diff --git a/agentclaw/app/agent_claw_main/tools/google_workspace.py b/agentclaw/app/agent_claw_main/tools/google_workspace.py
index d66d806..967955c 100644
--- a/agentclaw/app/agent_claw_main/tools/google_workspace.py
+++ b/agentclaw/app/agent_claw_main/tools/google_workspace.py
@@ -28,9 +28,12 @@ def _secrets():
 
 
 def _get_creds(actor_id: str) -> Credentials:
+    from datetime import datetime
     secret_name = 'agent-claw/google-credentials/' + actor_id.replace(':', '-')
     print(f'[google] fetching creds actor={actor_id}')
     data = json.loads(_secrets().get_secret_value(SecretId=secret_name)['SecretString'])
+    expiry_str = data.get('expiry')
+    expiry = datetime.fromisoformat(expiry_str.replace('Z', '+00:00')) if expiry_str else None
     creds = Credentials(
         token=data.get('token'),
         refresh_token=data.get('refresh_token'),
@@ -38,12 +41,17 @@ def _get_creds(actor_id: str) -> Credentials:
         client_id=data.get('client_id'),
         client_secret=data.get('client_secret'),
         scopes=data.get('scopes'),
+        expiry=expiry,
     )
-    if creds.expired and creds.refresh_token:
+    print(f'[google] creds loaded, expired={creds.expired}')
+    if (creds.expired or not creds.valid) and creds.refresh_token:
         print('[google] refreshing token')
         creds.refresh(Request())
         data['token'] = creds.token
+        if creds.expiry:
+            data['expiry'] = creds.expiry.isoformat()
         _secrets().put_secret_value(SecretId=secret_name, SecretString=json.dumps(data))
+        print('[google] token refreshed and saved')
     return creds