Examples of Common Issues
Need further guidance on your requesting scopes? Navigate to the relevant finding for targeted remediation instructions.
The justification you provided in your Cloud Console submission does not sufficiently explain why the requested OAuth scopes are necessaryWe require a thorough understanding of why you require access to certain scopes and what you intend to use that data for. Please reply directly to the email from the OAuth verification team to provide additional context for your application's use case. For a more efficient review, please list a rationale specific to the Google API you are requesting.
Example of an acceptable justification: My app will use https://www.googleapis.com/auth/calendar to show a user's Google calendar data on the scheduling screen of my app, so that users can manage their schedules through my app and sync the changes with their Google calendar.
The Google Drive API User Data and Developer Policy requires that permission requests be limited to the critical information necessary to implement your application's services.
If your application’s user-facing features are limited to when a user uploads, downloads and/or deletes specific files, and/or creates folders, you should not request a broad-access restricted Drive scope.
For any exception request to the minimum scopes requirements, we would need evidence of functionality limitations to your application to consider additional data access.
Please follow the instructions provided here to create another project for testing and use the recommended drive.file and drive.appfolder scopes.
- Replace any call in your code to https://www.googleapis.com/auth/drive with https://www.googleapis.com/auth/drive.file and https://www.googleapis.com/auth/drive.appfolder. It should work as expected without the need to use the Google Picker API.
- You can also use the Google Picker API to display a file picker.
- If your application is a Google Workspace add-on, you should use Advanced Drive Service in order to use the drive.file scope.
- To allow users to open Drive files from a movile app, refer to Google Workspace APIs for Android or Google Workspace APIs for iOS.
Please note that the verification channel is not equipped to support you with any technical questions. If you have any questions in regards to your implementation, you can use the following resources to find community support:
For more information on the benefits of using drive.file with the Google Picker API, please refer to the Drive API documentation on choosing scopes.
Further documentation:
We recommend that you request access only to scopes that are required to enable your app’s functionality. During your app’s verification, we may recommend narrower scopes for your app. If this is the case, please reply directly to the email from the OAuth verification team with one of the following resolutions:
- Respond “Confirm Downscoping” to confirm that you will migrate your app to use the recommended scopes.
- Respond “Unable to use narrower scopes” and explain why.
How to migrate to recommended scopes without breaking your app
1. Create a separate project to test your app
If you need to test and evaluate the recommended scopes with your app, we recommend you use a separate cloud console project to do so. It is a recommended best practice to have separate cloud projects for development/testing and production/publishing.
If you add the recommended scopes to your production app’s codebase and start making API calls before these scopes are approved for your app, your users will start to see an unverified app warning pop-up.
To test your app with recommended scopes do the following:
- Create a separate development/testing cloud project.
- Configure the OAuth Consent screen and add only the recommended scopes
- Configure a test deployment of your app to work with this test cloud project
- Test your app’s functionality to confirm the recommended scopes are sufficient.
2. Update your production cloud project to include the recommended scopes
Once you are satisfied that the recommended narrower scopes are sufficient for your app’s functionality, add the recommended scopes to your cloud production project which is being verified:
- Sign-in to the Google Cloud Console
- Select the project-id
- Go to Credentials on the OAuth Consent Screen configuration page
- Go to Scopes for Google APIs
- Click Add scope
- Select the requested scope(s)
- Click Add
- Click Submit for verification
IMPORTANT!
DO NOT remove any approved scopes from your production cloud console project until your app verification is completed.
DO NOT make API calls to these new scopes from the production code until your app verification is completed.
Once your app is approved for the recommended scopes you can start to use these APIs scopes.
- Make changes to your app code to use the recommended scopes.
- Remove the broader scopes from the OAuth configuration of your production/publishing cloud project.
We require that you only request scope access for implemented features. Please implement the feature for which you are requesting scope(s) and resubmit the application for verification for the additional scopes you are requesting access to.
In order to accurately verify your application’s request for Google APIs, we require that the scopes shown on the OAuth consent screen match those on your verification submission. Please ensure the presented scopes are accurate and up-to-date. Once updated, re-submit your application with the correct scopes in your OAuth consent screen configuration.
Once your verification is approved, please remove the old scopes. The following approach is recommended to avoid your users needing to re-authenticate multiple times. .
-
Revoke the existing user token for this scope, or remove access to the app entirely.
-
For example, revoke the token with access to the overly broad scope.
-
Consider revoking tokens while your users are using your app so that you can prompt for user consent immediately.
-
-
Prompt your users to give consent again.
-
Users will get a new refresh token with only the new granular scopes, and without the overly broad scope.
-
To prompt users to grant consent again, your app can use the same OAuth authentication request that was used when the user first signed up for your app, and add the URL parameter 'prompt=consent' as described in the Google OAuth documentation. Google OAuth will generate a new refresh token and send it back to your app with the authorization code exchange. You should use this new token going forward.
-
-
Remove the scope from your project's OAuth consent screen configuration page in Google Cloud Console
-
Sign in to the Google Cloud Console
-
Select the project ID
-
Go to Credentials on the OAuth Consent Screen configuration page
-
Go to Scopes for Google APIs and delete the overly broad scope
-
Click Submit for verification
-
You can also revoke your users' tokens before they next use the app and authorize your current set of scopes, but this will make any offline API calls fail. You should only do this if you aren't worried about breaking the integration between revocation and sign-in. All tokens that contain unapproved restricted scopes will be revoked. As long as users consent to the approved scopes in a new authorization, then we will not revoke their tokens.
Our reviewers have assessed your application and determined that the scopes you requested are too broad for its implemented features. We recommend the following “downscoping” based on the scopes you requested.
|
Full Scope Name |
Scope Name |
Description |
Sensitivity |
Recommended Downscope |
|
auth/drive |
This app wants permission to access everything in your Google Drive. It will be able to do the same things you can do, including: See your files Upload and download your files Delete your files See the names and emails of people you share files with Share and stop sharing your files with others Remove people from your files Organize your Drive There may be private information in your Google Drive, like financial records, medical reports, photos or tax info. |
Restricted |
drive.file if your app needs view and manage Drive files and folders that are opened or created via the app drive.appdata or drive.appfolder If your app needs to create app-specific folders drive.readonly if your app needs to view the user’s files and/or folders within the app UI, but per-file selection with the drive.file scope via a file picker justifiably does not fit your use case. This downscope is only recommended if your app is unable to use any of the narrower scopes and needs read-only access. |
|
|
This app wants permission to: See your Google Drive files Download your files See the names and emails of people you share files with There may be private information in your Google Drive, like financial records, medical reports, photos or tax info. |
Restricted |
|||
|
drive.activity |
View and add to the activity record of files in your Google Drive. For example, view the history of changes to a Google Doc or add an activity event to a Google Sheet |
Restricted |
||
|
drive.activity.readonly |
View the activity record of files in your Google Drive. For example, view the history of changes to a Google Doc |
Restricted |
None |
|
|
drive.metadata |
View and manage metadata of files in your Drive, including the titles, descriptions, and last modified date of your files. |
Restricted |
drive.metadata.readonly |
|
|
drive.metadata.readonly |
This app wants permission to see information about your Drive files, including: The titles and descriptions of your files The names and email addresses of people you share files with Your folders and how files are organized There may be private information in your Google Drive, like financial records, medical reports, photos or tax info. |
Restricted |
None |
|
|
drive.scripts |
Modify your Google Apps Script scripts this app can access, allowing the script to take advantage of privileges in new ways (e.g., a script with access to your Gmail may be changed to send emails on your behalf) |
Restricted |
None |
|
|
View and manage Drive files and folders that you open or create with an app. |
Non-sensitive |
It is generally recommended to use the drive.file scope instead of a broader restricted Drive scope. Apps using a file picker may mistakenly request the Full Drive or drive.readonly scope when drive.file would be sufficient. Read the section below for more information. |
||
|
drive.appdata drive.appfolder |
View and manage the app's own configuration data in your Google Drive. |
Non-sensitive |
None |
|
|
drive.install |
Allow apps to appear as an option in the "Open with" or the "New" menu. |
Non-sensitive |
None |
|
|
drive.file drive.resource |
View and manage Drive files and folders that you open or create with an app. |
Non-sensitive |
None |
|
|
drive.apps.readonly |
View apps authorized to access your Drive. |
Sensitive |
Why should you use drive.file?
drive.file is a non-sensitive scope that allows users to choose which files they want to share with your application. This gives them more control and confidence that your application's access to their files is limited and secure. In contrast, requiring broad access to all Drive files could discourage users from interacting with your application:
-
Usability: The drive.file scope works with all Drive API REST Resources which means you can use it the same way you use broader OAuth scopes
-
Functionality: The Google Picker API provides a similar look-and-feel to the Google Drive UI, several views showing previews and thumbnails of Drive files, and an inline, modal window, so users never leave the main application.
-
Convenience: Applications can narrow to certain Drive file types (e.g. docs, sheets, photos etc), via a filter on the Google Picker files
Since drive.file is non-sensitive, an additional security assessment will not be necessary. This will result in a more streamlined verification process for your application.
Our reviewers have assessed your application and determined that the scopes you requested are too broad for its implemented features. We recommend the following “downscoping” based on the scopes you requested.
|
Full Scope Name |
Scope Name |
Description |
Sensitivity |
Recommended Downscope |
|
https://www.googleapis.com/auth/gmail.addons.current.action.compose |
gmail.addons.current.action.compose |
Manage drafts and send emails when you interact with the add-on. |
Non-sensitive |
None |
|
https://www.googleapis.com/auth/gmail.addons.current.message.action |
gmail.addons.current.message.action |
View your email messages when you interact with the add-on. |
Non-sensitive |
None |
|
https://www.googleapis.com/auth/gmail.addons.current.message.metadata |
gmail.addons.current.message.metadata |
View your email message metadata when the add-on is running. |
Sensitive |
None |
|
https://www.googleapis.com/auth/gmail.addons.current.message.readonly |
gmail.addons.current.message.readonly |
View your email messages when the add-on is running. |
Sensitive |
None |
|
gmail.labels |
Create, read, update, and delete labels only. |
Non-sensitive |
None |
|
|
gmail.send |
Send messages only. No read or modify privileges on mailbox. |
Sensitive |
None |
|
|
gmail.readonly |
Read all resources and their metadata—no write operations. |
Restricted |
gmail.metadata for apps which are performing email monitoring and reporting, or for apps which check if emails have bounced |
|
|
gmail.compose |
Create, read, update, and delete drafts. Send messages and drafts. |
Restricted |
gmail.send and gmail.labels if your application sends emails or invites users onto the platform via Gmail, and management of drafts in the source Gmail account is not needed. gmail.compose should be used if your app only needs to send emails and does not need to manage drafts. |
|
|
gmail.insert |
Insert and import messages only. |
Restricted |
None |
|
|
gmail.modify |
All read/write operations except immediate, permanent deletion of threads and messages, bypassing Trash. |
Restricted |
gmail.send (sensitive) and gmail.labels (non-sensitive) gmail.modify should be used if your app only needs to create labels and not mark email/threads. |
|
|
gmail.metadata |
Read resources metadata including labels, history records, and email message headers, but not the message body or attachments. |
Restricted |
None |
|
|
Manage basic mail settings. |
Restricted |
None |
||
|
gmail.settings.sharing |
Manage sensitive mail settings, including forwarding rules and aliases. Note: Operations guarded by this scope are restricted to administrative use only. They are only available to Google Workspace customers using a service account with domain-wide delegation. |
Restricted |
This scope is only available to Google Workspace customers using a service account with domain-wide delegation. |
|
|
Full access to the account's mailboxes, including permanent deletion of threads and messages This scope should only be requested if your application needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes. Note: If the application is using SMTP or IMAP protocols, please refer to the section below titled “If your application uses SMTP or IMAP protocols.” |
Restricted |
gmail.send if the developer only needs to send emails or invite users on the platform via Gmail (Gmail.send is a sensitive scope. Projects requesting only sensitive scopes do not need to undergo a third-party security assessment. If the application only needs to compose and send messages, then gmail.send will be sufficient for everything the project needs to do.) gmail.readonly if the developer only needs to let users read emails using their app (show notifications, etc.) gmail.modify, gmail.readonly, or gmail.settings.basic to enable users to send emails from different aliases |
If your application uses the IMAP or SMTP protocol:
Full mail (mail.google.com) is the only authorization scope for IMAP and SMTP. Please provide a justification for why your application requires this scope. Please note that the https://mail.google.com/ scope should only be requested if your application also needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes. If your app does not permanently delete threads and/or messages, you will need to migrate to the Gmail API and request less permissive scopes.
If your application uses the SMTP protocol only:
In order to use the Gmail API and continue with the verification process, you need to migrate off SMTP protocol. Instead, you should use the https://www.googleapis.com/auth/gmail.send scope. This scope should still give your project enough access to work properly.
If your app uses SMTP protocol only, note that using the broad access https://mail.google.com/ scope just for sending emails with the SMTP protocol violates the minimum scope policy. To use the Gmail API and continue with the verification process, you will need to migrate off SMTP protocol and use the sensitive https://www.googleapis.com/auth/gmail.send scope instead.
If your application is a Gmail Add-On:
Generally, Gmail add-ons should not request broad access to user data with Restricted Scopes. Instead, we recommend that your app use Gmail Add-on Scopes which should be sufficient for your app and will not require you to go through a third-party security assessment. Please refer to the following table for more information on Add-On scopes.
|
Scope Name |
Full Scope |
Description |
Category |
|
current.message.compose |
https://www.googleapis.com/auth/gmail.addons.current.action.compose |
Manage drafts and send emails when you interact with the add-on. |
Non-sensitive |
|
current.message.action |
https://www.googleapis.com/auth/gmail.addons.current.message.action |
View your email messages when you interact with the add-on. |
Non-sensitive |
|
current.message.metadata |
https://www.googleapis.com/auth/gmail.addons.current.message.metadata |
View your email message metadata when the add-on is running. |
Sensitive |
|
current.message.readonly |
https://www.googleapis.com/auth/gmail.addons.current.message.readonly |
View your email messages when the add-on is running. |
Sensitive |
Why should you use gmail.send?
The Google API Services User Data Policy states that your application should request the minimum amount of data necessary for functionality. Additionally, gmail.send is a sensitive scope. Projects requesting only sensitive scopes do not need to undergo a third-party security assessment. If your application only needs to compose and send messages, then gmail.send will be sufficient for everything your project needs to do.
If you are unable to downscope, please reply to the email you received with a thorough justification for the Gmail Restricted Scopes you’re requesting and an explanation for why Gmail Add-on Scopes would be insufficient.
For example: The https://www.googleapis.com/auth/gmail.send scope (to send messages only) would not be sufficient because ____. And, https://www.googleapis.com/auth/gmail.compose can help me accomplish this because ____.
Our reviewers have assessed your application and determined that the scopes you requested do not match the intended use case. We recommend you review the following scopes based on the functionality your app requires.
|
Scope |
Description |
|
fitness.sleep.read |
Read sleep data from the Google Fit platform. |
|
fitness.body.read |
Read body measurement data (height, weight, body fat percentage) from the Google Fit platform. |
|
fitness.heart_rate.read |
Read heart rate data from the Google Fit platform. |
|
fitness.blood_pressure.read |
Read blood pressure data from the Google Fit platform. |
|
fitness.blood_glucose.read |
Read blood glucose data from the Google Fit platform. |
|
fitness.reproductive_health.read |
Read reproductive health data from the Google Fit platform. |
|
fitness.body_temperature.read |
Read body temperature data from the Google Fit platform. |
|
fitness.oxygen_saturation.read |
Read oxygen saturation data from the Google Fit platform. |