Admin SDK

Google Apps Admin Settings API

The Google Apps Admin Settings API allows administrators of Google Apps domains to retrieve and change the settings of their domains in the form of Google Data API feeds.

These domain settings include many of the features available in the Google Apps Admin console. Example uses of this API include creating a custom control panel or integrating Google Apps domains into an existing legacy environment.

The Admin Settings API implements the Google Data API protocol. The Google Data API conforms to the Atom Publishing Protocol (AtomPub) publishing and editing model. The AtomPub HTTP requests use the Representational Set Transfer (RESTful) design approach to web services. For more information, see the Google Data APIs Overview.



Audience

This document is intended for developers who want to write client applications that can modify and retrieve information about Google Apps domains. It provides examples of the basic Admin Settings API interactions using raw XML and HTTP.

This document assumes that you understand the general ideas behind the Google Data API protocol, and that you are familiar with the Google Apps Admin console. For more information about the Admin console, see Use your Admin console.

Getting Started

Creating an account

The Google Apps Admin Settings API is enabled for the Google Apps for Business, Education and ISP accounts. Sign up for a Google Apps for Business or Education account for testing purposes. Contact sales for an ISP account. The Admin Settings service uses Google Accounts, so if you already have an account on a domain with one of these product versions, you're all set.

About the Admin Settings feed types

The Admin Settings API allows you to manage these categories of domain settings:

General settings
This feed allows you to modify a domain's language and organization name. In addition, use this feed to retrieve the maximum and current number of users in the domain.
Account settings
This feed allows you to modify a domain's secondary contact address. In addition, use this feed to retrieve information about the domain ownership status, product version, creation date, and country code.
Appearance settings
The appearance feed modifies a domain's header logo. The domain's logo is also managed in the Admin console.
Verification settings
The verification feed confirms your domain's MX record status.
Single Sign-On settings
SAML-based Single Sign-On (SSO) allows users to use the same login and password for both Google Apps hosted services as well as other services you may be hosting within your organization. Specifically when using SSO, a hosted web application, such as Google Apps, redirects users to your organization's identity provider to authenticate users when they log in. For detailed information, see Understanding SAML-based SSO for Google Apps.

Configuring SSO involves entering the necessary information for the Google Apps service to communicate with the identity provider that stores your users' login information, as well as setting up the links users should be sent to for logging in, logging out, and for changing their passwords. The Admin Settings API allows you to update and retrieve these settings programmatically. Google uses your generated public key to verify this SSO request with your identity provider and that the private key SAML response was not modified during the network transmission.

For a short API specific summary of using the SSO settings, get your public key certificate from your identity provider, register the public key with Google, and set up your SAML-based SSO query settings. For error messages, see Troubleshooting SSO:
  • Generate your keys -- With your identity provider, generate a set of public and private keys using either the DSA or RSA algorithms. The public key is in an X.509 formatted certificate. For more information about SAML-based Single Sign-On signing keys, see Generating Keys and Certificates for Google Apps Single Sign-On Service.
  • Register with Google -- Use the API's Single Sign-On settings to register your public key certificate with Google
  • Set up your SSO settings -- Use the API's Single Sign-On settings to configure the settings used to communication with the domain's identity provider's servers

Google Apps offers the Single Sign-On (SSO) service to customers with Google Apps for Business, Education, and ISPs.

Email migration, gateway, and routing settings
This feed lets domain administrators control whether the domain's users can upload mail using the Email Migration API.

If you are using both the IMAP email migration and the email routing services, the email routing operations allow administrators to specify the domain-level email routing settings. This is similar to the email routing functionality of the Admin console's Gmail settings. For more information, see Email routing. If you are using both the IMAP email migration and email routing resources, see the email routing feature's dual delivery configuration to allow users continuous mail flow while their mail is being migrated.

Sample of an Admin Settings API XML request and response

This document provides code examples of basic Admin Settings API requests and responses using raw XML and HTTP. This domain default language example shows the full XML and HTTP syntax for a request and response entry's body which is common to each operation:

To change the domain's default language, send an HTTP PUT to the default language's feed URL:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/general/defaultLanguage

The domain default language PUT request AtomPub entry XML is:

<atom:entry xmlns:atom='http://www.w3.org/2005/Atom'
  xmlns:apps='http://schemas.google.com/apps/2006'>
  <apps:property name='defaultLanguage' value='yourLanguageCode'/>
</atom:entry>

Except for the operation-specific properties and values, the atom:property elements represents a single key-value pair containing information about a property that you wish to retrieve or update. These are common to all Admin Settings API request bodies.

The domain default language response entry element returns the defaultLanguage property along with the XML syntax common to all Admin Settings API response bodies:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
<id>https://apps-apis.google.com/a/feeds/domain/2.0/domainName/general/defaultLanguage</id>
<updated>2008-12-17T23:59:23.887Z</updated>
<link rel='self' type='application/atom+xml' href='https://apps-apis.google.com/a/feeds/domain/
  2.0/domainName/general/defaultLanguage'/>
<link rel='edit' type='application/atom+xml' href='https://apps-apis.google.com/a/feeds/domain/
  2.0/domainName/general/defaultLanguage'/>
<apps:property name='defaultLanguage' value='yourLanguageCode'/>
</entry>

Managing general domain settings

The general domain API operations include managing a domain's language, organization name, maximum number of users, and the current number of users. The language and organization name settings are also editable on the Admin console's Company Profile page.

Retrieving a domain's default language

To retrieve the domain's default language, send an HTTP GET request to the default language feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/general/defaultLanguage

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with a standard AtomPub feed with the domain's default language element. For language encoding information, see the Google Apps Email Settings API Email Language Tags.

The response entry element returns the defaultLanguage property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='defaultLanguage' value='yourLanguageCode'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Updating a domain's default language

To update a domain's default language, first retrieve the entry you want to update using the Retrieving a domain's default language, modify it, and then send a PUT request, with the updated entry in the request's body, to the default language feed URL. Be sure the <id> value in your updated entry exactly matches the <id> of the existing entry.

When updating the domain's default language, send an HTTP PUT to the default language's feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{yourDomainName}/general/defaultLanguage

The PUT request AtomPub entry XML is:

<atom:entry xmlns:atom='http://www.w3.org/2005/Atom'
  xmlns:apps='http://schemas.google.com/apps/2006'>
<apps:property name='defaultLanguage' value='yourLanguageCode'/>
</atom:entry>

For language encoding, see the Google Apps Email Settings API Email Language Tags.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the default language.

The response entry element returns the defaultLanguage property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='defaultLanguage' value='yourLanguageCode'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Retrieving the organization name

To retrieve the domain's organization name, send an HTTP GET to the organization name feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/general/organizationName

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the domain's organization name.

The response entry element returns the organizationName property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='organizationName' value='yourOrgName'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Updating an organization name

To update a domain's organization name, first retrieve the entry the organization's name using the Retrieving the organization name, modify it, and then send a PUT request to the organization name feed URL. Be sure the <id> value in your updated entry exactly matches the <id> of the existing entry.

When changing the domain's organization name, send an HTTP PUT to the organization name feed URL:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/general/organizationName

The PUT request AtomPub entry XML is:

<atom:entry xmlns:atom='http://www.w3.org/2005/Atom'
  xmlns:apps='http://schemas.google.com/apps/2006'>
<apps:property name='organizationName' value='yourNewOrganizationName'/>
</atom:entry>

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the new organization name.

The response entry element returns the organizationName property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='organizationName' value='yourNewOrganizationName'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Retrieving the maximum number of users in a domain

To retrieve a domain's maximum number of users, send an HTTP GET to the maximum number of user feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/general/maximumNumberOfUsers

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the domain's allowed maximum number of users.

The response entry element returns the maximumNumberOfUsers property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='maximumNumberOfUsers' value='yourAccountMaxUserNumber'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Retrieving the current number of users in a domain

To retrieve a domain's current number of users, send an HTTP GET to the current number of user feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/general/currentNumberOfUsers

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the domain's current number of users.

The response entry element returns the currentNumberOfUsers property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='currentNumberOfUsers' value=' yourAccountCurrentUserNumber'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Managing account settings

The following sections demonstrate the XML format used for each account setting.

Retrieving the domain's support PIN (deprecated)

Retrieving the domain's product version

To retrieve a domain's product version, send an HTTP GET to the account information edition feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/edition

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub fee with the domain's product version.

The GET response returns the edition property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='edition' value='premier'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Retrieving the domain's customer PIN

To retrieve a customer's PIN, send an HTTP GET to the account information customer PIN feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/customerPIN

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the domain's customer PIN. The returned PIN is valid for one hour.

The GET response returns the customerPIN property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='customerPIN' value='nnnnnnnn'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Retrieving the domain's creation time

To retrieve the domain's creation time, send an HTTP GET to the account information creation time feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/creationTime

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the domain's creation time stamp.

The GET response returns the creationTime property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='creationTime' value='20080211T163910.308-0800'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Retrieving the domain's country code

To retrieve the domain's country code, send an HTTP GET to the account information country code feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/countryCode

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the domain's country code. For country code information, see the ISO 3166 country code elements.

The GET response returns the countryCode property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='countryCode' value='US'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Retrieving the domain administrator's secondary email address

To retrieve the domain administrator's secondary email address, send an HTTP GET to the account information administrator secondary email address feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/adminSecondaryEmail

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the administrator's secondary email address.

The GET response returns the adminSecondaryEmail property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='adminSecondaryEmail' value='yourSecondaryEmailAddress'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Changing the domain administrator's secondary email address

To change the domain administrator's secondary email address, send an HTTP PUT to the domain administrator's secondary email address feed URL:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/accountInformation/adminSecondaryEmail

The PUT request AtomPub entry XML is:

<atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='adminSecondaryEmail' value='yourAdminSecondaryEmail'/>
</atom:entry>

A successful response returns an HTTP 200 status code, along with an AtomPub entry element. If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

The PUT response returns the adminSecondaryEmail property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='adminSecondaryEmail' value='yourSecondaryEmailAddress'/>
</entry>

Managing appearance settings

The following sections demonstrate the XML format used for the appearance setting.

To change the domain's logo, send an HTTP PUT to the domain's logo feed URL:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/appearance/customLogo

The PUT request is:

<atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
<apps:property name='logoImage' value='<base 64 encoded binary data of logo image>' />
</atom:entry>

A successful response returns an HTTP 200 OK status code, along with an AtomPub entry element. If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

The PUT response returns the logoImage property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='logoImage' value='base 64 encoded binary data of logo image'/>
</entry>

Managing verification settings

The following sections demonstrate the XML format used to confirm your MX record verification settings.

To use the Google Apps Gmail service, the account's MX records must be modified to point to Google's email servers. Without this step, the account does not receive mail. The MX record operation confirms the verification status and tests your manual MX record edits. For more information about how to edit your MX records, see Configuring MX records.

Retrieving the MX record verification status

To find out if your MX records have been updated, retrieve the domain's MX record verification status. Send an HTTP GET to the MX record status feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/verification/mx

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the domain's MX record information.

The GET response returns the verified and verificationMethod properties:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='verified' value='false' />
<apps:property name='verifiedMethod' value='mx' />
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Changing the MX record verification status

Before confirming your MX record status, at your domain host vendor's web site, configure your MX record to point to the Google systems. For more information, see Configuring MX records.

To confirm and test your domain's MX record configuration, send an HTTP PUT to the domain's MX record status feed URL:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/verification/mx

In the PUT request, change the verified property value to true.

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='verified' value='true' />
</entry>

Use this operation to test your MX record edit and to reset the Google status of your MX record configuration.

This PUT request sets the verified property's value to true. If your MX record is correct, this MX verification PUT request returns property name='verified' value='true'. If the return value is false, it can mean your MX record updates have not been propagated, there is a typo in the MX record edit, or the MX record has not been configured. We recommend to wait the amount of time defined by the MX record's Time To Live value (TTL) and try again.

The PUT response returns the verified and verificationMethod properties:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='verified' value='true' />
<apps:property name='verifiedMethod' value='mx' />
</entry>

Managing Single Sign-On settings

The Google Apps Single Sign-On feature (SSO) lets users log on to multiple services while only having to enter a login and password once. This password is stored by the domain's identity provider, not by Google Apps. For more information, see the Help Center's SSO page. The following sections demonstrate the XML format used for Single Sign-On settings.

Retrieving Single Sign-On settings

To retrieve Single Sign-On settings, send an HTTP GET to the SSO general feed URL , and include an Authorization header as described in Authenticating to the Admin Settings service. And, for error messages, see Troubleshooting SSO:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/general

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the domain's SSO settings.

The GET response XML returns the samlSignonUri, samlLogoutUri, changePasswordUri, enableSSO, ssoWhitelist, and useDomainSpecificIssuer properties:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
<apps:property name='samlSignonUri' value='http://www.example.com/sso/signon'/>
...
<apps:property name='samlLogoutUri' value='http://www.example.com/sso/logout'/>
<apps:property name='changePasswordUri' value='http://www.example.com/sso/changepassword'/>
<apps:property name='enableSSO' value='true'/>
<apps:property name='ssoWhitelist' value='CIDR formated IP address'/>
<apps:property name='useDomainSpecificIssuer' value='false'/>
</entry>

The properties include:

samlSignonUri
The identity provider's URL where Google Apps sends the SAML request for user authentication.
samlLogoutUri
The address that users will be sent to when they log out of the web application.
changePasswordUri
The address that users will be sent to when they want to change their SSO password for the web application.
enableSSO
Enables SAML-based SSO for this domain. If you have previously configured SSO settings, and you have subsequently set enableSSO to enableSSO=false, the settings you have previosly entered are still saved.
ssoWhitelist
A ssoWhitelist is a network mask IP address in Classless Inter-Domain Routing (CIDR) format. The ssoWhitelist determines which users log in using SSO and which users log in using the Google Apps account authentication page. If no masks are specified, all users will log in using SSO. For more information, see How do network masks work.
useDomainSpecificIssuer
A domain specific issuer can be used in the SAML request to the identity provider. Though not necessary for most SSO deployments, this feature is useful in large companies using a single identity provider to authenticate an entire organization with multiple subdomains. Giving the specific domain issuer determines which subdomain to associate with the request. For more information, see How does the Issuer element in the SAML request work?

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Updating Single Sign-On settings

To update a domain's SSO settings, first retrieve the SSO settings using the Retrieving Single Sign-On settings operation, modify it, and then send a PUT request to the SSO feed URL. Be sure the <id> value is in your updated entry exactly matches the <id> of the existing entry. Include an Authorization header as described in Authenticating to the Admin Settings service. And, for error messages, see Troubleshooting SSO.

When updating Single Sign-On settings, send an HTTP PUT to the SSO general feed URL:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/general

The XML body of the PUT request is:

<atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps="http://schemas.google.com/apps/2006'>
<apps:property name='enableSSO' value='false' />
<apps:property name='samlSignonUri' value='http://www.example.com/sso/signon' />
<apps:property name='samlLogoutUri' value='http://www.example.com/sso/logout' />
<apps:property name='changePasswordUri' value='http://www.example.com/sso/changepassword' />
<apps:property name='ssoWhitelist' value='127.0.0.1/32' />
<apps:property name='useDomainSpecificIssuer' value='false'/>
</atom:entry>

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the SSO settings.

The PUT response XML is:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='samlSignonUri' value='http://www.example.com/sso/signon'/>
<apps:property name='samlLogoutUri' value='http://www.example.com/sso/logout'/>
<apps:property name='changePasswordUri' value='http://www.example.com/sso/changepassword'/>
<apps:property name='enableSSO' value='false'/>
<apps:property name='ssoWhitelist' value='127.0.0.1/32'/>
<apps:property name='useDomainSpecificIssuer' value='false'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Retrieving the Single Sign-On signing key

To retrieve the Single Sign-On signing key, send an HTTP GET to the SSO signing key feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service. And, for error messages, see Troubleshooting SSO:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/signingkey

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the signing key.

The GET response XML returns the signingKey property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='signingKey' value='yourBase64EncodedPublicKey'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Updating the Single Sign-On signing key

To update a domain's SSO signing key, first retrieve the signing key using the Retrieving Single Sign-On signing key operation, modify it, and then send a PUT request to the SSO signing key feed URL. Be sure the <id> value is in your updated entry exactly matches the <id> of the existing entry. For more information about SAML-based Single Sign-On signing keys, see Generating Keys and Certificates for Google Apps Single Sign-On Service.

When updating Single Sign-On signing key, send an HTTP PUT to the SSO signing key feed URL:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/sso/signingkey

The PUT request XML is:

<atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps="http://schemas.google.com/apps/2006">
<apps:property name='signingKey' value='yourBase64EncodedPublicKey'/>
</atom:entry>

Managing email migration, a gateway, and routing

The email migration sections demonstrate the XML format used to let domain administrators control whether users on their domain are allowed to migrate email from other accounts to Google Apps Gmail using the Email Migration API (EMAPI). The outbound email gateway section shows how the API supports the outbound routing of mail from users in your domain. The email routing section shows how to route messages to another mail server.

Retrieving migration access settings

To retrieve migration access settings, send an HTTP GET to the migration feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/email/migration

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the user migration status information.

The GET response returns the enableUserMigration property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='enableUserMigration' value='true'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Updating migration access settings

To update a domain's migration access settings, first retrieve the access settings using the Retrieving migration access settings operation, modify it, and then send a PUT request to the access setting feed URL. Be sure the <id> value is in your updated entry exactly matches the <id> of the existing entry.

When updating migration access settings, send an HTTP PUT to the migration feed URL:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/email/migration

The PUT request XML is:

<atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps="http://schemas.google.com/apps/2006">
<apps:property name='enableUserMigration' value='true' />
</atom:entry>

A successful response returns an HTTP 200 OK status code, along with the AtomPub feed with the migration access status.

The PUT response returns the enableUserMigration property:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='enableUserMigration' value='true'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Retrieving outbound email gateway settings

To retrieve outbound email gateway settings, send an HTTP GET to the gateway feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/email/gateway

This operation has no parameters in the request body.

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the email gateway status information.

The GET response returns the smartHost and smtpMode properties. For more information about these properties, see Updating outbound email gateway settings.

An example of a possible response is:

<?xml version='1.0' encoding='UTF-8'?>
<entry xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
...
<apps:property name='smartHost' value='smtpout.domain.com'/>
<apps:property name='smtpMode' value='SMTP'/>
</entry>

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Updating outbound email gateway settings

To update a domain's outbound email gateway setting, send an HTTP PUT request to the gateway feed URL:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/email/gateway

The PUT request XML is:

<atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps="http://schemas.google.com/apps/2006">
<apps:property name='smartHost' value='smtp.out.domain.com' />
<apps:property name='smtpMode' value='SMTP' />
</atom:entry>

The request properties are:

smartHost
Either the IP address or hostname of your SMTP server. Google Apps routes outgoing mail to this server.
smtpMode
The default value is SMTP. Another value, SMTP_TLS, secures a connection with TLS when delivering the message.

A successful response returns an HTTP 200 OK status code, along with the AtomPub feed with the email gateway settings status.

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Managing email routing settings

First, create an XML request:

<atom:entry xmlns:atom='http://www.w3.org/2005/Atom' xmlns:apps="http://schemas.google.com/apps/2006">
<apps:property name='routeDestination' value='route-smtp.domain.com'/>
<apps:property name='routeRewriteTo' value='true'/>
<apps:property name='routeEnabled' value='true'/>
<apps:property name='bounceNotifications' value='true'/>
<apps:property name='accountHandling' value='can be either allAccounts | provisionedAccounts | unknownAccounts'/>
</atom:entry>

The request properties are:

routeDestination
This destination is the hostname or IP address of the SMTP-In mail server where the email is being routed. The hostname or IP address must resolve for Google. For more details on resolving mail host names, see Pilot Google Apps with email routing.
routeRewriteTo
If true, the message's SMTP envelope's to: field is changed to the destination hostname (user@destination's hostname), and the message is delivered to this user address on the destination mail server. If false, the email is delivered to the original message's to: email address (user@original hostname) on the destination mail server. This is similar to the Admin console's 'Change SMTP envelope' setting. For more information, see Domain settings for email routing.
routeEnabled
If true, the email routing functionality is enabled. If false, the functionality is disabled.
bounceNotifications
If true, Google Apps is enabled to send bounce notifications to the sender when a delivery fails.
accountHandling
This setting determines how different types of users in the domain are affected by email routing: * allAccounts -- Deliver all email to this destination. * provisionedAccounts -- Deliver mail to this destination if the user exists in Google Apps. * unknownAccounts -- Deliver mail to this destination if the user does not exist in Google Apps. This is similar to the Admin console's 'Delivery email for' setting. For more information about prerequisites and how to use mail routing, see Domain settings for email routing.

To publish this request, send an HTTP POST to the email routing feed URL, and include an Authorization header as described in Authenticating to the Admin Settings service:

https://apps-apis.google.com/a/feeds/domain/2.0/{domainName}/emailrouting

A successful response returns an HTTP 200 OK status code, along with an AtomPub feed with the archive information.

If your request fails for some reason, a different status code is returned. For more information about the Google Data API status codes, see HTTP status codes.

Authentication required

You need to be signed in with Google+ to do that.

Signing you in...

Google Developers needs your permission to do that.