Configure the OAuth consent screen

When you use OAuth 2.0 for authorization, Google displays a consent screen to the user including a summary of your project, its policies, and the requested authorization scopes of access. Configuring your app's OAuth consent screen defines what is displayed to users and app reviewers, and registers your app so you can publish it later.

All apps using OAuth 2.0 require a consent screen configuration, but you only need to list scopes for apps used by people outside your Google Workspace organization.

Tip: If you don't know required consent screen information, you can use placeholder information prior to release.

  1. In the Google Cloud console, go to Menu > APIs & Services > OAuth consent screen.

    Go to OAuth consent screen

  2. Select the user type for your app, then click Create.
  3. Complete the app registration form, then click Save and Continue.
  4. If you're creating an app for use outside of your Google Workspace organization, click Add or Remove Scopes. Add and verify the authorization scopes required by your app, then click Save and Continue.

    Some scopes require additional reviews by Google. For apps used only internally by your Google Workspace organization, scopes aren't listed on the consent screen and use of restricted or sensitive scopes does not require further review by Google. For more details, see How to choose scopes for your app.

  5. If you selected External for user type, add test users:
    1. Under Test users, click Add users.
    2. Enter your email address and any other authorized test users, then click Save and Continue.
  6. Review your app registration summary. To make changes, click Edit. If the app registration looks OK, click Back to Dashboard.

Choose scopes for your app

To define the level of access granted to your app, you need to identify and declare authorization scopes. An authorization scope is a OAuth 2.0 URI string that contains the Google Workspace app name, what kind of data it accesses, and the level of access.

For a list of available scopes, see OAuth 2.0 Scopes for Google APIs.

For example, the following scope grants access to view, but not modify, Google Calendar settings:

Scope categories

Some scopes require additional reviews and requirements because of the level or type of access they grant. Consider the following types of scopes:

      Basic app verification required Additional app verification required Security assessment required
  Non-sensitive scopes (recommended) Grant access only to limited data that's immediately relevant to a specific action.
Sensitive scopes Grant access to personal user data, resources, or actions.
Restricted scopes Grant access to highly-sensitive or extensive user data or actions.

Select the scopes your app needs

We recommend identifying the scopes you'll use before beginning development. This speeds up app configuration in the Google Cloud console and helps you prepare for any additional security reviews.

To select authorization scopes for your app:

  1. While configuring your OAuth Consent Screen in the steps above, click Add or remove scopes. A panel appears with a list of scopes for each API you've enabled in your Google Cloud project.
  2. Select the scopes that provide the minimum level of access required by your app, then click Update.
  3. Review the scopes listed in each of the three sections: non-sensitive scopes, sensitive scopes, and restricted scopes. For any scopes listed in the "Your sensitive scopes" or "Your restricted scopes" sections, try to identify alternative non-sensitive scopes to avoid unnecessary additional reviews.
  4. When your list of scopes is complete, click Save and continue.

Next step

Create access credentials for your app.