An unverified app is a web application or Apps Script that requests a sensitive OAuth scope, but hasn't gone through the Google verification process. Users of unverified apps or your test builds might get warnings based on the OAuth scopes you're using. This is to protect users and their data from deceptive applications.
Unverified app warnings
Unverified app warnings are shown in the following ways:
Unverified app screen
- The app or script might display an "unverified app" screen before it displays the consent screen. This is based on the specific scopes that your app includes in the request. This warning will display when:
  - Your app uses sensitive scopes and you haven't configured your OAuth Consent Screen and requested verification.
  - You selected sensitive scopes on the OAuth Consent Screen and requested verification, but the verification is not yet complete.
  - Your app uses sensitive scopes that you haven't selected on the OAuth Consent Screen configuration page.
- Security Checkup might show your app as risky and unverified. This is based on the access a user has given to an unverified app.
Unverified app user cap
To protect users and Google systems from abuse, applications that use OAuth and Google Identity have certain quota restrictions based on the risk level of the OAuth scopes an app uses.
To remove these screens from your app, or to prevent your app from being marked as risky, you'll need to go through the verification process.
When to go through verification
You need to go through verification before you launch a user-facing app. You can continue to build and test your application while waiting to complete verification. When your app is successfully verified, the unverified app screen will be removed from your client.
You don't need to go through verification for the following kinds of apps:
- Apps in development: if your app is experimental or a test build, you don't need to go through verification unless you decide to launch it to the public.
- OAuth-based plugins: if you're setting up an OAuth-based plugin for a popular platform, such as SMTP for WordPress, you don't need to go through the verification process.
- Internal apps: if your app is an internal web app for users in the same G Suite domain and the app is associated with a Cloud Organization that all of your users belong to, you don't need to go through verification. Learn more about public and internal applications.
Verification for apps
Before you start the verification process, review the OAuth Application Verification FAQ. This will help your verification process go quickly. To start the verification process for apps, follow the steps below:
- Update the OAuth Consent Screen details in the Google Cloud Platform Console APIs & Services Credentials:
  - Add URLs for your Home Page and Terms of Service if you have them.
- Verify your website ownership through Search Console by using an account that is a Project Owner or a Project Editor on your OAuth project.
- To start the verification process, submit a verification request by following the process below. Note that the Verification required dialog is a beta feature that might not be available for all users at this time.
  - On the GCP Console OAuth Consent Screen, click Submit or Save.
  - If a Verification required dialog displays:
    - Add information in the text boxes for Google to verify your OAuth consent screen.
    - When you're finished entering details, click Submit.
Verification for Apps Scripts
If a new Apps Script requests OAuth access to data that belongs to consumers or users in other domains, the "unverified app" screen might display before the OAuth consent flow. For more information about how this affects Apps Script developers and users, including instructions for verifying Apps Script OAuth clients, see the Apps Script OAuth client verification documentation.
OAuth user quotas
The OAuth user quotas are summarized in the table below. These may be adjusted for specific applications based on the application history, developer reputation, and riskiness.
|  | New User Cap |
| --- | --- |
| Apps that present unverified app screen to users | 100 new users in total, once the app presents the unverified app screen |
To learn more, see the OAuth Application Rate Limits page.
If you were using an application and you were redirected here from an error page, wait one day before you try to use the application again. This should allow the application total new user cap to refresh. If you continue to get an error, the owner of the application might need to take action before you and other new users can access it.