnect Zendesk actions on a daily basis.
  • If teammates are seeing repeated re-authentication prompts, verify the action pack's authentication configuration and contact Glean Support if the issue persists.

For setup details, see Zendesk actions setup.

Slack

  • Slack actions use custom OAuth only. If your Slack app has token rotation enabled, make sure the rotation is configured correctly per the Slack actions setup guide to avoid unexpected re-authentication prompts.

When to contact your admin vs. Glean Support

SituationWho to contact
You're prompted to reconnect and clicking Connect resolves itNo action needed — this is normal after a token expires
You're prompted to reconnect every time you run the actionYour admin — the action pack's OAuth configuration or the source system's token policy may need adjustment
Clicking Connect fails or doesn't show an authorization screenYour admin — the OAuth app may be misconfigured or require site-level approval
Multiple teammates across your organization are affected at the same timeGlean Support — this may indicate a platform-level issue

See also

© 2026, Glean Technologies, Inc.
Last updated on