I have a form using nodemailer, xoauth2 with google APi oauth2, I updated the password last week and since then my app hasn't worked and I get:

'535-5.7.8 Username and Password not accepted. Learn more at\n535 5.7.8

I've tried deleting the app and creating a new one, but its doesnt seem to pick up the new changed password. Any suggestions to how to fix this? I have allowed less secure apps, and display unlock captcha.

@sambellerose I went from

const generator = xoauth2.createXOAuth2Generator({
  user: serverConfig.gmail.client_user,
  clientId: serverConfig.gmail.client_id,
  clientSecret: serverConfig.gmail.secret,
  refreshToken: serverConfig.gmail.refresh_token,
  accessToken: serverConfig.gmail.access_token,
});


const transporter = nodemailer.createTransport({
  service: 'gmail',
  auth: {
    xoauth2: generator,
  },
});

To just having the following:

const transporter = nodemailer.createTransport({
  service: 'gmail',
  auth: {
    type: 'OAuth2',
    user: serverConfig.gmail.client_user,
    clientId: serverConfig.gmail.client_id,
    clientSecret: serverConfig.gmail.secret,
    refreshToken: serverConfig.gmail.refresh_token,
    accessToken: serverConfig.gmail.access_token,
  },
});

I hope this helps

I solved this by updating to latest version of Nodemailer, and remove xoauth2 module as Nodemailer 3 has better Oauth 2 support. Going on Google Oauth 2.0 playground I able to get correct access and refresh tokens.

Similar to the answer above. This is how I structured mine and it worked right away.

const transporter = nodemailer.createTransport({
        host: "smtp.gmail.com",
        port: 465,
        secure: true, // true for 465, false for other ports
        auth: {
            type: "OAuth2",
            user: process.env.EMAIL, // email you are using with nodemailer
            pass: process.env.PASSWORD, // email password
            clientId: process.env.CLIENTID,
            clientSecrect:process.env.CLIENTSECRET,
            refreshToken: process.env.REFRESHTOK,
            accessToken: process.env.ACCESSTOK,
        },
        tls:{
           rejectUnauthorized:false 
        }
      });

This link for the credentials worked as well. https://www.youtube.com/watch?v=JJ44WA_eV8E

You have to navigate around as google web layout is a little different. For sure works though!