Authorize 3rd party data access (OAuth)

OAuth: Managing API client access

Important: OAuth 1.0 has been replaced by OAuth 2.0 as of April 20, 2015. We encourage you to migrate to OAuth 2.0 as soon as possible. OAuthConfig in Apps Script will be forcefully shut down starting June 26, 2015. Scripts using OAuthConfig to connect to a Google API should instead use the OAuth2 for Apps Script library.

Location: Security > Advanced settings > Authentication > Manage OAuth domain key

What it does: The Manage API client access page allows you to control custom internal application and third-party application access to supported Google Data APIs (scopes).

1) For internal applications only, you must add your domain as an OAuth client. First, enable the consumer key for your domain on the Manage OAuth domain key page. Click the "Enable this consumer key" setting, but do not click the "Allow access to all APIs" setting, since you will be limiting access to specific APIs.

2) On the Manage client API access page, register your client in the Authorize a new API client settings. You enter the client name and the scope, and click Authorize.

  • For internal applications: Enter your consumer key (OAuth client) in the Client Name field and then the scope. For example, if your domain is "", you would enter "" as the client name. Then, to limit access for an internal application to Calendar data only, you would enter "" in the API Scope field.
  • For third-party applications: Enter the client name provided by the third-party vendor and specify the scope. Add a new client by entering the client name (OAuth consumer key) and API scope and clicking "Authorize". You should verify that the client is known to you and that it has an appropriately small scope of access. For example, to allow to access Contacts and Calendar APIs, add an entry with "" as the client name and a scope value of ",".

For each client, you can specify multiple APIs, separated by commas. For example, to allow access to both the Contacts and Documents List APIs: ",". Each OAuth client can appear only once in the list; the list cannot have two entries for one OAuth client. Following are the Google Data APIs that currently support two-legged OAuth for Google Apps domains:

Google API Scope
Calendar Data API http(s)://
Contacts Data API http(s)://
Documents List Data API http(s)://
Sites Data API http(s)://
Spreadsheets Data API http(s)://
Calendar Resources HTTPS Read Only
Groups Rosters HTTPS Read Only
Nicknames HTTPS Read Only
Users HTTPS Read Only

Authorized API Clients
Lists your approved clients and their scope.

After the client has been added, you can remove a client that has a specified API scope by clicking the "Remove" link. If the client is the OAuth consumer key for your Google Apps domain, you'll see the link "Manage" instead. Clicking this link takes you to the Manage OAuth key and secret for this domain page, where you can edit the client (for example, turn off global API scope access).

Caution: Be careful when revoking access, because applications that depend on the authorization will immediately stop working.
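
One way to review the Authorized API Clients list against the clients and scopes you intended to approve, as an added example that is not part of the original article or any Google tool. The client names, scope URLs and the list-of-pairs input format are constructed placeholders, not real Google values.

```python
# Added example: compare the Authorized API Clients list with an approved baseline.
# Every client name and scope URL here is a constructed placeholder.

def parse_scopes(field):
    """Split the comma-separated API Scope field into a set of scope strings."""
    return {s.strip() for s in field.split(",") if s.strip()}


def audit_clients(entries, approved):
    """Return (client, issue) findings.

    entries:  (client_name, scope_field) pairs copied from the console list
    approved: client_name -> set of scopes the administrator intends to allow
    """
    findings = []
    for name, field in entries:
        if name not in approved:
            # A client nobody signed off on: verify it before leaving it authorized.
            findings.append((name, "client not in approved baseline"))
            continue
        # Scopes granted in the console but absent from the baseline.
        for scope in sorted(parse_scopes(field) - approved[name]):
            findings.append((name, "scope beyond baseline: " + scope))
    return findings


# Constructed sample data (placeholder domains and scopes).
CAL = "https://scopes.example/calendar/"
CON = "https://scopes.example/contacts/"
DOC = "https://scopes.example/docs/"

APPROVED = {
    "internal.example": {CAL},
    "vendor.example": {CON, CAL},
}

ENTRIES = [
    ("internal.example", CAL),
    ("vendor.example", CON + ", " + CAL + "," + DOC),
    ("unknown-vendor.example", CON),
]

if __name__ == "__main__":
    for client, issue in audit_clients(ENTRIES, APPROVED):
        print(client + ": " + issue)
```

Because revoking access stops dependent applications immediately, treat each finding as something to confirm with the application owner before clicking "Remove".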

Third-party developers can learn more about registering and setting up OAuth for their web application. (Note: if you have an application on AppEngine that you would like to register, you must have a web server.)
