This document contains Google Workspace Events API-specific authorization and authentication information. Before reading this document, be sure to read the Google Workspace's general authentication and authorization information at Learn about authentication and authorization.
Configure OAuth 2.0 for authorization
Configure the OAuth consent screen and choose scopes to define what information is displayed to users and app reviewers, and register your app so that you can publish it later.
Google Workspace Events API scopes
To define the level of access granted to your app, you need to identify and declare authorization scopes. An authorization scope is an OAuth 2.0 URI string that contains the Google Workspace app name, what kind of data it accesses, and the level of access. Scopes are your app's requests to work with Google Workspace data, including users' Google Account data.
When your app is installed, a user is asked to validate the scopes used by the app. Generally, you should choose the most narrowly focused scope possible and avoid requesting scopes that your app doesn't require. Users more readily grant access to limited, clearly described scopes.
When possible, we recommend using non-sensitive scopes as it grants per-file access scope and narrows access to specific functionality needed by an app.
The Google Workspace Events API uses scopes from Google Workspace applications that support subscriptions. If your app already uses the scopes that are required for your subscription, you don't need to add additional scopes to use the Google Workspace Events API.
The following table displays the supported scopes for the Google Workspace Events API:
| Scope code | Description | Usage | ||
|---|---|---|---|---|
| Google Chat | ||||
https://www.googleapis.com/auth/chat.bot |
Lets Google Chat apps view chats and send messages. Gives access to all features available to Chat apps. | Non-sensitive | ||
https://www.googleapis.com/auth/chat.memberships |
View, add, and remove members from conversations in Google Chat. | Sensitive |
||
https://www.googleapis.com/auth/chat.memberships.readonly |
View members in Google Chat conversations. | Sensitive |
||
https://www.googleapis.com/auth/chat.spaces |
Create conversations and spaces and view or update metadata (including history settings) in Google Chat. | Sensitive | ||
https://www.googleapis.com/auth/chat.spaces.readonly |
View chat and spaces in Google Chat. | Sensitive |
||
https://www.googleapis.com/auth/chat.messages |
View, compose, send, update, and delete messages, and add, view, and delete reactions to messages. | Restricted | ||
https://www.googleapis.com/auth/chat.messages.readonly |
View messages and reactions in Google Chat. | Restricted |
||
https://www.googleapis.com/auth/chat.messages.reactions |
View, add, and delete reactions to messages in Chat. | Restricted |
||
https://www.googleapis.com/auth/chat.messages.reactions.readonly |
View reactions to a message in Chat. | Restricted |
||
| Google Meet | ||||
https://www.googleapis.com/auth/meetings.space.created |
Allow apps to create, modify, and read metadata about meeting spaces created by your app. | Sensitive |
||
https://www.googleapis.com/auth/meetings.space.readonly |
Allow apps to read metadata about any meeting space the user has access to. | Sensitive |
||
The Usage column in the preceding table indicates the sensitivity of each scope, according to the following definitions:
Non-sensitive—These scopes provide the smallest scope of authorization access and only requires basic app verification. For information on this requirement, see Steps to prepare for verification.
Sensitive—These scopes provide access to specific Google User Data that's authorized by the user for your app. It requires you to go through additional app verification. For information on this requirement, see Steps for apps requesting sensitive scopes
Restricted—These scopes provide wide access to Google User Data and require you to go through a restricted scope verification process. For information on this requirement, see Google API Services: User Data Policy and Additional Requirements for Specific API Scopes. If you store restricted scope data on servers (or transmit), then you must go through a security assessment.
If your app requires access to any other Google APIs, you can add those scopes as well. For more information about Google API scopes, see Using OAuth 2.0 to Access Google APIs.
For more information about specific OAuth 2.0 scopes, see OAuth 2.0 Scopes for Google APIs.
OAuth verification
Using certain OAuth scopes might require that your app proceed through Google's OAuth verification process. Read the OAuth API verification FAQs to determine when your app should go through verification and what type of verification is required. See also the Google Drive Additional Terms of Service.
Types of required authentication
This section explains which types of authentication are required or supported, and provides the supported scopes for each method of the Google Workspace Events API.
For subscriptions to Google Chat events, the Google Workspace Events API
supports both user and app authentication to call some of its methods. If an API
method supports both credentials, the type of credential used in the call
affects the result that's returned. For example, if you call the
subscriptions.list()
method with user authentication, the API returns a list of subscriptions that
the authenticated user can access. If you use app authentication, the API
returns a list of subscriptions that the app can access. To learn more about
the types of Chat authentication, see Authenticate and authorize
Chat apps and Google Chat API
requests.
The following table displays which scopes and types of authentication are required or supported for each Google Workspace Events API method:
| Method | User authentication required or supported | App authentication supported (Google Chat apps only) | Authorization scopes supported | |
|---|---|---|---|---|
| Create a subscription | — |
Requires a supported scope for each event type:
|
||
| Get a subscription |
With user authentication, this method requires a scope that supports at least one event type for the subscription.
With app authentication (Google Chat apps only):
|
|||
| List subscriptions |
With user authentication, this method requires a scope that supports at least one event type for the subscription.
With app authentication (Google Chat apps only):
|
|||
| Update a subscription | — |
Requires a supported scope for each event type:
|
||
| Reactivate a subscription | — |
Requires a supported scope for each event type:
|
||
| Delete a subscription |
With user authentication, this method requires a scope that supports at least one event type for the subscription.
With app authentication (Google Chat apps only):
|
|||
Scopes by event type
When you call the Google Workspace Events API using user authentication, you must specify one or more scopes that correspond to the event types of the subscription.
The following table displays which authorization scopes are supported for each event type:
| Events | Event types | Authorization scopes supported | ||||||
|---|---|---|---|---|---|---|---|---|
| Google Chat | ||||||||
| A message is posted or updated. |
|
|
||||||
| A reaction is added or deleted, or multiple reactions are changed. |
|
|
||||||
| A membership is created, updated, or removed, or multiple memberships are changed. |
|
|
||||||
| A space is updated or deleted. |
|
|
||||||
| Google Meet | ||||||||
| A conference starts or ends. |
|
|
||||||
| A participant joins or leaves a conference. |
|
|
||||||
| A recording was generated. |
|
|
||||||
| A transcript was generated. |
|
|
||||||