Whitelist connected apps

Manage OAuth-based access to connected apps

As an admin, if you don't want sensitive Google Drive or Gmail content shared outside your organization's domain through third-party OAuth apps or add-ons, you can revoke OAuth access tokens.

You can also disable several API scopes across G Suite services. These include Gmail, Drive, Calendar, and Google Cloud Platform services, such as Machine Learning. You can selectively whitelist third-party applications that can access those scopes.

Disabling an API scope or trusting a third-party application for a G Suite service such as Calendar applies to all scopes that the service provides, including OAuth scopes. Some apps, such as Gmail, provide a greater level of access control for predefined high-risk scopes.

How to whitelist an app

You must be signed in as a super administrator for this task.

If you have Drive Enterprise edition, API access settings don't apply for Gmail or Calendar.

To whitelist applications, first limit which G Suite API scopes third-party apps can access. Then create whitelists that define which apps can access blocked scopes. Here's how:

Step 1. Review third-party apps' access to API scopes
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Click API Permissions.
  4. Examine API access for any of these core services:
    • G Suite:
      • Gmail
      • Drive
      • Calendar
      • Contacts
      • Admin
      • Vault
      • Apps Script runtime–Controls the actions Apps Script projects can perform. Includes App Maker apps, add-ons, and scripts from both inside and outside your domain.
      • Apps Script API–Controls whether clients can use the Apps Script API to manage projects. 
    • Google Cloud Platform:
      • Cloud Platform—includes all Google Cloud Platform services, except Machine Learning and Cloud Billing
      • Machine Learning—includes Cloud Video Intelligence, Cloud Speech API, Cloud Natural Language API, Cloud Translation API, and Cloud Vision API
      • Cloud Billing
  5. Click the apps link under each API scope to confirm which apps can currently access the core service.
  6. (Optional) You can filter your installed apps by API permissions, name, or by number of users.
  7. (Optional) To add an app to the list of Trusted apps, click More at right and select Trust.
  8. Review these apps before proceeding to the next section to create your whitelist.
Step 2. Add an app to the whitelist of trusted apps
  1. From the Admin console Home page, go to Security and then API Permissions.
  2. At the bottom of the list of apps, click the Trusted Apps link.
  3. Click Whitelist an App.
    The Add App To Trusted List window opens.
  4. In the Select App Type list, select an option:
    • Android
    • iOS
    • Web applications—requires you to fill in the OAuth2 Client ID.
  5. For Android or iOS®, type an app name and click Search to display a list of available apps.
  6. Scroll down to see more apps.
  7. Once the entire app list is displayed, use Ctrl + f or ⌘ + f (Mac) to search for all or part of an app name.
  8. Check the box next to the app you want to add, then click Add.
  9. (Optional) To provide internal apps access to the restricted G Suite APIs:
    1. Navigate back to the Security page.
    2. At the bottom of the page, next to Internal App Settings, check the Trust domain-owned apps box and click Save.

Note: If you disable Trust domain-owned apps, internal apps can’t access the restricted G Suite APIs. Domain-owned apps include:

  • Any Google Apps Script projects created by users within the domain
  • Apps associated with the organization in the Google Cloud Platform Console owned by the domain 
Step 3. Block specific API scopes
  1. From the Admin console Home page, go to Security and then API Permissions.
  2. Click the Apps link to confirm which apps will be affected.
    If you revoke an app's access, it takes up to 24 hours for an app to disappear from the list.
  3. If you click the Disable option, you can block API access for any of these core services:
    • G Suite:
      • Gmail
      • Drive
      • Calendar
      • Contacts
      • Admin
      • Vault
    • Google Cloud Platform:
      • Cloud Platform—includes all Google Cloud Platform services, except Machine Learning and Cloud Billing
      • Machine Learning—includes Cloud Video Intelligence, Cloud Speech API, Cloud Natural Language API, Cloud Translation API, and Cloud Vision API
      • Cloud Billing
  4. If you’re disabling API access for Gmail, choose an option:
    • All Access—Block all third-party apps, except the ones that you whitelisted.
    • High Risk Access—Block third-party apps with high-risk OAuth scopes:
      • https://mail.google.com/
      • https://www.googleapis.com/auth/gmail.compose
      • https://www.googleapis.com/auth/gmail.insert
      • https://www.googleapis.com/auth/gmail.metadata
      • https://www.googleapis.com/auth/gmail.modify
      • https://www.googleapis.com/auth/gmail.readonly
      • https://www.googleapis.com/auth/gmail.send
      • https://www.googleapis.com/auth/gmail.settings.basic
      • https://www.googleapis.com/auth/gmail.settings.sharing

        For details about Gmail scopes, see Choose Auth Scopes.
  5. If you’re disabling API access for Drive, choose an option:
    • All Access—Block all third-party apps, except the ones that you whitelisted.
    • High Risk Access—Block third-party apps using these high-risk OAuth scopes:
      • https://www.googleapis.com/auth/drive
      • https://www.googleapis.com/auth/drive.apps.readonly
      • https://www.googleapis.com/auth/drive.metadata
      • https://www.googleapis.com/auth/drive.metadata.readonly
      • https://www.googleapis.com/auth/drive.readonly
      • https://www.googleapis.com/auth/drive.scripts
      • https://www.googleapis.com/auth/documents

        For details about Drive scopes, see About Authorization.
  6. Click Save.

If you disable API access:

  • After blocking the scopes, any already installed apps will stop working and tokens will be revoked.
  • When a user tries to install an app that has a blocked scope, they see the error message that's shown under Display message when users try to access apps with disabled permissions (below the API scope list). You can edit the default message as needed (message length can be up to 300 characters). 
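
Because blocking a scope stops already installed apps and revokes their tokens, it helps to check an app inventory against the intended setting before clicking Save. The following Python sketch is an added example, not Google's code: it models the rules described in Steps 2 and 3, and the inventory records, client IDs, field names, and the prefix rule used for "All Access" are assumptions.

```python
AUTH = "https://www.googleapis.com/auth/"
# High-risk scope lists copied from Step 3 of this page.
HIGH_RISK = {
    "gmail": {"https://mail.google.com/"} | {AUTH + "gmail." + s for s in (
        "compose", "insert", "metadata", "modify", "readonly", "send",
        "settings.basic", "settings.sharing")},
    "drive": {AUTH + s for s in (
        "drive", "drive.apps.readonly", "drive.metadata",
        "drive.metadata.readonly", "drive.readonly", "drive.scripts",
        "documents")},
}
# Assumption: under "All Access" a scope counts as belonging to a service if
# it is a listed high-risk scope or starts with one of these prefixes.
PREFIXES = {"gmail": ("https://mail.google.com/", AUTH + "gmail."), "drive": (AUTH + "drive",)}

def blocked_scopes(app, policy, trusted_ids, trust_domain_owned=False):
    """Scopes of `app` that `policy` would block; [] if the app keeps working."""
    if app["client_id"] in trusted_ids:
        return []  # whitelisted in Step 2
    if trust_domain_owned and app.get("domain_owned"):
        return []  # "Trust domain-owned apps" is checked
    hits = set()
    for scope in app["scopes"]:
        for service, mode in policy.items():
            listed = scope in HIGH_RISK[service]
            if listed or (mode == "all" and scope.startswith(PREFIXES[service])):
                hits.add(scope)
    return sorted(hits)

def audit(inventory, policy, trusted_ids, trust_domain_owned=False):
    """Map client_id -> blocked scopes, only for apps that would stop working."""
    report = {}
    for app in inventory:
        hits = blocked_scopes(app, policy, trusted_ids, trust_domain_owned)
        if hits:
            report[app["client_id"]] = hits
    return report

# Constructed inventory (hypothetical client IDs and field names).
INVENTORY = [
    {"client_id": "crm-sync.example", "scopes": [AUTH + "gmail.readonly", AUTH + "calendar"]},
    {"client_id": "pdf-tool.example", "scopes": [AUTH + "drive.file"]},
    {"client_id": "backup.example", "scopes": [AUTH + "drive", "https://mail.google.com/"]},
    {"client_id": "intranet.example", "scopes": [AUTH + "drive"], "domain_owned": True},
]
POLICY = {"gmail": "high_risk", "drive": "high_risk"}  # each mode: "all" or "high_risk"
```

Calling `audit(INVENTORY, POLICY, {"backup.example"})` lists the apps that would break under the High Risk Access setting with one app whitelisted; switching a service to `"all"` shows the extra apps that the All Access option would catch.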
Step 4. Remove apps from a whitelist
  1. From the Admin console Home page, go to Security and then API Permissions.
  2. At the bottom of the list of apps, click the Trusted Apps link.
  3. Click the Action menu next to the app you want to remove from the whitelist and select Remove.