Choose Google Drive API scopes

This document contains Google Drive API-specific authorization and authentication information. Before reading this document, be sure to read the Google Workspace's general authentication and authorization information at Learn about authentication & authorization.

Configure OAuth 2.0 for authorization

Configure your app's OAuth consent screen and choose scopes to define what information is displayed to users and app reviewers, and register your app so that you can publish it later.

Drive API scopes

To define the level of access granted to your app, you need to identify and declare authorization scopes. An authorization scope is an OAuth 2.0 URI string that contains the Google Workspace app name, what kind of data it accesses, and the level of access. Scopes are your app's requests to work with Google Workspace data, including users' Google Account data.

When your app is installed, a user is asked to validate the scopes used by the app. Generally, you should choose the most narrowly focused scope possible and avoid requesting scopes that your app doesn't require. Users more readily grant access to limited, clearly described scopes.

When possible, we recommend using non-sensitive scopes as it grants per-file access scope and narrows access to specific functionality needed by an app.

The Drive API supports the following scopes:

Scope code Description Usage
https://www.googleapis.com/auth/drive.appdata
https://www.googleapis.com/auth/drive.appfolder		 View and manage the app's own configuration data in your Google Drive. Recommended
Non-sensitive
https://www.googleapis.com/auth/drive.install Allow apps to appear as an option in the "Open with" or the "New" menu. Recommended
Non-sensitive
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/drive.resource		 View and manage Drive files and folders that you open or create with an app. Recommended
Non-sensitive
https://www.googleapis.com/auth/auth/drive.apps.readonly View apps authorized to access your Drive. Sensitive
https://www.googleapis.com/auth/drive View and manage all of your Drive files. Restricted
https://www.googleapis.com/auth/drive.readonly View and download all your Drive files. Restricted
https://www.googleapis.com/auth/drive.activityView and add to the activity record of files in your Drive. Restricted
https://www.googleapis.com/auth/drive.activity.readonlyView the activity record of files in your Drive. Restricted
https://www.googleapis.com/auth/drive.metadata View and manage metadata of files in your Drive. Restricted
https://www.googleapis.com/auth/drive.metadata.readonly View metadata for files in your Drive. Restricted
https://www.googleapis.com/auth/drive.scripts Modify your Google Apps Script scripts' behavior. Restricted

The Usage column in the table above indicates the sensitivity of each scope, according to the following definitions:

  • Recommended / Non-sensitive—These scopes provide the smallest scope of authorization access and only requires basic app verification. For information on this requirement, see Steps to prepare for verification.

  • Recommended / Sensitive—These scopes provide access to specific Google User Data that's authorized by the user for your app. It requires you to go through additional app verification. For information on this requirement, see Steps for apps requesting sensitive scopes

  • Restricted—These scopes provide wide access to Google User Data and require you to go through a restricted scope verification process. For information on this requirement, see Google API Services: User Data Policy and Additional Requirements for Specific API Scopes. If you store restricted scope data on servers (or transmit), then you must go through a security assessment.

If your app requires access to any other Google APIs, you can add those scopes as well. For more information about Google API scopes, see Using OAuth 2.0 to Access Google APIs.

For more information about specific OAuth 2.0 scopes, see OAuth 2.0 Scopes for Google APIs.

OAuth verification

Using certain OAuth scopes might require that your app proceed through Google's OAuth verification process. Read the OAuth API verification FAQs to determine when your app should go through verification and what type of verification is required. See also the Google Drive Additional Terms of Service.

When to use a restricted scope

For Drive, only the following application types may access restricted scopes:

  1. Platform-specific and web apps that provide local sync or automatic backup of users’ Drive files.
  2. Productivity and educational applications whose user interface might involve interaction with Drive files (or their metadata or permissions). Productivity applications include task management, note taking, workgroup communications, and classroom collaboration applications.
  3. Reporting and security applications that provide user or customer insight into how files are shared or accessed.

To continue using restricted scopes, you should prepare your app for restricted scope verification.

Migrate an existing app from restricted scopes

If you've developed a Drive app using any of the restricted scopes, we recommend migrating your app to use a non-sensitive scope as it grants per-file access scope and narrows access to specific functionality needed by an app. Many apps work with per-file access without any changes. If you're using your own file picker, we recommend switching to the Google Picker API which fully supports different scopes.

Save refresh tokens

Save refresh tokens in secure, long-term storage and continue to use them as long as they remain valid.