auth.google_state_mismatch
The OAuth state parameter is missing or does not match the server-side cookie.
auth.google_state_mismatch is returned during the Google OAuth callback when the state parameter in the callback URL does not match the state value stored in the browser cookie. This is a CSRF protection mechanism.
The OAuth state cookie was cleared (e.g., by a browser restart, cookie blocking, or a cross-origin redirect) before the callback was processed. The error may also appear if the callback URL was shared or replayed after the original browser session ended.
Restart the Google sign-in flow from the beginning. Do not share or replay the callback URL between browser sessions or devices.
{
  "error": {
    "code": "auth.google_state_mismatch",
    "message": "OAuth state cookie missing or tampered",
    "request_id": "req_01900000abc"
  }
}
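
The state check behind this error, as an added example that is not the service's own code: it compares the callback's state parameter with the cookie value in constant time and returns the error body shown above on any mismatch. The cookie name `oauth_state`, the function names, the callback URL and the request IDs are assumptions made for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

STATE_COOKIE = "oauth_state"  # assumed cookie name, not taken from the page


def new_state() -> str:
    """Random value sent to Google as ?state= and stored in the browser cookie."""
    return secrets.token_urlsafe(32)


def check_callback(callback_url: str, cookie_header: str, request_id: str):
    """Return None when the state matches, else the error body for this code."""
    query = parse_qs(urlsplit(callback_url).query)
    url_state = query.get("state", [""])[0]

    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(STATE_COOKIE)
    cookie_state = morsel.value if morsel else ""

    # Both values must be present; an empty pair must never count as a match.
    # compare_digest avoids leaking how many leading characters agree.
    ok = bool(url_state) and bool(cookie_state) and hmac.compare_digest(
        url_state.encode(), cookie_state.encode())
    if ok:
        return None
    return {"error": {"code": "auth.google_state_mismatch",
                      "message": "OAuth state cookie missing or tampered",
                      "request_id": request_id}}


if __name__ == "__main__":
    state = new_state()
    # Constructed callback URL and request IDs, for demonstration only.
    url = f"https://app.example/auth/google/callback?code=abc&state={state}"
    # Same browser session: the cookie is still present, so the check passes.
    print(check_callback(url, f"{STATE_COOKIE}={state}", "req_constructed_1"))
    # Callback URL opened where the cookie is absent (cleared, blocked, shared).
    print(check_callback(url, "", "req_constructed_2"))
```

After either outcome the handler should expire the state cookie so each value is accepted at most once.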