Configure OAuth for your application

To configure OAuth for your application, you set up an OAuth workflow, and you enable the Data Portability API OAuth scopes.

Set up an OAuth workflow

To set up an OAuth flow for your application, follow the basic steps in the Google Identity documentation.

Most developers use the Server-side Web Apps flow for obtaining OAuth consent, but you can also use the JavaScript Web Apps flow or the Mobile and Desktop Apps flow.

Data Portability API OAuth scopes

When you configure your Data Portability API application for OAuth, enable the Data Portability API OAuth scopes that are relevant to your application. Some scopes are sensitive and restricted and are subject to additional requirements.

When you add the Data Portability API scopes to your OAuth flow, there may be cases where your user gives consent to some but not all of the scopes. Your app must be able to handle these cases by:

  • Allowing partial data exports
  • Notifying the user that they didn't select all the necessary scopes (and failing gracefully)
  • Asking the user for the remaining consents

You should note that a user's consent allows you one data export for that specific consent. To download the data again, you need a new consent from the user.

You should also note that during the OAuth flow, your app does not know which Google Account was used to give consent. The OAuth token your application receives is opaque.

If you are looking for information on how users share data, see Share a copy of your data with a third party.

Scope restrictions

This section covers restrictions in scopes that result in errors.

Mixed scopes

Requests for Data Portability API scopes (such as https://www.googleapis.com/auth/dataportability.*) can't be mixed with other scopes (such as https://www.googleapis.com/auth/userinfo.email). Here is an example of a bad request; the restricted part is the userinfo.email scope appended to the scope parameter:

https://accounts.google.com/o/oauth2/v2/auth?
client_id=client_id&
redirect_uri=redirect_uri&
response_type=token&
scope=https://www.googleapis.com/auth/dataportability.myactivity.search+https://www.googleapis.com/auth/userinfo.email&
include_granted_scopes=false

Previously granted scopes

Never set include_granted_scopes=true when requesting Data Portability API (DPAPI) scopes. Here is an example of a bad request; the restricted part is the final parameter, include_granted_scopes=true:

https://accounts.google.com/o/oauth2/v2/auth?
client_id=client_id&
redirect_uri=redirect_uri&
response_type=token&
scope=https://www.googleapis.com/auth/dataportability.myactivity.search&
include_granted_scopes=true
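
The following added example (not part of the original documentation or Google's own code) checks an authorization URL against the two restrictions above before it is sent, and reports which requested scopes a user declined when consent is partial. The function names and sample URLs are constructed for illustration, and the second scope, dataportability.myactivity.youtube, is assumed here as an additional Data Portability API scope.

```python
from urllib.parse import parse_qs, urlsplit

DPAPI_PREFIX = "https://www.googleapis.com/auth/dataportability."


def lint_auth_request(url):
    """Return the scope-restriction problems found in an authorization URL."""
    query = parse_qs(urlsplit(url).query)
    scopes = query.get("scope", [""])[0].split()  # '+' decodes to a space
    dpapi = [s for s in scopes if s.startswith(DPAPI_PREFIX)]
    other = [s for s in scopes if not s.startswith(DPAPI_PREFIX)]
    problems = []
    if dpapi and other:
        problems.append("mixed scopes: " + ", ".join(other))
    flag = query.get("include_granted_scopes", ["false"])[0].lower()
    if dpapi and flag == "true":
        problems.append("include_granted_scopes=true with DPAPI scopes")
    return problems


def missing_scopes(requested, granted):
    """Scopes that were requested but not consented to (partial consent).

    `granted` is the space-delimited scope string returned with the token.
    """
    return sorted(set(requested) - set(granted.split()))


# Constructed samples; client_id and redirect_uri are placeholders.
BASE = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=client_id"
        "&redirect_uri=redirect_uri&response_type=token&scope=")
SEARCH = DPAPI_PREFIX + "myactivity.search"
YOUTUBE = DPAPI_PREFIX + "myactivity.youtube"  # assumed second DPAPI scope
MIXED = (BASE + SEARCH + "+https://www.googleapis.com/auth/userinfo.email"
         "&include_granted_scopes=false")
INCREMENTAL = BASE + SEARCH + "&include_granted_scopes=true"
VALID = BASE + SEARCH + "+" + YOUTUBE + "&include_granted_scopes=false"

if __name__ == "__main__":
    for name, url in (("mixed", MIXED), ("incremental", INCREMENTAL),
                      ("valid", VALID)):
        print(name, lint_auth_request(url) or "ok")
    # The user ticked only the Search box on the consent screen.
    declined = missing_scopes([SEARCH, YOUTUBE], granted=SEARCH)
    print("ask again or export partially; declined:", declined)
```
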

Scope categories

For a list of all OAuth scopes supported by the Data Portability API and their categories, see Available OAuth scopes. For a list of all resource groups and OAuth scopes supported by a particular service, see the schema reference page for that service.