Authorize 3rd party data access (OAuth)

OAuth: Managing the OAuth key and secret

Important: OAuth 1.0 has been officially deprecated as of April 20, 2012, and we are not accepting registration of new 1.0 clients as of October 2013. Existing OAuth 1.0 clients will continue to work as per our deprecation policy, but we encourage you to migrate to OAuth 2.0 as soon as possible. This article is for use by customers with existing OAuth 1.0 clients only.

Location: Security > Advanced settings > Authentication > Manage OAuth domain key

The "Manage OAuth key and secret for this domain" page allows you to enable, disable or update the OAuth 1.0 consumer secret for your domain. For the basic features of OAuth 1.0, see the "Overview of OAuth in Google Apps".

For sending OAuth requests to Google Apps, you can either:

  • Use the OAuth consumer key and consumer secret (HMAC-SHA1 signature method)

    or

  • Upload a X.509 certificate (RSA signature method)

The consumer key and secret is usually preferred over the certificate for performance reasons.

OAuth consumer key
Click "Enable this consumer key" if you want to generate OAuth requests with it.

OAuth consumer secret
You can regenerate a new consumer secret at any time, for example, if you decide to no longer allow access from a certain client.

X.509 Certificate
This is an option to using the consumer key and secret for signing requests. For more information on generating a certificate, see "Generating a self-signing private key and public certificate".

Two-legged OAuth access control
Click "Allow access to all APIs" to bypass any access control checks in the Google Data API when using the the domain key. For example, if this setting is enabled, a domain administrator can view and/or modify the Google Data API's, such as Google Calendar or Google Document List feeds for any user in their domain.

Also some Google Apps applications, such as the Google Apps Connector for BlackBerry Enterprise Server, require this broad level of OAuth access.

Following are the Google Data APIs that currently support two-legged OAuth for Google Apps domains:

Google API Scope
Calendar Data API http(s)://www.google.com/calendar/feeds/
Contacts Data API http(s)://www.google.com/m8/feeds/
Documents List Data API http(s)://docs.google.com/feeds/
Sites Data API http(s)://sites.google.com/feeds/
Spreadsheets Data API http(s)://spreadsheets.google.com/feeds/
Calendar Resources HTTPS Read Only https://apps-apis.google.com/a/feeds/calendar/resource/#readonly
Groups Rosters HTTPS Read Only https://apps-apis.google.com/a/feeds/group/#readonly
Nicknames HTTPS Read Only https://apps-apis.google.com/a/feeds/nickname/#readonly
Users HTTPS Read Only https://apps-apis.google.com/a/feeds/user/#readonly

Additional resources