Authorize 3rd party data access (OAuth)

OAuth: Managing API client access

Important: OAuth 1.0 has been officially deprecated as of April 20, 2012, and we are not accepting registration of new 1.0 clients as of October 2013. Existing OAuth 1.0 clients will continue to work as per our deprecation policy, but we encourage you to migrate to OAuth 2.0 as soon as possible. This article is for use by customers with existing OAuth 1.0 clients only.

Location: Security > Advanced settings > Authentication > Manage OAuth domain key

What it does: The Manage API client access page allows you to control custom internal application and third-party application access to supported Google Data APIs (scopes).

1) For internal applications only, you must add your domain as an OAuth client. First, enable the consumer key for your domain on the Manage OAuth domain key page. Select the "Enable this consumer key" setting, but do not select the "Allow access to all APIs" setting, since you will be limiting access to specific APIs.

2) On the Manage API client access page, register your client under the Authorize a new API client settings. Enter the client name and the scope, then click Authorize.

  • For internal applications: Enter your consumer key (OAuth client) in the Client Name field, and then enter the scope. For example, if your domain is "www.electric-automotive.com", you would enter "electric-automotive.com" as the client name. Then, to limit access for an internal application to Calendar data only, you would enter "http://www.google.com/calendar/feeds" in the API Scope field.
     
  • For third-party applications: Enter the client name provided by the third-party vendor and specify the scope. Add a new client by entering the client name (OAuth consumer key) and API scope and clicking "Authorize". You should verify that the client is known to you and that it has an appropriately small scope of access. For example, to allow www.plaxo.com to access the Contacts and Calendar APIs, add an entry with "www.plaxo.com" as the client name and a scope value of "http://www.google.com/m8/feeds/, http://www.google.com/calendar/feeds/".

For each client, you can specify multiple APIs, separated by commas. For example, to allow access to both the Contacts and Documents List APIs: "http://www.google.com/m8/feeds/, http://docs.google.com/feeds/". Each client can appear in the list only once; the list cannot have two entries for one OAuth client. The following Google Data APIs currently support two-legged OAuth for Google Apps domains:

| Google API | Scope |
|---|---|
| Calendar Data API | http(s)://www.google.com/calendar/feeds/ |
| Contacts Data API | http(s)://www.google.com/m8/feeds/ |
| Documents List Data API | http(s)://docs.google.com/feeds/ |
| Sites Data API | http(s)://sites.google.com/feeds/ |
| Spreadsheets Data API | http(s)://spreadsheets.google.com/feeds/ |
| Calendar Resources HTTPS Read Only | https://apps-apis.google.com/a/feeds/calendar/resource/#readonly |
| Groups Rosters HTTPS Read Only | https://apps-apis.google.com/a/feeds/group/#readonly |
| Nicknames HTTPS Read Only | https://apps-apis.google.com/a/feeds/nickname/#readonly |
| Users HTTPS Read Only | https://apps-apis.google.com/a/feeds/user/#readonly |
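
As an added example (not Google's code), here is a pre-check an administrator could run on client name and scope pairs before authorizing them. It checks each comma-separated scope against the table above, flags a second entry for the same client, and flags any API beyond what was meant to be approved. The function names and the `INTENDED` mapping are hypothetical, and rows shown only as https:// are treated as HTTPS only.

```python
from urllib.parse import urlsplit
# (host, path, fragment) -> (API name, HTTPS only), copied from the scope table on this page.
SUPPORTED = {
    ("www.google.com", "/calendar/feeds", ""): ("Calendar Data API", False),
    ("www.google.com", "/m8/feeds", ""): ("Contacts Data API", False),
    ("docs.google.com", "/feeds", ""): ("Documents List Data API", False),
    ("sites.google.com", "/feeds", ""): ("Sites Data API", False),
    ("spreadsheets.google.com", "/feeds", ""): ("Spreadsheets Data API", False),
    ("apps-apis.google.com", "/a/feeds/calendar/resource", "readonly"): ("Calendar Resources", True),
    ("apps-apis.google.com", "/a/feeds/group", "readonly"): ("Groups Rosters", True),
    ("apps-apis.google.com", "/a/feeds/nickname", "readonly"): ("Nicknames", True),
    ("apps-apis.google.com", "/a/feeds/user", "readonly"): ("Users", True),
}

def classify(scope):
    """Return (api_name, problem); exactly one of the two is None."""
    u = urlsplit(scope.strip())
    key = (u.netloc.lower(), u.path.rstrip("/"), u.fragment)  # trailing slash is optional
    name, https_only = SUPPORTED.get(key, (None, False))
    if name is None or u.scheme not in ("http", "https"):
        return None, "not a scope listed on this page"
    if https_only and u.scheme != "https":
        return None, f"{name} is listed as HTTPS only"
    return name, None

def review(entries, intended):
    """entries: [(client, 'scope, scope')]; intended: {client: {API names to allow}}."""
    findings, seen = [], set()
    for client, field in entries:
        if client in seen:  # the page allows one entry per OAuth client
            findings.append((client, "duplicate client entry"))
        seen.add(client)
        for scope in filter(None, (s.strip() for s in field.split(","))):
            name, problem = classify(scope)
            if problem:
                findings.append((client, f"{scope}: {problem}"))
            elif name not in intended.get(client, set()):
                findings.append((client, f"{name} is broader than intended"))
    return findings

ENTRIES = [  # constructed sample input; client names are the page's own examples
    ("electric-automotive.com", "http://www.google.com/calendar/feeds"),
    ("www.plaxo.com", "http://www.google.com/m8/feeds/, http://docs.google.com/feeds/"),
    ("www.plaxo.com", "http://www.google.com/calendar/feeds/"),
]
INTENDED = {"electric-automotive.com": {"Calendar Data API"},  # hypothetical approvals
            "www.plaxo.com": {"Contacts Data API", "Calendar Data API"}}
if __name__ == "__main__":
    print(*review(ENTRIES, INTENDED), sep="\n")
```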

Authorized API Clients
Lists your approved clients and their scope.

After the client has been added, you can remove a client that has a specified API scope by clicking the "Remove" link. If the client is the OAuth consumer key for your Google Apps domain, you'll see a "Manage" link instead. Clicking this link takes you to the Manage OAuth key and secret for this domain page, where you can edit the client (for example, turn off global API scope access).

Caution: Be careful when revoking access, because applications that depend on the authorization will immediately stop working.

Third-party developers can learn more about registering and setting up OAuth for their web application. (Note: if you have an application on AppEngine that you would like to register, you must have a web server.)
