Identify scopes for your app

A scope is a string, such as https://www.googleapis.com/auth/drive.metadata.readonly, that defines the level of access to resources your app requires, such as the level of access to data owned by its users.

Scopes that grant broad access are designated "restricted" and, if used in an external app, require your app to go through a security assessment and the app verification process. The following is a list of restricted scopes:

Scope Description
https://www.googleapis.com/auth/gmail.readonly Read all resources and their metadata—no write operations.
https://www.googleapis.com/auth/gmail.compose Create, read, update, and delete drafts. Send messages and drafts.
https://www.googleapis.com/auth/gmail.insert Insert and import messages only.
https://www.googleapis.com/auth/gmail.modify All read/write operations except immediate, permanent deletion of threads and messages, bypassing Trash.
https://www.googleapis.com/auth/gmail.metadata Read resources metadata including labels, history records, and email message headers, but not the message body or attachments.
https://www.googleapis.com/auth/gmail.settings.basic Manage basic mail settings.
https://www.googleapis.com/auth/gmail.settings.sharing Manage sensitive mail settings, including forwarding rules and aliases. Note: Operations guarded by this scope are restricted to administrative use only. They are only available to Google Workspace customers using a service account with domain-wide delegation.
https://mail.google.com/ Full access to the account's mailboxes, including permanent deletion of threads and messages. This scope should only be requested if your application needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes.
https://www.googleapis.com/auth/drive Full, permissive scope to access all of a user's files, excluding the Application Data folder.
https://www.googleapis.com/auth/drive.readonly Allows read-only access to file metadata and file content.
https://www.googleapis.com/auth/drive.activity Allows read and write access to the Drive Activity API.
https://www.googleapis.com/auth/drive.activity.readonly Allows read-only access to the Drive Activity API.
https://www.googleapis.com/auth/drive.scripts Allows access to Apps Script files.
https://www.googleapis.com/auth/drive.metadata Allows read-write access to file metadata (excluding downloadUrl and contentHints.thumbnail), but does not allow any access to read, download, write or upload file content. Does not support file creation, trashing or deletion. Also does not allow changing folders or sharing in order to prevent access escalation.
https://www.googleapis.com/auth/drive.metadata.readonly Allows read-only access to file metadata (excluding downloadUrl and contentHints.thumbnail), but does not allow any access to read or download file content.

Scopes that are narrower than restricted scopes but still grant access to user resources are classified as "sensitive." If used in an external app, these scopes require your app to go through the app verification process. The following is a list of sensitive scopes:

Scope Description
https://www.googleapis.com/auth/drive.apps.readonly Allows read-only access to installed apps.
https://www.googleapis.com/auth/gmail.send Send messages only.
https://www.googleapis.com/auth/fitness.activity.write See and add to your Google Fit physical activity data.
https://www.googleapis.com/auth/fitness.blood_glucose.write See and add info about your blood glucose to Google Fit. I consent to Google sharing my blood glucose information with this app.
https://www.googleapis.com/auth/fitness.blood_pressure.write See and add info about your blood pressure in Google Fit. I consent to Google sharing my blood pressure information with this app.
https://www.googleapis.com/auth/fitness.body.write See and add info about your body measurements and heart rate to Google Fit.
https://www.googleapis.com/auth/fitness.heart_rate.write See and add to your heart rate data in Google Fit. I consent to Google sharing my heart rate information with this app.
https://www.googleapis.com/auth/fitness.body_temperature.write See and add to info about your body temperature in Google Fit. I consent to Google sharing my body temperature information with this app.
https://www.googleapis.com/auth/fitness.location.write See and add to your Google Fit location data.
https://www.googleapis.com/auth/fitness.nutrition.write See and add to info about your nutrition in Google Fit.
https://www.googleapis.com/auth/fitness.oxygen_saturation.write See and add info about your oxygen saturation in Google Fit. I consent to Google sharing my oxygen saturation information with this app.
https://www.googleapis.com/auth/fitness.reproductive_health.write See and add info about your reproductive health in Google Fit. I consent to Google sharing my reproductive health information with this app.
https://www.googleapis.com/auth/fitness.sleep.write See and add to your sleep data in Google Fit. I consent to Google sharing my sleep information with this app.
https://www.googleapis.com/auth/fitness.activity.read Use Google Fit to see and store your physical activity data.
https://www.googleapis.com/auth/fitness.blood_glucose.read See info about your blood glucose in Google Fit. I consent to Google sharing my blood glucose information with this app.
https://www.googleapis.com/auth/fitness.blood_pressure.read See info about your blood pressure in Google Fit. I consent to Google sharing my blood pressure information with this app.
https://www.googleapis.com/auth/fitness.body.read See info about your body measurements and heart rate in Google Fit.
https://www.googleapis.com/auth/fitness.heart_rate.read See your heart rate data in Google Fit. I consent to Google sharing my heart rate information with this app.
https://www.googleapis.com/auth/fitness.body_temperature.read See info about your body temperature in Google Fit. I consent to Google sharing my body temperature information with this app.
https://www.googleapis.com/auth/fitness.location.read See your Google Fit speed and distance data.
https://www.googleapis.com/auth/fitness.nutrition.read See info about your nutrition in Google Fit.
https://www.googleapis.com/auth/fitness.oxygen_saturation.read See info about your oxygen saturation in Google Fit. I consent to Google sharing my oxygen saturation information with this app.
https://www.googleapis.com/auth/fitness.reproductive_health.read See info about your reproductive health in Google Fit. I consent to Google sharing my reproductive health information with this app.
https://www.googleapis.com/auth/fitness.sleep.read See your sleep data in Google Fit. I consent to Google sharing my sleep information with this app.

Scopes not listed in the previous tables are considered "Recommended" and can be used freely.

Determine scopes to use in your app

To plan for a security assessment or app verification, it's best to identify the scopes you'll use before beginning development. Additionally, external apps must declare their scopes when configuring the consent screen in the Cloud Console.

To determine the scopes to use:

  1. Open OAuth 2.0 Scopes for Google APIs. This page lists all the scopes available for all Google APIs, including those that are restricted and sensitive.

  2. Scroll to the section listing scopes for each API that you intend to use in your app.

  3. Identify any non-restricted and non-sensitive scopes you can use in your app. If possible, use non-restricted and non-sensitive scopes, especially for external apps, to avoid the overhead of a security assessment or app verification. For example, if your app only needs to "view file metadata" for files in Google Drive, use the https://www.googleapis.com/auth/drive.metadata.readonly scope instead of the https://www.googleapis.com/auth/drive scope. The https://www.googleapis.com/auth/drive scope provides broad access to user resources and is restricted for external apps.

  4. Identify any restricted and sensitive scopes that you must use in your app.

  5. If your app is external and uses restricted scopes, it must go through a security assessment. Also, if your app is external and uses restricted or sensitive scopes, it must go through the app verification process. To learn more about the assessment and verification process, refer to the OAuth verification FAQ.
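The steps above amount to a review you can run before development starts. As an added example (not code from the Google documentation), the following Python pre-flight check takes the scopes an app plans to request, classifies each against the restricted and sensitive tables on this page, reports which reviews an external app would face, and flags any scope that a broader scope in the same request already covers. The coverage map (which scope subsumes which) is an assumption read off the scope descriptions, not an official list, and the https://www.googleapis.com/auth/userinfo.email scope in the usage line is only there as an example of a scope outside both tables.

```python
"""Pre-flight review of the OAuth scopes an app plans to request.

Added example, not code from the Google documentation. RESTRICTED and
SENSITIVE are transcribed from the two tables on this page; COVERS is an
assumption derived from the scope descriptions (e.g. gmail.modify covers
"all read/write operations except permanent deletion").
"""

RESTRICTED = frozenset({
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.compose",
    "https://www.googleapis.com/auth/gmail.insert",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.activity",
    "https://www.googleapis.com/auth/drive.activity.readonly",
    "https://www.googleapis.com/auth/drive.scripts",
    "https://www.googleapis.com/auth/drive.metadata",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
})

# The fitness scopes in the sensitive table share one pattern, so they are
# generated from the list of data kinds rather than written out twice.
_FITNESS_KINDS = (
    "activity", "blood_glucose", "blood_pressure", "body", "heart_rate",
    "body_temperature", "location", "nutrition", "oxygen_saturation",
    "reproductive_health", "sleep",
)
SENSITIVE = frozenset(
    {"https://www.googleapis.com/auth/drive.apps.readonly",
     "https://www.googleapis.com/auth/gmail.send"}
    | {f"https://www.googleapis.com/auth/fitness.{kind}.{op}"
       for kind in _FITNESS_KINDS for op in ("read", "write")}
)

# ASSUMPTION: broader scope -> narrower scopes it already grants, read off the
# descriptions in the tables. Only Gmail and Drive relations are modelled.
COVERS = {
    "https://mail.google.com/": {
        "https://www.googleapis.com/auth/gmail.modify",
        "https://www.googleapis.com/auth/gmail.settings.basic",
        "https://www.googleapis.com/auth/gmail.settings.sharing",
    },
    "https://www.googleapis.com/auth/gmail.modify": {
        "https://www.googleapis.com/auth/gmail.readonly",
        "https://www.googleapis.com/auth/gmail.compose",
        "https://www.googleapis.com/auth/gmail.insert",
        "https://www.googleapis.com/auth/gmail.send",
    },
    "https://www.googleapis.com/auth/gmail.readonly": {
        "https://www.googleapis.com/auth/gmail.metadata",
    },
    "https://www.googleapis.com/auth/drive": {
        "https://www.googleapis.com/auth/drive.readonly",
        "https://www.googleapis.com/auth/drive.metadata",
    },
    "https://www.googleapis.com/auth/drive.readonly": {
        "https://www.googleapis.com/auth/drive.metadata.readonly",
    },
    "https://www.googleapis.com/auth/drive.metadata": {
        "https://www.googleapis.com/auth/drive.metadata.readonly",
    },
}


def classify(scope: str) -> str:
    """Tier a scope falls into per this page: restricted, sensitive or recommended."""
    if scope in RESTRICTED:
        return "restricted"
    if scope in SENSITIVE:
        return "sensitive"
    return "recommended"


def covered_by(scope: str) -> set:
    """Transitive closure of COVERS: every narrower scope `scope` already grants."""
    seen, stack = set(), list(COVERS.get(scope, ()))
    while stack:
        narrower = stack.pop()
        if narrower not in seen:
            seen.add(narrower)
            stack.extend(COVERS.get(narrower, ()))
    return seen


def review(requested, external: bool = True) -> dict:
    """Classify a planned scope set and report the review burden and redundancies."""
    requested = list(dict.fromkeys(requested))  # drop duplicates, keep order
    tiers = {scope: classify(scope) for scope in requested}
    # A narrower scope is redundant when a broader scope in the same request covers it.
    redundant = {narrow: broad
                 for broad in requested
                 for narrow in covered_by(broad) if narrow in tiers}
    has_restricted = "restricted" in tiers.values()
    has_sensitive = "sensitive" in tiers.values()
    return {
        "tiers": tiers,
        "redundant": redundant,
        "minimal": [s for s in requested if s not in redundant],
        "needs_security_assessment": external and has_restricted,
        "needs_app_verification": external and (has_restricted or has_sensitive),
    }


if __name__ == "__main__":
    # Constructed request: full Drive plus a scope it already covers, one
    # sensitive Gmail scope, and one scope outside both tables.
    report = review([
        "https://www.googleapis.com/auth/drive",
        "https://www.googleapis.com/auth/drive.metadata.readonly",
        "https://www.googleapis.com/auth/gmail.send",
        "https://www.googleapis.com/auth/userinfo.email",
    ])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run this against the scope list you intend to put on the consent screen; `redundant` tells you which scopes to drop, and the two `needs_*` flags tell you, for an external app, whether step 5's security assessment and app verification apply. Setting `external=False` models an internal app, which this page exempts from both.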