Configure the OAuth consent screen and choose scopes

When you use OAuth 2.0 for authorization, Google displays a consent screen to the user including a summary of your project, its policies, and the requested authorization scopes of access. Configuring your app's OAuth consent screen defines what is displayed to users and app reviewers, and registers your app so you can publish it later.

To define the level of access granted to your app, you need to identify and declare authorization scopes. An authorization scope is an OAuth 2.0 URI string that contains the Google Workspace app name, what kind of data it accesses, and the level of access. Scopes are your app's requests to work with Google Workspace data, including users' Google Account data.

When your app is installed, a user is asked to validate the scopes used by the app. Generally, you should choose the most narrowly focused scope possible and avoid requesting scopes that your app doesn't require. Users more readily grant access to limited, clearly described scopes.

All apps using OAuth 2.0 require a consent screen configuration, but you only need to list scopes for apps used by people outside your Google Workspace organization.

Tip: If you don't know required consent screen information, you can use placeholder information prior to release.

For security reasons, you can't remove the OAuth 2.0 consent screen after you've configured it.

  1. In the Google Cloud console, go to Menu > APIs & Services > OAuth consent screen.

    Go to OAuth consent screen

  2. Select the user type for your app, then click Create.
  3. Complete the app registration form, then click Save and Continue.
  4. If you're creating an app for use outside of your Google Workspace organization, click Add or Remove Scopes. We recommend the following best practices when selecting scopes:

    • Select the scopes that provide the minimum level of access required by your app. For a list of available scopes, see OAuth 2.0 Scopes for Google APIs.
    • Review the scopes listed in each of the three sections: non-sensitive scopes, sensitive scopes, and restricted scopes. For any scopes listed in the "Your sensitive scopes" or "Your restricted scopes" sections, try to identify alternative non-sensitive scopes to avoid unnecessary additional reviews.
    • Some scopes require additional reviews by Google. For apps used only internally by your Google Workspace organization, scopes aren't listed on the consent screen and use of restricted or sensitive scopes doesn't require further review by Google. For more information, see Scope categories.
  5. After selecting the scopes required by your app, click Save and Continue.
  6. If you selected External for user type, add test users:
    1. Under Test users, click Add users.
    2. Enter your email address and any other authorized test users, then click Save and Continue.
  7. Review your app registration summary. To make changes, click Edit. If the app registration looks OK, click Back to Dashboard.

Scope categories

Some scopes require additional reviews and requirements because of the level or type of access they grant. Consider the following types of scopes:

      Basic app verification required Additional app verification required Security assessment required
  Non-sensitive scopes (recommended) Grant access only to limited data that's immediately relevant to a specific action.
Sensitive scopes Grant access to personal user data, resources, or actions.
Restricted scopes Grant access to highly-sensitive or extensive user data or actions.

Next step

Create access credentials for your app.