An Apps Script project uses a manifest file to configure certain details about the script and its operation. To learn how to view and edit a manifest, see Manifests.
This documentation covers the details of configuring a manifest for a Google Workspace Add-on.
Manifest structure for Google Workspace Add-ons
Google Workspace Add-ons use the Apps Script project
manifest file to define several aspects of the add-on's appearance and behavior.
Google Workspace Add-on manifest properties are
organized under the
addOns section of manifest object structure.
Sample Google Workspace Add-on manifest configuration
The below manifest sample shows the section of a manifest file that defines a Google Workspace Add-on, including the following aspects:
- The
addOns.commonsection of the manifest defines the name, logo URL, colors, and other general, host-independent settings for the add-on. - The manifest defines a common homepage, but also defines Calendar, Drive, Docs, Sheets, and Slides-specific homepages. Gmail uses the default homepage.
- The sample manifest settings enable the following:
- Calendar
eventOpenandeventUpdatedtriggers, and two Calendar conference solutions. - Two universal actions.
- A Drive
onItemsSelectedTrigger. - A Gmail compose action and contextual trigger.
- File-specific interfaces for Docs, Sheets, and Slides.
- Calendar
The below sample manifest also gives examples of oauthScopes
and urlFetchWhitelist
fields, which most add-on manifests must set.
The links in the sample direct to the descriptions of that field in the manifest reference documentation.
{
...
"addOns": {
"calendar": {
"createSettingsUrlFunction": "getConferenceSettingsPageUrl",
"conferenceSolution": [{
"id": "my-video-conf",
"logoUrl": "https://lh3.googleusercontent.com/...",
"name": "My Video Conference",
"onCreateFunction": "onCreateMyVideoConference"
}, {
"id": "my-streamed-conf",
"logoUrl": "https://lh3.googleusercontent.com/...",
"name": "My Streamed Conference",
"onCreateFunction": "onCreateMyStreamedConference"
}],
"currentEventAccess": "READ_WRITE",
"eventOpenTrigger": {
"runFunction": "onCalendarEventOpen"
},
"eventUpdateTrigger": {
"runFunction": "onCalendarEventUpdate"
},
"eventAttachmentTrigger": {
"label": "My Event Attachment"
"runFunction": "onCalendarEventAddAttachment"
},
"homepageTrigger": {
"runFunction": "onCalendarHomePageOpen",
"enabled": true
}
},
"common": {
"homepageTrigger": {
"runFunction": "onDefaultHomePageOpen",
"enabled": true
},
"layoutProperties": {
"primaryColor": "#ff392b",
"secondaryColor": "#d68617"
},
"logoUrl": "https://ssl.gstatic.com/docs/script/images/logo/script-64.png",
"name": "Demo Google Workspace Add-on",
"openLinkUrlPrefixes": [
"https://mail.google.com/",
"https://script.google.com/a/google.com/d/",
"https://drive.google.com/a/google.com/file/d/",
"https://en.wikipedia.org/wiki/",
"https://www.example.com/"
],
"universalActions": [{
"label": "Open settings",
"runFunction": "getSettingsCard",
"openLink": "https://www.example.com/help"
}],
"useLocaleFromApp": true
},
"drive": {
"homepageTrigger": {
"runFunction": "onDriveHomePageOpen",
"enabled": true
},
"onItemsSelectedTrigger": {
"runFunction": "onDriveItemsSelected"
}
},
"gmail": {
"composeTrigger": {
"selectActions": [
{
"text": "Add images to email",
"runFunction": "getInsertImageComposeCards"
}
],
"draftAccess": "METADATA"
},
"contextualTriggers": [
{
"unconditional": {},
"onTriggerFunction": "onGmailMessageOpen"
}
]
},
"docs": {
"homepageTrigger": {
"runFunction": "onEditorsHomepage"
},
"onFileScopeGrantedTrigger": {
"runFunction": "onFileScopeGrantedEditors"
}
},
"sheets": {
"homepageTrigger": {
"runFunction": "onEditorsHomepage"
},
"onFileScopeGrantedTrigger": {
"runFunction": "onFileScopeGrantedEditors"
}
},
"slides": {
"homepageTrigger": {
"runFunction": "onEditorsHomepage"
},
"onFileScopeGrantedTrigger": {
"runFunction": "onFileScopeGrantedEditors"
}
},
"oauthScopes": [
"https://www.googleapis.com/auth/calendar.addons.execute",
"https://www.googleapis.com/auth/calendar.addons.current.event.read",
"https://www.googleapis.com/auth/calendar.addons.current.event.write",
"https://www.googleapis.com/auth/drive.addons.metadata.readonly",
"https://www.googleapis.com/auth/gmail.addons.current.action.compose",
"https://www.googleapis.com/auth/gmail.addons.current.message.metadata",
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/script.external_request",
"https://www.googleapis.com/auth/script.locale",
"https://www.googleapis.com/auth/script.scriptapp",
"https://www.googleapis.com/auth/drive.file",
"https://www.googleapis.com/auth/documents.currentonly",
"https://www.googleapis.com/auth/spreadsheets.currentonly",
"https://www.googleapis.com/auth/presentations.currentonly"
...
],
"urlFetchWhitelist": [
"https://www.example.com/myendpoint/",
...
],
...
}
Allowlist URLs
Sometimes you may want your script or add-on to open a URL in response
to a user action. Other times you may want your script or add-on to
retrieve information from an external location using the Apps Script
UrlFetch service. In both cases you must
allowlist the URLs you open or fetch from in the project manifest.
Allowlisting is the process where you designate specific URLs that are pre-approved for access by your script or add-on. This requirement helps protect user data; if you define a allowlist, script projects can't access URLs that have not been allowlisted. Google Workspace add-ons require URLs to be allowlisted before they can be fetched or opened.
You can allowlist a URL for fetching by adding it or a matching prefix to the
urlFetchWhitelist
manifest field. For Google Workspace
add-on projects, you can allowlist a URL for
opening by adding it or a matching prefix to the
addOns.common.openLinkUrlPrefixes
manifest field.
The prefixes you add to the manifest must satisfy the following requirements:
- Each prefix must be a valid URL.
- Each prefix must use
https://, nothttp://. - Each prefix must have a full domain.
- Each prefix must have a non-empty path. For example,
https://www.google.com/is valid buthttps://www.google.comis not. - You can use wildcards to match URL subdomain prefixes.
- A single
*wildcard can be used in theaddOns.common.openLinkUrlPrefixesfield to match all links, but this is not recommended as it can expose a user's data to risk and can prolong the add-on review process. Only use a wildcard if your add-on functionality requires it.
When determining if a URL matches a allowlisted prefix, the following rules apply:
- Path matching is case-sensitive.
- If the prefix is identical to the URL, it is a match.
- If the URL is the same or a child of the prefix, it is a match.
For example, the prefix https://example.com/foo matches the following URLs:
https://example.com/foohttps://example.com/foo/https://example.com/foo/barhttps://example.com/foo?barhttps://example.com/foo#bar
Using wildcards
You can use a single wildcard character (*) to match a subdomain for both the
urlFetchWhitelist
and addOns.common.openLinkUrlPrefixes
fields. You can't use more than one wildcard to match multiple subdomains, and
the wildcard must represent the leading prefix of the URL.
For example, the prefix https://*.example.com/foo matches the following
URLs:
https://subdomain.example.com/foohttps://any.number.of.subdomains.example.com/foo
The prefix https://*.example.com/foo doesn't match the following
URLs:
https://subdomain.example.com/bar(suffix mismatch)https://example.com/foo(at least one subdomain must be present)
Some of the prefix rules are enforced when you try to save your manifest. For example, the following prefixes cause an error if they are present in your manifest when you attempt to save:
https://*.*.example.com/foo(multiple wildcards are forbidden)https://subdomain.*.example.com/foo(wildcards must be used as a leading prefix)