Authorize unverified third-party apps

Google is working with app developers to make sure that third-party apps comply with Google privacy and security requirements. Third-party apps that haven’t completed a verification process are “unverified” and might be subject to restrictions.

Which unverified third-party apps are subject to restrictions?

Unverified third-party apps that access Gmail data and have more than 100 users worldwide are subject to restrictions.

Currently, unverified third-party apps with fewer than 100 users worldwide, apps internal to your domain, and unverified third-party apps that access data for Google services other than Gmail aren’t subject to restrictions

What does this mean for my organization?

If your organization has users who currently run unverified third-party apps, those unverified apps will continue to work as expected. However, any new installations of unverified third-party apps that are subject to restrictions will be blocked—unless you indicate that the app is trusted.

Review your third-party apps

You might have received email from Google advising you of this change, containing a list of your unverified third-party apps. Review this list and decide which apps you want to trust and allow users to install.
If you weren't contacted, it’s still a good idea to review your third-party apps using these best practices.

If you have unverified third-party apps

If you decide to let users install new instances of unverified third-party apps that are subject to restrictions, you must first put them into a whitelist of trusted apps.
If you have unverified third-party apps that aren't subject to restrictions, we recommend that you also put these apps into a whitelist of trusted apps.

What about internal apps?

We recommend trusting internal apps that are built in-house or apps that you installed from a trusted source, such as a developer hired by your organization.  

You can trust internal apps created in your organization automatically by selecting to Trust domain owned apps in the G Suite Admin console.

About trusted third-party apps

When you trust a third-party app, it will have access to some G Suite user data (OAuth2 scopes) that you have otherwise restricted. For example, if you have generally blocked access to Gmail OAuth2 scopes, whitelisted apps will still have access to Gmail.

FAQ

Why would a third-party app be unverified?

An app might not have completed the verification process for various reasons, such as using an unsupported application type, or using data in a way that’s incompatible with limited use requirements.
Google implemented this verification process to help provide confidence and consistency with your privacy expectations.

If I'm an app developer as well as a user, how do I get a third-party app verified?

Review the OAuth API Application Verification FAQ and submit for verification from the API Developer Console.

What will happen to unverified third-party apps?

Users who currently run unverified third-party apps can continue to use them, unless you restrict access to G Suite APIs.
New users won’t be able to install unverified third-party apps that are subject to restrictions—unless you first put them into a whitelist of trusted apps.

What happens when I trust a third-party app?

Users who don't already have the app will be able to install it, whether or not the app is verified. Additionally, it will have access to any G Suite APIs (OAuth2 scopes) that you restricted using the API Permissions settings.  
Was this helpful?
How can we improve it?