Control G Suite API access with domain-wide delegation

As a G Suite administrator, you can use domain-wide delegation of authority to grant third-party and internal applications access to your G Suite users' data.

App developers and G Suite administrators can create service accounts with OAuth 2.0. Then, you authorize the service accounts to access your users' G Suite data without requiring each user to give consent. Typical apps granted domain-wide delegation:

  • G Suite migration and sync tools (such as G Suite Migrate)

  • Internal apps (for example, automation apps) that developers create for your G Suite organization. For example, you can delegate access to an application that uses the Calendar API to add events to your users' calendars.

  • Three-legged OAuth apps, which normally require individual user consent. Users activate apps without being prompted for consent, and you can specify the user data that the apps can access.

To delegate access in the Admin console, you add the client ID of the service account or OAuth2 client ID of the app, and then grant access to supported Google APIs (scopes).

About domain-wide delegation

Domain-wide delegation is a powerful feature that allows apps to access users' data across your organization's entire G Suite account. For example, grant domain-wide delegation to a migration app that duplicates user content from another service to G Suite. For this reason, only super admins can manage domain-wide delegation, and they must specify each API scope that the app can access.

You can also manage domain-wide installation and view API scopes for G Suite Marketplace apps. Learn about Marketplace apps data access and installation.

Open all   |   Close all

Before you start
  • You need super admin privileges for your G Suite account.

  • To add or edit an app, get this information from the app developer:
  • The client ID of the service account.
  • The list of API scopes requested by the app. Check that the app has an appropriately small scope of access.
  • With domain-wide delegation, the app has access to the data belonging to all of your G Suite users. We recommend setting up a regular review of service accounts and deleting any accounts no longer in use.
Set up domain-wide delegation for a client
  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to "" and then Security and then API controls.
  3. Under Domain wide delegation, click Manage Domain Wide Delegation.
  4. On the Manage domain wide delegation page, click Add new.

  5. Enter the client ID of the service account or OAuth2 client ID of the app. (Typically by provided by the developer. Or if you're the owner of the service account, you can look up the ID.)

  6. In OAuth Scopes, add each scope that the application can access (should be appropriately narrow). You can use any of the OAuth 2.0 Scopes for Google APIs. For example, if the application needs domain-wide access to the Google Drive API and the Google Calendar API, enter https://www.googleapis.com/auth/drive and https://www.googleapis.com/auth/calendar.
  7. Click Authorize. If you get an error, the client ID might not be registered with Google or there might be duplicate or unsupported scopes.
  8. To make sure every scope appears, select the new client ID and click View details.

    If they don't, click Edit, enter the missing scopes, and click Authorize. Note that you can't edit the client ID.

The app should be available for use within an hour, but might take up to 24 hours.

View, edit, or delete clients and scopes

As a best practice, periodically check your app's scopes and remove scopes that aren't required or actively used. Also delete clients you no longer need. For example, remove access for G Suite Migrate after you complete your migration.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. From the Admin console Home page, go to "" and then Security and then API controls.
  3. Under Domain-wide delegation, click Manage domain-wide delegation.
  4. Click a client name and then action:
  • View details: View the full client name and list of scopes

  • Edit: Add or remove scopes (you can't edit the client ID). Changes should be active with an hour, but might take up to 24 hours.

  • Remove: Applications that depend on the client authorization will immediately stop working.

Was this helpful?
How can we improve it?