Create credentials

Credentials are used to obtain an access token from a Google authorization server. This token is used to call Google Workspace APIs. The type of credentials you use depends on the type of data your app accesses. All Google Workspace APIs access data owned by an end-user. You can use either an OAuth client ID or a service account with domain delegation of authority to access user data.

When you use OAuth 2.0 for authorization, your app requests authorization for one or more scopes of access from a Google Account. Google displays a consent screen to the user that includes a summary of your project and its policies and the requested scopes of access. You must configure the consent screen for all apps. However, you only need to list the scopes your app uses if it is an external app.

To configure the OAuth consent screen:

  1. Open the Google Cloud Console.
  2. Next to Google Cloud Platform, click the Down arrow and select a project.
  3. At the top-left corner, click Menu.
  4. Click APIs & Services > Credentials. The credential page for your project appears.
  5. Click Configure Consent Screen. The "OAuth consent screen" screen appears.
  6. Click the user type for your app. If you're running a Quickstart, select Internal.

  7. Click Create. A second "OAuth consent screen" screen appears.

  8. Fill out the form:

    • If you're running a quickstart, enter "Quickstart" in the App name field.
    • If you're running a quickstart, enter your personal email address in the User support email field.
    • If you're running a quickstart, enter your personal email address in the Developer contact information field.
  9. Click Save and Continue. The "Scopes" page appears.

  10. (Optional) If you are creating an external app, click Add or Remove Scopes. The "Update selected scopes" page appears.

  11. (Optional) For each API you intend to use in your app, check the scopes to use in your app.

  12. (Optional) Click Update. A list of scopes for your app appears. If any scopes appear under the heading "Your sensitive scopes" or "Your restricted scopes," refer to Identify scopes.

  13. Click Save and Continue. The "Edit app registration" page appears.

  14. Click Save and Continue. The "OAuth consent screen" appears.

  15. Click Back to Dashboard.

If you are creating a service account with domain-wide delegation of authority, proceed to Create a service account with domain-wide delegation.

Create an OAuth client ID credential

  1. In the left-hand navigation, click Credentials. The "Credentials" page appears.
  2. Click Create Credentials and select OAuth client ID. The "Create OAuth client ID" page appears.
  3. Click the Application type drop-down list and select the type of application you're creating. For a full explanation of application types, refer to Setting up OAuth 2.0.

  4. In the name field, type a name for the credential. This name is only shown in the Cloud Console.

  5. In this document, continue with the documentation that corresponds to your app type:

Create Web application credentials (client-side JavaScript)

If you're creating Web application credentials for a client-side JavaScript app, follow these steps:

  1. Specify authorized JavaScript origins. Under Authorized JavaScript origins, click Add URI and type a URI in the URIs field for use with requests from a browser. The origins identify the domains from which your application can send API requests to the OAuth 2.0 server.
  2. Click Create. The OAuth client created screen appears. This screen shows the Client ID and Client secret.
  3. Note the Client ID. Client secrets aren't used for Web applications.
  4. Click OK. The newly created credential appears under "OAuth 2.0 Client IDs."
  5. (Optional) If you're creating credentials as a prerequisite for a JavaScript quickstart, you must also generate an API key. To generate an API key:
    1. Click the Create Credentials drop-down list and select API Key. The "API Key created" page appears.
    2. Note the API key.
    3. Click Close. The newly created credential appears under "API Keys."

Create Web application credentials (web server app)

If you're creating Web application credentials for a web server app, follow these steps:

  1. For web server applications using languages and frameworks like PHP, Java, Python, Ruby, and .NET, specify authorized redirect URIs:
    1. Under Authorized redirect URIs, click Add URI.
    2. Type a URI in the URIs field. The redirect URIs are the endpoints to which the OAuth 2.0 server can send responses.
  2. Click Create. The OAuth client created screen appears. This screen shows the Client ID and Client secret.
  3. Click the download button to the right of the newly-created OAuth 2.0 Client ID. This copies a client secret JSON file to your desktop. Note the location of this file.

Create Desktop application credentials

If you're creating Desktop application credentials:

  1. Click Create. The OAuth client created screen appears. This screen shows the Client ID and Client secret.
  2. Click OK. The newly created credential appears under "OAuth 2.0 Client IDs."
  3. Click the download button to the right of the newly-created OAuth 2.0 Client ID. This copies a client secret JSON file to your desktop. Note the location of this file.
  4. (Optional) If you are creating credentials for a quickstart, rename the client secret JSON file to "credentials.json".

Create Chrome application credentials

If you're creating Chrome application credentials:

  1. In the Application ID field, enter the last part of your app's Chrome Web Store URL.
  2. Click Create. The OAuth client created screen appears. This screen shows the Client ID and client secret.
  3. Click OK. The newly created credential appears under "OAuth 2.0 Client IDs."

Create Android application credentials

If you're creating Android application credentials:

  1. In the package name field, enter the package name from your AndroidManifest.xml file.
  2. In the SHA-1 certificate fingerprint field, enter the SHA-1 certificate fingerprint.
  3. Click Create. The OAuth client created screen appears. This screen shows the Client ID.
  4. Click OK. The newly created credential appears under "OAuth 2.0 Client IDs."

Create iOS application credentials

If you're creating iOS application credentials:

  1. In the Bundle ID field, enter the bundle identifier as listed in the app's Info.plist file.
  2. If your app appears in the Apple app store, enter the App Store ID.
  3. In the Team ID field, enter your Team ID.
  4. Click Create. The OAuth client created screen appears. This screen shows the Client ID.
  5. Click OK. The newly created credential appears under "OAuth 2.0 Client IDs."

Create TVs and limited input device credentials

If you're creating TVs and limited input device credentials:

  1. Click Create. The OAuth client created screen appears. This screen shows the Client ID and client secret.
  2. Click OK. The newly created credential appears under "OAuth 2.0 Client IDs."

Create Universal Windows Platform (UWP) credentials

If you're creating Universal Windows Platform (UWP) credentials:

  1. In the Store ID field, enter the last part of your app's Microsoft Store URL.
  2. Click Create. The OAuth client created screen appears. This screen shows the Client ID and client secret.
  3. Click OK. The newly created credential appears under "OAuth 2.0 Client IDs."

Create a service account with domain-wide delegation of authority

Creating a service account with domain-wide delegation of authority is a four-step process:

  1. Create the service account.
  2. Obtain service account credentials.
  3. Enable domain-wide delegation for the service account.
  4. Grant access to user data to the service account.

Create a service account:

  1. Open the Google Cloud Console.
  2. Next to Google Cloud Platform, click the Down arrow and select a project.
  3. At the top-left corner, click Menu.
  4. Click IAM & Admin > Service Accounts. The Service account page appears.
  5. Click Create service account. The "Create service account" page appears with the "Service account details" section open.
  6. Fill in the service account details. By default, Google creates a unique service account ID. If you would like to change the ID, modify the ID in the service account ID field.
  7. Click Create. The "Grant service account access to project" section appears. This section is used to grant your service account role(s) to perform tasks on resources held within your Google Cloud Console project, such as creating other service accounts.
  8. (Optional) Identify roles for your service account. For further information, refer to Granting, changing, and revoking access to resources.
  9. Click Continue. The "Grant users access to this service account" section appears. This section is used to identify users or groups that can be impersonated by this user account.
  10. (Optional) Identify users, groups, and admins who can have access to this service account. For further information, refer to Managing service account impersonation.
  11. Click Done. Your list of service accounts appears.

Obtain service account credentials

You must obtain credentials in the form of a public/private key pair. These credentials are used by your code to authorize service account actions within your app. To obtain credentials for your service account:

  1. Click on your newly created service account.
  2. Click Keys.
  3. Click Add key > Create new key. The "Create private key" dialog appears.
  4. Select JSON.
  5. Click Create. Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of this key. For information on how to store your key securely, see Managing service account keys.
  6. Click Close. The list of keys appears.

Enable domain-wide delegation for a service account

  1. Click Details. The service account details appear.
  2. Click Show domain-wide delegation.
  3. Check Enable Google Workspace domain-wide delegation.
  4. Note the client ID. The client ID is used in the next section.

Grant access to user data to a service account

To access user data on a Google Workspace domain, the service account that you created needs to be granted access to user data through an API. This process must be performed by a super administrator for the domain. To grant your service account access to user data:

  1. Open the Admin Console.
  2. Click Main menu > Security > API controls.
  3. Scroll down and click Manage Domain Wide Delegation.
  4. Click Add new. The "Add a new client ID" dialog box appears.
  5. In the "Client ID" field, enter the client ID obtained from the service account creation steps above.
  6. In the "OAuth Scopes" field, enter a comma-delimited list of the scopes required by your application. This is the same set of scopes you defined when configuring the OAuth consent screen.
  7. Click Authorize.

Your service account now has domain-wide access to your enabled Workspace API(s) for all the users of your domain.
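
A pre-flight check for the service account steps above, added here as an example and not part of the original documentation: it confirms that the downloaded JSON file is a service account key stored with owner-only permissions, returns the client ID to enter in the Admin Console, and builds the comma-delimited "OAuth Scopes" value while rejecting any scope that is not on the consent screen. The function names and `SAMPLE_KEY` are constructed for illustration; the permission check assumes a POSIX file system.

```python
import json
import os
import stat
import tempfile

# Constructed sample with the field names of a service account JSON key (no real key material).
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "demo-sa@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
}

def inspect_key_file(path):
    """Return (kind, client_id, findings) for a downloaded credentials JSON file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)  # POSIX permission bits
    if mode & 0o077:
        findings.append(f"mode {mode:03o}: readable beyond the owner, use 600")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if data.get("type") == "service_account":
        missing = [k for k in ("client_email", "client_id", "private_key") if not data.get(k)]
        findings += [f"missing field: {k}" for k in missing]
        return "service_account", data.get("client_id"), findings
    if "web" in data or "installed" in data:
        findings.append("OAuth client file, not a service account key")
        return "oauth_client", None, findings
    findings.append("unrecognized credentials file")
    return "unknown", None, findings

def delegation_scope_field(required, consent_screen):
    """Build the comma-delimited "OAuth Scopes" value, rejecting unlisted scopes."""
    unlisted = sorted(set(required) - set(consent_screen))
    if unlisted:
        raise ValueError(f"not on the consent screen: {unlisted}")
    return ",".join(sorted(set(required)))

def demo():
    """Write SAMPLE_KEY to a temporary file and inspect it with loose, then tight, modes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "service-account.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_KEY, fh)
        os.chmod(path, 0o644)
        loose = inspect_key_file(path)
        os.chmod(path, 0o600)
        tight = inspect_key_file(path)
    return loose, tight
```

Run `inspect_key_file` on the real key before entering the client ID in the "Add a new client ID" dialog; an `oauth_client` result means the file is the OAuth client secret download rather than the service account key.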