When you use OAuth 2.0 for authorization, Google displays a consent screen to
the user including a summary of your project, its policies, and the requested
authorization scopes of access. Configuring your app's OAuth consent screen
defines what is displayed to users and app reviewers, and registers your app
so you can publish it later.
To define the level of access granted to your app, you need to identify and
declare authorization scopes. An authorization scope is an OAuth 2.0 URI string
that contains the Google Workspace app name, what kind of data it accesses, and
the level of access. Scopes are your app's requests to work with Google Workspace data, including
users' Google Account data.
When your app is installed, a user is asked to validate the scopes used
by the app. Generally, you should choose the most narrowly focused scope
possible and avoid requesting scopes that your app doesn't require. Users more
readily grant access to limited, clearly described scopes.
All apps using OAuth 2.0 require a consent screen configuration, but you only
need to list scopes for apps used by people outside your Google Workspace
organization.
Tip: If you don't know required consent screen information, you can use
placeholder information prior to release.
For security reasons, you can't remove the OAuth 2.0 consent screen
after you've configured it.
- In the Google Cloud console, go to Menu > APIs & Services > OAuth consent screen.
  Go to OAuth consent screen
- Select the user type for your app, then click Create.
- Complete the app registration form, then click Save and Continue.
- If you're creating an app for use outside of your Google Workspace
  organization, click Add or Remove Scopes. We recommend the following best
  practices when selecting scopes:
  - Select the scopes that provide the minimum level of access required by your app. For a list of
    available scopes, see OAuth 2.0 Scopes for Google APIs.
  - Review the scopes listed in each of the three sections: non-sensitive
    scopes, sensitive scopes, and restricted scopes. For any scopes listed in the
    "Your sensitive scopes" or "Your restricted scopes" sections, try to identify
    alternative non-sensitive scopes to avoid unnecessary additional reviews.
  - Some scopes require additional reviews by Google. For apps used only
    internally by your Google Workspace organization, scopes aren't listed on the
    consent screen and use of restricted or sensitive scopes doesn't require
    further review by Google. For more information, see Scope categories.
- After selecting the scopes required by your app, click Save and Continue.
- If you selected External for user type, add test users:
  - Under Test users, click Add users.
  - Enter your email address and any other authorized test users, then click
    Save and Continue.
- Review your app registration summary. To make changes, click Edit. If the app
  registration looks OK, click Back to Dashboard.
Scope categories
Some scopes require additional reviews and requirements
because of the level or type of access they grant. Consider the following types
of scopes:
| Scope type | Access granted | Basic app verification required | Additional app verification required | Security assessment required |
|---|---|---|---|---|
| Non-sensitive scopes (recommended) | Grant access only to limited data that's immediately relevant to a specific action. | Yes | No | No |
| Sensitive scopes | Grant access to personal user data, resources, or actions. | Yes | Yes | No |
| Restricted scopes | Grant access to highly-sensitive or extensive user data or actions. | Yes | Yes | Yes |
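The scope best practices and the table above can be checked before you submit the consent screen. The following is an added example, not code from Google's documentation: the function name `audit_scopes` is hypothetical, and the `SCOPE_CATEGORY` map is a small constructed sample whose entries are assumptions to confirm against the sections shown in the console's scope picker.

```python
# Added example: pre-submission audit of an app's requested OAuth scopes.
# SCOPE_CATEGORY is a constructed sample (an assumption); confirm each scope's
# category in the console's "Add or Remove Scopes" panel before relying on it.
PREFIX = "https://www.googleapis.com/auth/"

SCOPE_CATEGORY = {
    PREFIX + "drive.file": "non-sensitive",
    PREFIX + "calendar.readonly": "sensitive",
    PREFIX + "gmail.send": "sensitive",
    PREFIX + "drive": "restricted",
    PREFIX + "gmail.readonly": "restricted",
}

# Reviews per category, taken from the "Scope categories" table.
REVIEWS = {
    "non-sensitive": {"basic app verification"},
    "sensitive": {"basic app verification", "additional app verification"},
    "restricted": {"basic app verification", "additional app verification",
                   "security assessment"},
}


def audit_scopes(requested, user_type="External"):
    """Return (category per scope, sorted reviews needed, findings)."""
    categories, reviews, findings = {}, set(), []
    for scope in dict.fromkeys(requested):  # de-duplicate, keep order
        category = SCOPE_CATEGORY.get(scope)
        if category is None:
            categories[scope] = "unknown"
            findings.append(f"{scope}: not in the local map, classify it manually")
            continue
        categories[scope] = category
        # Internal-only apps need no further Google review for these scopes.
        if user_type == "External":
            reviews |= REVIEWS[category]
        if category != "non-sensitive":
            findings.append(f"{scope}: {category}, look for a non-sensitive alternative")
    # A broad scope requested next to a narrower one for the same API
    # (for example drive and drive.file) defeats the narrower request.
    for scope in categories:
        base, _, name = scope.rpartition("/")
        api = name.split(".")[0]
        broad = f"{base}/{api}"
        if name != api and broad in categories:
            findings.append(f"{broad}: broader than {scope}, drop one of them")
    return categories, sorted(reviews), findings
```

Running this in CI against the scope list your app actually requests catches scope creep before it reaches the consent screen configuration.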
Next step
Create access credentials for your app.