Unverified apps

An unverified app is a web application or Apps Script that requests a risky OAuth scope, but hasn't gone through the Google verification process. Users of unverified apps or your test builds might get warnings based on the OAuth scopes you're using. This is to protect users and their data from deceptive applications.

Unverified app warnings

Unverified app warnings are shown in the following ways:

Unverified app screen

  • The app or script might display an "unverified app" screen before it displays the consent screen.
    • This is based on the specific scopes that your app includes in the request.

Security Checkup

  • Security Checkup might show your app as risky and unverified.
    • This is based on the access a user has given to an unverified app.

To remove these screens from your app, or to prevent your app from being marked as risky, you'll need to go through the verification process.

When to go through verification

You need to go through verification before you launch a user-facing app. You can continue to build and test your application while waiting to complete verification. When your app is successfully verified, the unverified app screen will be removed from your client.

You don't need to go through verification for the following kinds of apps:

  • Apps in development: if your app is experimental or a test build, you don't need to go through verification unless you decide to launch it to the public.
  • OAuth-based plugins: if you're setting up an OAuth-based plugin for a popular platform, such as SMTP for WordPress, you don't need to go through the verification process.
  • Internal apps: if your app is an internal web app for users in the same G Suite domain and the app is associated with a Cloud Organization that all of your users belong to, you don't need to go through verification.
    • Internal users will still see the unverified app screen in the following scenarios:
      • If your app is on a .edu or Internet Service Provider (ISP) domain
      • If your app is unlisted and available for internal users on external accounts

      To remove the unverified app screen for these users, you can optionally go through the verification process for apps.

NOTE: If you change your client or use new scopes after verification, you might have to go through verification again.

Verification for apps

To start the verification process for apps, follow the steps below:

  1. Make sure the OAuth consent screen details in the Cloud Console (APIs & Services > Credentials) are up to date.
    • You must have a privacy policy URL.
    • Add URLs for your Home Page and Terms of Service if you have them.
  2. Verify your website ownership through Search Console by using an account that is a Project Owner or a Project Editor on your OAuth project.
  3. To start the verification process, submit a verification request by completing the OAuth Developer Verification Form. To make sure the verification process goes quickly, review the OAuth Developer Verification Form FAQ.

NOTE: If you add any new redirect URLs or JavaScript origins, or if you change your Product Name after verification, you will have to go through verification again.

Verification for Apps Scripts

If a new Apps Script requests OAuth access to data that belongs to consumers or users in other domains, the "unverified app" screen might display before the OAuth consent flow. For more information about how this affects Apps Script developers and users, including instructions for verifying Apps Script OAuth clients, see the Apps Script OAuth client verification documentation.
